Data Safety
At WorkZerk, we understand that administrators need confidence in the safety, privacy, and integrity of their data. This page outlines the measures we take to protect your information.
Platform Security
Australian Data Residency: All WorkZerk services are hosted within Microsoft Azure's Sydney data centres, ensuring your data remains in Australia and complies with local data residency requirements.
Server-Side Architecture: Our application runs on Microsoft Blazor Server (.NET 9), which keeps sensitive logic and data processing on the server. Only UI updates are transmitted to your browser over a secure SignalR connection — your data never sits exposed in client-side code.
Network Protection
Cloudflare Security: All traffic to WorkZerk passes through Cloudflare's global network, providing multiple layers of protection and SSL/TLS termination with always-on HTTPS enforcement. Cloudflare's global edge network also improves performance by caching static assets closer to users and providing optimised routing.
Authentication and Access Control
Auth0 Identity Platform: WorkZerk uses Auth0, a leading identity management platform, to handle all administrator authentication. This provides enterprise-grade security features including secure password storage with bcrypt hashing, protection against credential stuffing and brute force attacks, and optional multi-factor authentication (MFA). Administrator passwords are never stored in plain text; they are hashed with bcrypt.
Login-Free Onboardee Experience: People being onboarded (contractors, visitors, students, etc.) access their personalised portal via a secure, unique 64-character token link. This friction-free approach means no passwords to manage or reset, while maintaining security through cryptographically random tokens that cannot be guessed.
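As an added illustration (not WorkZerk's own code), the following C# shows how a 64-character portal token of this kind can be issued and checked on a .NET server: 32 bytes from the OS cryptographic RNG encoded as hex, only a SHA-256 digest of the token kept at rest so a leaked database row does not yield a working link, and a constant-time comparison at look-up. The class and method names are assumptions for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Example code, not WorkZerk's implementation. Illustrates a 64-character
// onboardee portal token: 32 random bytes -> 64 hex characters = 256 bits of
// entropy, so links cannot be guessed or enumerated.
public static class PortalToken
{
    private const int TokenBytes = 32; // 32 bytes = 64 hex characters

    // Token that is embedded in the onboardee's link (sent once, by email).
    public static string Generate()
    {
        byte[] raw = RandomNumberGenerator.GetBytes(TokenBytes);
        return Convert.ToHexString(raw).ToLowerInvariant(); // 64 chars, [0-9a-f]
    }

    // Persist only this digest alongside the onboardee record; the raw token
    // exists only in the link, so a database leak does not expose live portals.
    public static byte[] Digest(string token) =>
        SHA256.HashData(Encoding.ASCII.GetBytes(token));

    // Look-up path: reject malformed input first, then compare digests in
    // constant time so response timing does not reveal partial matches.
    public static bool Verify(string presented, byte[] storedDigest)
    {
        if (presented is null || presented.Length != TokenBytes * 2) return false;
        foreach (char c in presented)
            if (!Uri.IsHexDigit(c)) return false;
        byte[] candidate = Digest(presented.ToLowerInvariant());
        return CryptographicOperations.FixedTimeEquals(candidate, storedDigest);
    }
}

public static class Demo
{
    public static void Main()
    {
        string token = PortalToken.Generate();          // goes into the portal link
        byte[] stored = PortalToken.Digest(token);      // goes into the database

        // Genuine link verifies; a link with one altered character does not.
        string tampered = token[..63] + (token[63] == 'a' ? 'b' : 'a');
        Console.WriteLine($"length={token.Length} valid={PortalToken.Verify(token, stored)} " +
                          $"tampered={PortalToken.Verify(tampered, stored)}");
    }
}
```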
Compulsory Administrator MFA
All WorkZerk administrators are required to use multi-factor authentication (MFA) to access your workspace. This means that even if a password is compromised, your data remains protected behind a second verification step. We support authenticator apps such as Google Authenticator, Microsoft Authenticator, and Authy, with recovery codes available as a backup.
This requirement applies to every administrator account with no exceptions — so you can be confident that only properly verified personnel can view onboardee documents and compliance information.
Data Protection
Azure SQL Database: Your data is protected by transparent data encryption (TDE) at rest, automatic backups with point-in-time restore capabilities, and role-based access controls ensuring only authorised systems can access sensitive information.
Azure Blob Storage: All uploaded files (compliance documents, credentials, photos) are stored in Azure Blob Storage with AES-256 encryption at rest and secure transfer enforced via HTTPS. Files are organised by space, then compartmentalised per onboardee, and tagged with metadata and indexed for audit purposes.
Privacy by Design
Onboardee Control: People being onboarded can delete any files they've uploaded at any time before approval, giving them control over their personal documents.
One-Way Uploads: The portal is designed as a one-way submission system. Once a file is uploaded, it cannot be viewed or downloaded again by the onboardee — this prevents the portal from becoming a document repository and reduces exposure risk if a portal link were ever compromised.
Automatic File Deletion: When an administrator approves or rejects an uploaded document (such as a credential or compliance certificate), the underlying file is automatically deleted from storage. Only the approval record and relevant extracted details (such as expiry dates) are retained. Administrators can override this behaviour where business requirements necessitate keeping the original document, but deletion is the default. This approach aligns with the Australian Privacy Principles' data minimisation requirements — we don't hold onto personal documents longer than necessary to verify them.
Encryption Standards
Data in Transit: All communication between your browser and our servers is encrypted using TLS 1.2 or higher. This includes the real-time SignalR connection that powers the application.
Data at Rest: Azure's built-in encryption protects all stored data automatically — both in the database and file storage.
Email Communications
SendGrid Delivery: Transactional emails (portal invitations, notifications, password resets) are sent via SendGrid, a trusted email delivery platform with SPF, DKIM, and DMARC authentication to prevent spoofing and ensure deliverability.
WorkZerk uses Azure Functions to receive secure webhooks from SendGrid, which update email tracking information in real time.
Monitoring and Compliance
Audit Trails: Administrative actions are logged with UTC timestamps and user identification for accountability and troubleshooting.
Compliance Certifications: The Azure platform meets global standards including ISO 27001, SOC 1/2/3 and GDPR, and adheres to the Australian Privacy Principles.
Your Responsibilities
While WorkZerk provides robust security infrastructure, administrators play an important role: use strong, unique passwords for your account; enable MFA; regularly review who has access to your spaces; and monitor activity for anything unusual.
Data Retention
Your data remains available while your account is active on at least the Starter plan, which is the minimum required plan. Inactive accounts may be removed at WorkZerk's discretion; see our Terms of Use for details.
Deleting a Space within WorkZerk triggers automatic deletion of all its data, including uploaded files, within 24 hours.