How we secure your work.

Workhouse's strongest security claim is structural: the boundary between internal and client-visible data is in the database, not the UI. Portal queries filter on a visibility = 'client' clause. Internal rows are never loaded for client sessions. A guessed URL returns a 404, not a 403. See the visibility feature page for detail.

• → Email + password via Better Auth. Passwords are hashed with bcrypt (cost factor 12).
• → Session cookies are HTTP-only, Secure (production), SameSite=Lax. Cookie prefix is project-scoped.
• → Email verification is required for new accounts. Reset flow uses signed, time-bound tokens delivered via Resend.
• → Rate limiting on sign-in, sign-up, and password reset — per-IP and per-email. Throttles credential stuffing and password-reset spam.

• → Granular permission model. Permissions are flat string atoms (workspace:configure, project:update) bundled into roles. Custom roles per workspace.
• → Built-in roles include Owner, Admin, Member, Billing-only, Read-only Auditor, Team Lead, and Team Member. Each enforces a specific permission set at the server action layer.
• → Scope enforcement. Every read query carries a scope predicate (teamId for internal, workspaceId + clientId for portal) so cross-tenant data leakage is structurally prevented.

• → In transit: TLS 1.2+ everywhere. HSTS (max-age=63072000, includeSubDomains, preload) on production.
• → At rest: Database storage is encrypted by Neon (AES-256). File uploads are encrypted by Vercel Blob.
• → Secrets: Application secrets stored in Vercel's encrypted environment variables. No secrets in source control.

Every state-changing action is recorded in an immutable, append-only audit log. Included on every workspace — not Enterprise-tier-gated. The log covers authentication events, permission changes, task lifecycle, approvals, and admin actions. See the audit log feature page for the full event schema.

Workhouse runs on a focused set of vendors. Each receives the minimum data required to do their job.

• → Vercel — hosting (Next.js + Fluid Compute), edge network, Blob storage (file uploads).
• → Neon — managed Postgres. All workspace data lives here.
• → Resend — transactional email (notifications, password reset, verification, digests).
• → Anthropic via Vercel AI Gateway — drafts status reports from your activity. The Gateway's policy is zero data retention; inputs and outputs are not retained for training.

For agencies that wire Workhouse to external services via webhook endpoints, the outbound delivery layer validates destination URLs at write time (rejecting private/loopback addresses) and re-validates at delivery time via DNS resolution. The HTTP client also refuses to follow redirects to private addresses. This closes the typical SSRF-via-webhook vector that most platforms leave open.

Webhook payloads are signed with HMAC-SHA256; verification uses constant-time comparison.

• → Region. Primary infrastructure runs in the US (us-east). Vercel's edge network serves cached assets globally.
• → Backups. Neon manages database backups (point-in-time restore, 7-day retention on standard plans).
• → Export. Workspace data is exportable at any time. Email support@workhouse.app or use the in-product export (where available).
• → Deletion. Delete a workspace and primary-storage data is removed within 30 days; backups age out within 90.

For agencies serving EU clients or regulated industries, we offer a Data Processing Agreement. Email security@workhouse.app to request the DPA. See /data-processing for the standard sub-processor list and processing terms.

We take responsible disclosure seriously. If you've found a vulnerability, email security@workhouse.app. First-response within 1 business day. We don't currently run a paid bug bounty, but we credit valid disclosures publicly (with your permission) and ship fixes fast.

Don't probe production tenants you're not authorized for; we're happy to provide test workspaces for security research on request.

In the event of a security incident affecting customer data, we notify affected workspace owners within 72 hours of confirming the incident. Status of the investigation is communicated via email to those owners; if the incident is widespread, we publish a status page update.

Workhouse is in public beta — we're building our incident response process in parallel with the rest of the product. The 72-hour notification commitment is what we hold ourselves to today; we'll formalize SLAs as we move toward paid plans and SOC 2.

We don't have SOC 2 yet. Roadmap items relevant to security-conscious buyers: SSO/SAML for workspace authentication, dedicated SOC 2 Type II audit, customer- managed encryption keys, and EU data residency. Email security@workhouse.app if any of these are blocking your adoption.