Security & compliance

Security that works for oil & gas.

SOC 2 Type II in progress. IEC 62443-aligned OT controls. Read-only SCADA integration. Open-source LLMs running in your tenant. Designed for the security teams that run the most demanding environments — upstream operators, pipeline majors, LDCs — not a horizontal SaaS that treats O&G as another vertical.

✓ SOC 2 Type II (in progress · Q4 2026)✓ IEC 62443-3-3 aligned✓ Read-only OT integration✓ Single tenant · BYOK

Principles

How we approach security for operational systems.

01

Read-only by default

WorkSync integrates read-only with every SCADA historian, CMMS, and accounting system. We cannot write setpoints, pushbutton PLC controls, or modify production records. The OT boundary is enforced in the integration layer — not a policy you have to trust us on.

02

Your tenant. Your data. Your keys.

Single-tenant architecture on SOC 2 Type II-aligned cloud (AWS/Azure). Customer-managed KMS keys for data at rest. No cross-tenant ML training — your operational data never trains a model another customer sees.

03

Open-source LLMs, your infrastructure

The agentic AI layer runs on open-source LLMs (Llama 3.x, Mistral, DeepSeek) hosted in your tenant or our dedicated US-region inference. No OpenAI / Anthropic API calls leaving your environment unless you explicitly enable them.

04

IEC 62443 thinking throughout

Zone-and-conduit segmentation. Role-based access control aligned with IEC 62443-3-3 SR 1.1 through SR 1.13. Auditable change management for every agent-triggered action. Safety is always a hard constraint, never a weight.

Controls

The specific controls your security team is going to ask about.

Identity & Access

  • SSO via SAML / OIDC (Okta, Azure AD, Google)
  • MFA required for admins
  • Role-based access control (RBAC)
  • Just-in-time privilege elevation
  • Audit logs for every access and config change

Data Protection

  • TLS 1.3 for all data in transit
  • AES-256 for data at rest
  • Customer-managed keys (BYOK/HYOK)
  • Regional data residency (US, EU)
  • Scheduled backup with 30-day retention

Application & Infrastructure

  • SOC 2 Type II (in progress · audit concludes Q4 2026)
  • Annual 3rd-party penetration test
  • Quarterly vulnerability scans
  • Code review + SAST on every commit
  • WAF + DDoS mitigation in front of public endpoints

OT Integration Controls

  • Read-only SCADA integration (unidirectional data flow)
  • Network-segmented OT connectors with allowlisted endpoints
  • No direct control-system writes from WorkSync
  • IEC 62443-3-3 alignment (SR 1.1, 1.4, 1.7, 1.10)
  • Optional on-prem edge connector for air-gapped deployments

AI / Agentic Controls

  • Open-source LLMs (Llama 3, Mistral, DeepSeek) — no third-party API calls by default
  • Dedicated US-region inference · no data retention by model providers
  • Human-in-loop approval for all automated writes
  • Hard safety constraints cannot be overridden by agents
  • Full audit trail for every agent-triggered action

Compliance Scope

  • SOC 2 Type II (in progress)
  • IEC 62443-3-3 aligned OT controls
  • OSHA PSM-ready workflows
  • API RP 75 / SEMS-ready workflows
  • GDPR + CCPA data handling

Security FAQ

Does WorkSync control any field equipment?

No. WorkSync is read-only against SCADA and OT systems by default. We ingest alarms, tags, and production data; we do not write setpoints, modify PLC logic, or issue pushbutton-equivalent commands. Operators execute in the field — the platform ranks, they act.

Where does our operational data live?

Single-tenant in a region you choose (US-East, US-West, or EU). Customer-managed KMS keys for data at rest. We do not cross-train ML models on your data — your operational data never improves another customer's model.

Are you SOC 2 certified?

SOC 2 Type II audit is in progress with audit completion expected Q4 2026. Type I readiness complete. All Type II controls are operating today; we're in the observation window. SOC 2 Type I report available under NDA.

What LLMs do you use?

Default deployment uses open-source LLMs (Llama 3.x, Mistral, DeepSeek) in our dedicated US-region inference pool — no third-party API calls, no data retention by any external model provider. Customers can also deploy the agent layer to their own VPC with their own LLM inference.

How do you align with IEC 62443?

WorkSync's OT integration follows IEC 62443-3-3 System Requirements (SR 1.1, 1.4, 1.7, 1.10 for identification, authentication, integrity, and session management) and 62443-4-2 component requirements where applicable. Zone-and-conduit segmentation between IT and OT is enforced by the edge connector architecture.

Do you support air-gapped / on-prem deployment?

Yes. An on-prem edge connector can run WorkSync's integration and agent layer entirely inside your network, with egress only to the web UI and customer-initiated sync. For operators with strict air-gap requirements (upstream majors, pipeline super-regionals), this is the default pattern.

Can I review your security documentation before a pilot?

Yes — reach out via /contact and we'll share the SOC 2 Type I report, pen-test executive summary, architecture diagrams, and OT integration threat model under NDA. Typical security review takes 1-2 weeks before a pilot kickoff.

Security review before pilot? We expect it.

Reach out and we'll share the SOC 2 Type I report, architecture diagrams, and OT integration threat model under NDA. Typical security review takes 1-2 weeks before pilot kickoff.

Request security documentationApply for the Free Pilot

Security questions: [email protected]