Security

Technical and organisational measures Workclave applies to protect customer data — encryption, authentication, access controls, audit logging, and incident response.

Last updated: April 2026

Security questions? hello@mecverse.com

  • Encryption: AES-256 + TLS 1.3
  • Auth tokens: 15-min JWT + rotation
  • Audit logs: 12-month retention

1. Encryption in transit

  • All communication between clients (web app, mobile app, API consumers) and Workclave servers is encrypted using TLS 1.2 or TLS 1.3. Connections using older protocols are rejected.
  • We enforce HTTP Strict Transport Security (HSTS) with a minimum max-age of 12 months on all production domains.
  • API tokens and session credentials are transmitted only over encrypted channels. They are never included in URL query parameters.

2. Encryption at rest

  • All production databases, file storage, and backup volumes are encrypted at rest using AES-256.
  • Encryption keys are managed through a dedicated key management service and rotated on a defined schedule.
  • Backups are encrypted with keys that are independent of those used for primary storage, to limit the blast radius in the event of a key compromise.

3. Authentication and session management

  • Workclave uses short-lived JWT access tokens (15-minute expiry) paired with refresh tokens. Refresh tokens are rotated on use and invalidated on logout.
  • Passwords are hashed using bcrypt with a work factor calibrated to current hardware benchmarks. Plaintext passwords are never stored or logged.
  • Magic-link and OTP-based authentication options are available. All OTP codes are single-use and expire within 10 minutes.
  • Failed login attempts trigger exponential back-off. Accounts are temporarily locked after repeated failures to prevent credential stuffing.

4. Access controls

  • Workclave implements role-based access control (RBAC) across all workspace operations. Roles include Owner, Admin, Manager, and Member with distinct permission scopes.
  • Production database and infrastructure access is restricted to a named set of personnel. All production access requires multi-factor authentication.
  • Access is granted on a least-privilege basis. Staff members receive the minimum access needed for their specific function.
  • Access rights are reviewed quarterly. Terminated or role-changed individuals are deprovisioned within 24 hours.

5. Audit logging

  • All authentication events (login, logout, token refresh, failed attempts) are logged with timestamp, IP address, and device fingerprint.
  • All administrative actions — session approvals, role changes, workspace configuration edits, and data exports — are recorded in an immutable audit log.
  • Audit logs are retained for a minimum of 12 months and can be exported by workspace administrators for compliance purposes.
  • Log integrity is protected — logs cannot be modified or deleted by application-layer operations.

6. Infrastructure and network security

  • Workclave is deployed on cloud infrastructure with network segmentation. Application servers, database servers, and backend services run in separate network zones with explicit allow-list firewall rules.
  • Public-facing services are protected by a web application firewall (WAF) configured to block OWASP Top 10 attack patterns including SQL injection, XSS, and CSRF.
  • Rate limiting is enforced on all public API endpoints. Authentication endpoints apply stricter limits to prevent brute-force and credential stuffing attacks.
  • Dependency scanning runs on every code push. Known vulnerable packages are flagged and patched within the next release cycle.

7. Application security

  • Workclave follows OWASP secure coding guidelines. Common vulnerabilities (injection, broken authentication, insecure direct object references, mass assignment) are tested during code review.
  • All user-supplied input is validated and sanitised server-side before any database operation or response rendering.
  • Content Security Policy (CSP) headers are set on all pages. Third-party scripts are loaded only from allow-listed origins.
  • API endpoints use explicit schema validation. Requests with unexpected or malformed fields are rejected with a 400 error before reaching business logic.

8. Employee and contractor security

  • All Workclave staff and contractors with access to production systems undergo background verification before access is granted.
  • Security awareness training is conducted at onboarding and annually thereafter.
  • Personal devices used for work must meet minimum security configuration requirements including full-disk encryption and screen lock.
  • Staff are prohibited from storing customer data on personal devices or unapproved cloud storage services.

9. Incident response

  • Workclave maintains a documented incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review.
  • Security incidents are classified by severity. Critical incidents (data breach, authentication bypass, service unavailability) are escalated immediately with 24/7 on-call response.
  • In the event of a confirmed personal data breach, affected customers are notified within 72 hours. The notification covers the nature of the incident, its scope, and remediation steps.
  • Post-incident reviews are conducted for all severity-1 incidents. Findings and remediation actions are documented internally.

10. Vulnerability disclosure

  • If you discover a security vulnerability in Workclave, please report it responsibly to hello@mecverse.com with subject line 'Security Disclosure'.
  • We request that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate.
  • We commit to acknowledging receipt of valid reports within 2 business days, providing a status update within 7 days, and notifying you when the vulnerability is resolved.
  • We do not pursue legal action against researchers who act in good faith and follow responsible disclosure principles.

11. Data deletion and portability

  • Customers can export all workspace data (sessions, approvals, member records, reports) from the admin dashboard at any time in CSV format.
  • On subscription cancellation or account closure, customer data is retained for 90 days to allow final export, then permanently deleted from all production systems and from the backup rotation.
  • Deletion requests outside the standard offboarding flow can be submitted to help@mecverse.com. Deletion is completed within 30 days and confirmed in writing.

12. Third-party security and subprocessors

  • All subprocessors handling customer personal data are evaluated for security posture before onboarding. We review their security certifications, DPA terms, and breach notification commitments.
  • Workclave does not sell customer data to third parties. Subprocessors receive only the minimum data required to perform their specific function.
  • A current list of subprocessors is available on request at hello@mecverse.com.
