All systems monitored continuously

Trust Center

Coworked is committed to the highest standards of security, privacy, and compliance. Explore our certifications, controls, and practices below.

SOC 2 Type II ISO 27001 HIPAA Compliant

Last updated: February 2026 · SOC 2 Type II audit completed, ISO 27001 certified, HIPAA compliance verified

Frameworks

100%

Controls Passing

AES-256

Encryption at Rest

24/7

Monitoring

Compliance Certifications

Independent, third-party validated certifications that demonstrate our commitment to protecting your data.

Active

SOC 2 Type II

Annual audit covering Security, Availability, Confidentiality, Processing Integrity, and Privacy trust service criteria.

Certified 2025 SheildByte Infosec

Active

ISO 27001

International standard for information security management systems (ISMS), covering risk assessment, security controls, and continuous improvement.

Certified 2025 SheildByte Infosec

Active

HIPAA

Full compliance with the Health Insurance Portability and Accountability Act, including administrative, physical, and technical safeguards for PHI.

Verified 2025 BAA Available

Security Highlights

Core security practices that protect your data at every level of our platform.

Encryption at Rest

AES-256 encryption for all stored data

Encryption in Transit

TLS 1.2 / 1.3 for all communications

SSO & MFA

Enforced multi-factor authentication

Vulnerability Scanning

Continuous automated scanning & pen testing

Incident Response

Defined IR plan with <24hr notification

Role-Based Access

Least-privilege access controls

Secure SDLC

Security integrated into development lifecycle

Business Continuity

Redundant infrastructure & disaster recovery

Need our security documentation?

Request access to our SOC 2 report, ISO 27001 certificate, or execute a BAA for HIPAA compliance.

Continuous Monitoring

Our security controls are continuously monitored and validated. Below is a real-time view of our security posture across key categories.

Access Control

Unique user accounts

All users have individual, authenticated accounts

Multi-factor authentication

MFA enforced for all employees and contractors

Quarterly access reviews

Access rights reviewed and validated quarterly

Offboarding within 24hrs

Access revoked within 24 hours of termination

Data Protection

Data encrypted at rest

AES-256 encryption for all stored data

Data encrypted in transit

TLS 1.2+ for all network communications

Secure key management

Hardware-backed key storage and rotation

Backup & recovery tested

Regular backup and disaster recovery testing

Monitoring & Incident Response

24/7 security monitoring

Continuous infrastructure and application monitoring

Automated threat detection

SIEM-based alerting for anomalous activity

Incident response plan

Documented and tested IR procedures

Audit logging

Comprehensive logs retained and monitored

Secure Development

Secure SDLC

Security embedded in development lifecycle

Code review required

Peer review for all production code changes

Penetration testing

Annual third-party penetration tests

Dependency scanning

Automated vulnerability scanning of dependencies

Questions about our controls?

Our security team is happy to walk through any of our controls in detail.

Subprocessors

We work with trusted third-party service providers to deliver our platform. Each subprocessor is vetted for security and compliance.

Last reviewed: February 2026 · Subscribe to receive notifications when this list changes

Subprocessor	Purpose	Data Location	Compliance
Amazon Web Services	Cloud infrastructure & hosting	United States	SOC 2, ISO 27001, HIPAA
Microsoft Azure	Cloud services & compute	United States	SOC 2, ISO 27001, HIPAA
Anthropic (Claude)	AI language model processing	United States	SOC 2, HIPAA BAA
ElevenLabs	Voice AI & speech synthesis	United States	SOC 2
SendGrid (Twilio)	Transactional email delivery	United States	SOC 2, ISO 27001
Cloudflare	CDN, DDoS protection, Workers	Global (Edge)	SOC 2, ISO 27001
Vanta	Compliance automation & monitoring	United States	SOC 2, ISO 27001
Additional subprocessors	Contact us for the complete and most up-to-date list

Need the full subprocessor list?

Request access to our complete, maintained subprocessor registry with DPA details.

Security Documents

Access our compliance reports, certifications, and security policies. Some documents require NDA or access approval.

SOC 2 Type II Report

Full audit report with controls

🔒 NDA Required

ISO 27001 Certificate

Current certification document

🔒 Request

Business Associate Agreement

HIPAA BAA template

🔒 Request

Penetration Test Summary

Latest third-party pen test results

🔒 NDA Required

Privacy Policy

How we handle your data

Public ↗

Terms of Service

Service agreement terms

Public ↗

Acceptable Use Policy

Permitted use guidelines

Public ↗

Need a custom security review?

We're happy to complete your vendor security questionnaire or provide additional documentation.

Frequently Asked Questions

Common questions about our security practices, data handling, and compliance posture.

Where is my data stored?

All customer data is stored in the United States using AWS and Azure infrastructure. Data is encrypted at rest using AES-256 and in transit using TLS 1.2/1.3. Our infrastructure is deployed across multiple availability zones for redundancy.

How do you handle data retention and deletion?

We retain customer data only for as long as necessary to provide our services. Upon contract termination or customer request, data is securely deleted within 30 days. We provide data export capabilities so you can retrieve your data at any time.

Do you support SSO and MFA?

Yes. We support SAML-based single sign-on (SSO) for enterprise customers. Multi-factor authentication (MFA) is enforced for all Coworked employees and available for all customer accounts.

Is Coworked HIPAA compliant? Can you sign a BAA?

Yes, Coworked is HIPAA compliant. We implement all required administrative, physical, and technical safeguards. We execute Business Associate Agreements (BAAs) with customers who require HIPAA compliance. Contact our security team to request a BAA.

How does Coworked handle AI data processing?

Our AI processing is designed with privacy-first principles. Customer data sent to AI models is not used for model training. We use enterprise-grade API agreements with our AI providers (including Anthropic) that include data processing agreements and, where applicable, BAAs. All AI interactions are logged and auditable.

What is your incident response process?

We maintain a documented incident response plan that is tested regularly. In the event of a security incident, affected customers are notified within 24 hours. Our incident response includes containment, investigation, remediation, and post-incident review phases.

Can you complete our vendor security questionnaire?

Yes, we regularly complete vendor security questionnaires including SIG Lite, CAIQ, and custom formats. Please submit your questionnaire to our security team and we typically respond within 5 business days.

Do you perform penetration testing?

Yes. We engage independent third-party firms to conduct annual penetration tests of our infrastructure and applications. Critical and high findings are remediated promptly. A summary of results is available upon request under NDA.

Have a question not listed here?

Our security team is happy to answer any additional security or compliance questions.

Email Security Team

Trust Center

Compliance Certifications

SOC 2 Type II

ISO 27001

HIPAA

Security Highlights

Encryption at Rest

Encryption in Transit

SSO & MFA

Vulnerability Scanning

Incident Response

Role-Based Access

Secure SDLC

Business Continuity

Need our security documentation?

Request Access