Security and Compliance: GDPR, HIPAA, and CCPA

This article covers the most common compliance and security questions we hear from users.


GDPR

Is WebWork GDPR compliant?

Yes. WebWork complies with the EU’s General Data Protection Regulation (GDPR), which became enforceable on May 25, 2018. GDPR sets strict rules for how organizations collect, process, and store personal data belonging to EU citizens.

WebWork has reviewed its infrastructure (both hardware and software) to ensure personal data is fully protected at every point of collection and processing. Compliance is treated as an ongoing process as we continuously work to maintain and strengthen our data practices.

All data you provide to WebWork when using the tracker is used solely to deliver the service you’ve signed up for. We do not sell your data. For full details, see our Privacy Policy and Sub-Processors list.


Where is my data stored? Is it inside the EU?

Your data is stored on Amazon Web Services (AWS) S3 Cloud and Contabo servers. Both providers offer strong, state-of-the-art infrastructure for secure data storage.

If your organization requires data residency within the EU specifically, please reach out to our support team at [email protected] to discuss your requirements.


How do I get a Data Processing Agreement (DPA) from WebWork?

To request a Data Processing Agreement, contact us at [email protected] or [email protected].
Please include your company name and the nature of your request, and our team will follow up with next steps.


How do I respond to an employee’s GDPR data access request?

Under GDPR, individuals have the right to request access to their personal data. As a WebWork customer, you act as the data controller for your workspace, meaning you are responsible for managing and responding to data subject requests from your employees.

Here’s how to handle the request:

If an employee wants to access their data: You can export tracked data (timesheets, activity logs, screenshots) from your WebWork workspace and share the relevant records with the employee.

If an employee wants their data deleted: Contact us at [email protected] to submit a deletion request. Note that WebWork permanently deletes personal and workspace data after 6 consecutive months of account inactivity, in line with our data retention policy.


HIPAA

Is WebWork HIPAA compliant?

Yes. WebWork Time Tracker complies with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, as amended by the HITECH Act of 2009, along with all associated regulations.

To meet HIPAA requirements, WebWork has implemented strict administrative, physical, and technical safeguards, including:

  • Encryption of data both in transit and at rest
  • Regular risk assessments and system audits
  • Strict access controls limiting who can view sensitive data
  • Exclusive use of HIPAA-compliant third-party services

Can we use WebWork in a healthcare environment with patient data on screen?

Yes, WebWork can be used in healthcare environments. Because WebWork is HIPAA compliant, it includes the safeguards required to handle environments where Protected Health Information (PHI) may be present, for example, if a screenshot captures a screen that contains patient data.

That said, as the employer and data controller, your organization is responsible for ensuring that your internal use of WebWork aligns with your own HIPAA policies. This includes configuring screenshot frequency appropriately, managing access controls within your workspace, and ensuring employees understand what is being monitored.

If your organization requires a Business Associate Agreement (BAA), WebWork offers one. Contact our support team at [email protected] to request a signed BAA.


CCPA

How does WebWork comply with CCPA?

WebWork fully complies with the California Consumer Privacy Act (CCPA), which gives California residents specific rights over their personal information.

Under CCPA, WebWork provides:

  • Transparency about what data is collected, why it’s collected, and how it’s shared
  • Right to know — users can request to see what categories of personal information WebWork holds about them
  • Right to deletion — users can request that their personal data be deleted
  • Right to non-discrimination — exercising your CCPA rights will not affect your access to WebWork’s services

WebWork collects only the data necessary to provide and improve its time tracking, productivity monitoring, and project management services.


How do I submit a CCPA data deletion request?

To submit a deletion request under CCPA, contact us at [email protected]. Include your name, account email, and a note that you are submitting a CCPA deletion request. Our team will verify your identity and process the request in accordance with CCPA timelines.


Encryption & Authentication

Does WebWork support two-factor authentication (2FA)?

Yes. WebWork supports multi-factor authentication, adding an extra layer of security to the login process. For enterprise SSO, WebWork integrates with Microsoft Entra ID and Okta, allowing organizations to enforce their own identity and access management policies across the workspace.

If you need help setting up 2FA or SSO for your team, contact [email protected].


Is data encrypted in transit and at rest?

Yes, data is encrypted both in transit and at rest.

In transit: All data transmitted between your device and WebWork’s servers is encrypted using a RapidSSL TLS RSA CA G1 wildcard certificate issued by DigiCert Inc.

At rest: All data stored on WebWork’s servers is encrypted using AES-256 encryption — a widely recognized industry standard for secure data storage. Passwords are hashed to prevent exposure in the event of a breach.

What encryption standard does WebWork use for screenshots?

Screenshots go through a multi-step encryption process designed specifically for this type of sensitive content.

First, each screenshot is assigned a unique token that acts as an individual identifier, making unauthorized access to any single screenshot significantly harder. Then, each file is encrypted using industry-standard encryption, protecting it both in storage and during transmission.

This approach means that even if one layer of security were somehow compromised, the additional layers continue to protect the file. For more technical detail, see WebWork’s Security Innovations page.


Reporting Security Issues

How do I report a security vulnerability to WebWork?

If you’ve discovered a security vulnerability or potential weakness in WebWork’s systems, please report it to us at [email protected]. You can also use the Share a Concern form on our Privacy and Security page.

We review all reports seriously and respond as quickly as possible. Responsible disclosure helps us protect all users, and we appreciate the effort it takes to report issues properly.


Where do I report a data breach or privacy concern?

For suspected data breaches or privacy concerns involving your WebWork account or workspace data, contact us immediately:

Please include as much detail as possible: what you observed, when it occurred, and which account or data was affected. Our team will investigate and follow up with you directly.

You can also monitor our Security Updates page for any platform-wide security notices.
