WalkMe Security

  • WalkMe meets the most extensive compliance standards
  • WalkMe utilizes Amazon's top-tier secure cloud services
  • WalkMe's platform and infrastructure undergo routine pen-tests and are monitored continuously by dedicated teams
  • WalkMe complies with GDPR as a data processor in the provision of WalkMe’s services to its customers and can make its Data Processing Addendum (DPA) available for execution

An Industry Standard

WalkMe is the digital adoption pioneer. Founded in 2011, WalkMe’s Digital Adoption Platform (DAP) is used by nearly two thousand companies worldwide, spanning all industries, platforms and sizes, including 30% of Fortune 500 companies in the cybersecurity, healthcare and financial sectors.

Hosting and Infrastructure

WalkMe’s Software-as-a-Service (SaaS) solution is available for both public and private clouds utilizing top-tier secure cloud services provided by Amazon and Akamai.

Compliance

WalkMe is ISO 27001:2013 certified for Information Security, SOC 2 certified against AICPA’s Trust Services Principles, rated Skyhigh Enterprise-Ready™, and holds STAR Certification from the Cloud Security Alliance. The Digital Adoption Platform is also US-EU and US-Swiss Privacy Shield certified.

Penetration Tests and Monitoring

WalkMe’s front-end and back-end applications, as well as its IT infrastructure, undergo routine annual pen-tests by independent companies. This is done in addition to Amazon AWS’s own independent tests, periodic internal tests, and 24/7 monitoring of security-related events by dedicated teams.

Certifications and Accreditations

Security

ISO 27001 Information Security Certification

WalkMe received the International Organization for Standardization Certification for Information Security (ISO 27001:2013). The audit evaluated WalkMe's information security management system from product, infrastructure and organizational aspects, and verified that WalkMe has the necessary information security controls in place to ensure the confidentiality, integrity and availability of sensitive information assets.

ISO 27017 Cloud Specific Controls

ISO 27017 provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO 27002 and ISO 27001 standards. This standard provides additional information security controls implementation guidance specific to cloud service providers. WalkMe's attestation to the ISO 27017:2015 guidance demonstrates our ongoing commitment to align with globally recognized best practices, and verifies that WalkMe has a system of highly precise controls in place that are specific to our cloud services.

ISO 27018 Personal Data Protection (PII)

ISO 27018 is a standard that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to public cloud personally identifiable information (PII). It also provides a set of additional controls and associated guidance intended to address public cloud PII protection requirements not addressed by the existing ISO 27002 control set. Alignment demonstrates to customers that WalkMe has a system of controls in place that specifically addresses the privacy protection of their content. WalkMe's alignment (as verified by a third-party assessment) with this internationally recognized code of practice demonstrates WalkMe's commitment to the privacy and protection of customers' content. By following the standards of ISO/IEC 27001 and the code of practice embodied in ISO/IEC 27018:2014, WalkMe — the first Digital Adoption Platform to incorporate this standard — demonstrates that its privacy policies and procedures are robust and in line with its high codes of practice, namely:

  • WalkMe customers can know where their data is stored.
  • Customer data won’t be used for marketing or advertising without explicit consent.
  • WalkMe customers know what’s happening with their PII.
  • WalkMe will comply only with legally binding requests for disclosure of customer data.

ISO 27799 Security Management in Health (PHI)

ISO 27799 gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of ISO/IEC 27002 controls in health informatics, and is a companion to that International Standard. ISO 27799 provides implementation guidance for the controls described in ISO/IEC 27002 and supplements them where necessary, so that they can be effectively used for managing health information security. By implementing ISO 27799:2016, WalkMe is able to ensure a high level of security that is appropriate to healthcare organizations and other custodians of health information, and that will maintain the confidentiality, integrity and availability of personal health information in their care. At least once a year, WalkMe is audited for compliance with ISO 27799:2016 by an accredited third-party certification body, providing independent validation that applicable security controls are in place and operating effectively. As part of this compliance verification process, the auditors validate in their statement of applicability that WalkMe has incorporated the ISO 27799 controls for security management in health, ensuring that WalkMe protects its customers’ protected health information (PHI). To remain compliant, WalkMe must undergo annual third-party reviews.

ISO 27032 Guidelines for Cybersecurity

WalkMe is ISO/IEC 27032 certified for Guidelines for Cybersecurity. ISO/IEC 27032:2012 provides guidance for improving the state of cybersecurity, drawing out the unique aspects of that activity and its dependencies on the information security, network security, internet security, and critical information infrastructure protection (CIIP) domains. By complying, WalkMe facilitates secure and reliable collaboration that protects the privacy of our customers and helps to prepare for, detect, monitor, and respond to cybersecurity incidents.

Service Organization Control 2 Type II - Security, Availability, & Confidentiality Report

WalkMe completed a Service Organization Control (SOC) 2 Type II audit, which is one of the most stringent international standards for security, availability, processing integrity, confidentiality and privacy. Our commitment to the SOC 2 Type II report is ongoing, and periodic audits are performed on a regular basis.

Service Organization Control 3 Type II - General Controls Report

We have a SOC 3 Type II General Use Report, demonstrating that WalkMe has met the AICPA auditable trust services principles (security, availability, processing integrity, confidentiality and privacy), which is publicly available for free distribution without prior need for an NDA. The report's primary purpose is to provide customers and users with a business need with an independent assessment of WalkMe's control environment relevant to system security, availability, and confidentiality, without disclosing WalkMe internal information. The examination was performed under SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements, and under TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, 2017 Trust Services Criteria).

STAR Certification

WalkMe also achieved a STAR Certification from the Cloud Security Alliance (CSA). STAR Certification is an internationally recognized cloud security certification program jointly developed by CSA and BSI that specifies comprehensive and stringent cloud security requirements for software vendors.

Skyhigh CloudTrust™

WalkMe's Digital Adoption Platform was awarded the highest Skyhigh CloudTrust™ rating of Enterprise-Ready™ by fulfilling a comprehensive set of requirements for data protection, identity verification, service security, business practices, and legal protection.

FIPS 140-2 (Level 1)

The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. To support customers with FIPS 140-2 requirements, we operate using FIPS 140-2 validated cryptographic modules.

Privacy

GDPR, Swiss/EU - U.S. Privacy Shield, HIPAA

WalkMe complies with GDPR as a data processor in the provision of WalkMe’s services to its customers and can make its Data Processing Addendum (DPA) available for execution. In addition, we are devoted to helping our customers with their GDPR compliance processes by providing robust privacy and security protections built into our services and contracts.

By default, WalkMe does not collect personally identifiable information (PII) other than IP addresses in logs for security purposes, end-users’ approximate geolocation (the country and city in which they are located) and masked IP addresses for the ongoing operation of the WalkMe system, and assigns collected metadata to an anonymous random GUID. In addition, WalkMe collects and transfers environment properties such as browser and OS, page URL, and page title.

WalkMe is accredited with the EU/Swiss-US Privacy Shield Certification by complying with a set of strict privacy principles established by the U.S. Department of Commerce in conjunction with the European Union, and verified by TrustArc (formerly known as TRUSTe; WalkMe is TrustArc certified for data privacy). These include giving proper notice and a choice to opt out when collecting personal data, transferring information to third parties only if they comply with similar privacy standards, allowing customers to access and update their own information, maintaining integrity through the proper use of customer information, providing adequate security of information, and ensuring proper enforcement.

The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act set national standards for the privacy and security of electronic protected health information. These standards ensure that WalkMe implements and adheres to all physical, network, and process security measures related to protected health information.

Operations and Access Control

Service Models

Editor (Authoring/Admin Tool)

WalkMe’s typical SaaS model is set up on Amazon Web Services (AWS), with management servers located on Amazon EC2, and storage divided between Amazon RDS for secure data and Amazon S3 for published content, which is distributed by the Akamai CDN for fast download rates. WalkMe can store its files and data (the green elements in the diagram) on an internal server belonging to the customer. It can also deploy WalkMe’s servers (the blue elements in the diagram) in a separate, dedicated AWS environment, and in some cases even deploy the entire system in the customer’s own datacenter.

Monitoring & Auditing

Intrusion Prevention and Detection

WalkMe has an extensive Security Information and Event Management (SIEM) system that collects security audit trail logs from infrastructure components in industry-standard formats (CEF and Syslog), fed by an Intrusion Detection System, for analysis and control.

WalkMe’s SIEM alerts are based on comprehensive pre-defined scenarios, including identification of suspicious signs such as failed login attempts, logins from unknown and off-premise IP addresses, or logins during off-hours.

SIEM alerts are monitored 24/7 by WalkMe’s Security Operations Center (SOC) team. The SIEM prioritizes all alerts, notifies WalkMe’s Security team in real time and escalates them according to severity.
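As an added illustration (not WalkMe's code), the following Python applies the three alert scenarios named above to constructed CEF log lines and orders the resulting alerts by severity. The vendor name, the extension field names, the corporate IP range, the business-hours window and the failure threshold are all assumptions.

```python
from datetime import datetime
import ipaddress
import re

# Constructed sample CEF lines (not real WalkMe telemetry). Extension field "rt" carries
# the event time as an ISO-8601 UTC timestamp, "src" the client IP and "suser" the user.
SAMPLE_LOGS = [
    "CEF:0|ExampleVendor|AuthSvc|1.0|100|Login failed|3|rt=2024-03-04T10:01:00Z src=10.0.5.20 suser=alice",
    "CEF:0|ExampleVendor|AuthSvc|1.0|100|Login failed|3|rt=2024-03-04T10:01:20Z src=10.0.5.20 suser=alice",
    "CEF:0|ExampleVendor|AuthSvc|1.0|100|Login failed|3|rt=2024-03-04T10:01:45Z src=10.0.5.20 suser=alice",
    "CEF:0|ExampleVendor|AuthSvc|1.0|101|Login success|1|rt=2024-03-04T11:30:00Z src=10.0.5.21 suser=bob",
    "CEF:0|ExampleVendor|AuthSvc|1.0|101|Login success|1|rt=2024-03-04T03:15:00Z src=10.0.5.22 suser=carol",
    "CEF:0|ExampleVendor|AuthSvc|1.0|101|Login success|1|rt=2024-03-04T12:00:00Z src=203.0.113.9 suser=dave",
]

ON_PREMISE = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate address range
BUSINESS_HOURS = range(8, 19)                       # assumed 08:00-18:59 UTC
FAIL_THRESHOLD, FAIL_WINDOW_S = 3, 300              # assumed: 3 failures within 5 minutes

def parse_cef(line):
    """Split a CEF line into its seven header fields plus a dict of key=value extensions.
    Escaped pipes (\\|) inside header fields are not handled in this simplified parser."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    ext = dict(re.findall(r"(\w+)=(\S+)", parts[7]))
    return {"sig": parts[4], "name": parts[5], "severity": int(parts[6]), **ext}

def detect(lines):
    """Apply the three scenario rules; return (rule, user, severity) tuples, highest severity first."""
    alerts, failures = [], {}
    for ev in map(parse_cef, lines):
        ts = datetime.fromisoformat(ev["rt"].replace("Z", "+00:00"))
        user, src = ev["suser"], ipaddress.ip_address(ev["src"])
        if ev["name"] == "Login failed":
            # Sliding window of recent failures per user; alert once the threshold is reached.
            window = [t for t in failures.get(user, []) if (ts - t).total_seconds() <= FAIL_WINDOW_S]
            window.append(ts)
            failures[user] = window
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("repeated_failed_logins", user, 7))
        elif ev["name"] == "Login success":
            if not any(src in net for net in ON_PREMISE):   # unknown / off-premise source
                alerts.append(("login_from_offpremise_ip", user, 8))
            if ts.hour not in BUSINESS_HOURS:               # off-hours login
                alerts.append(("login_off_hours", user, 5))
    return sorted(alerts, key=lambda a: a[2], reverse=True)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

On the sample lines this yields one alert per scenario: dave's off-premise login (severity 8), alice's three failed attempts (7) and carol's 03:15 login (5).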

Access Control

User Management and Permissions

WalkMe’s platform has an integrated, comprehensive role-based user management and enforcement system. Assigning roles to users requires authorization from the relevant parties in WalkMe, and application permissions are granularly controlled per action and screen. Eight default roles are built into the platform, including administrator, content creator, publisher and analytics access.

WalkMe allows customers to control multiple platforms and deployments and to delegate usage and administrative permissions for the interactive components and GUI elements deployed by WalkMe, while maintaining central management of the entire deployment cycle.

WalkMe’s internal corporate access control is centrally and manually managed based on strict need-to-know and least-privilege principles at all levels: Application (strong authentication), Network (segmentation, firewall), OS (access to servers), and Procedural (who is authorized to review/approve code, manage changes, etc.).

Internal duties at WalkMe are segregated between R&D (code development), DevOps (deployment) and Security (security controls). Periodic access reviews are performed quarterly by the security team, covering, among other things, firewall rules and user account permissions.

Conclusion

As the Digital Adoption Platform market leader, backed by an uncompromising commitment to security and privacy, WalkMe is trusted by nearly two thousand companies worldwide, including Fortune 500 cybersecurity, healthcare and financial enterprises. WalkMe makes sure to comply with corporate, governmental and international regulations, maintaining and abiding by the strictest requirements, regulations and security measures at all levels – from its staff, through infrastructure and down to the finest details of its products and procedures.