WalkMe Security

  • WalkMe meets the most extensive compliance standards
  • WalkMe utilizes Amazon's top-tier secure cloud services
  • WalkMe's platform and infrastructure undergo routine pen-tests and are monitored continuously by dedicated teams
  • WalkMe complies with GDPR as a data processor in the provision of Walkme’s services to its customers and can make its Data Processing Addendum (DPA) available for execution

An Industry Standard

WalkMe is the digital adoption pioneer. Founded in 2011, WalkMe’s Digital Adoption Platform (DAP) is used by more than one thousand companies worldwide, spanning all industries, platforms and sizes, including 20% of Fortune 500 companies (in the cybersecurity, healthcare and financial sectors).

Hosting and Infrastructure

WalkMe’s Software-as-a-Service (SaaS) solution is available for both public and private clouds utilizing top-tier secure cloud services provided by Amazon and Akamai.

Compliance

WalkMe is ISO 27001:2013 certified for Information Security, SOC 2 certified to meet AICPA’s Trust Security Principals, rated Skyhigh Enterprise-Ready™, and has STAR Certification from the Cloud Security Alliance. The Digital Adoption Platform is also US-EU, US-Swiss Privacy Shield certified.

Penetration Tests and Monitoring

WalkMe’s front and back-end applications, as well as its IT infrastructure undergo routine annual pen-tests by independent companies. This is done in addition to Amazon AWS’s own independent tests, periodic internal tests, and 27/4 monitoring of security-related events by dedicated teams.

Certifications and Accreditations

Security

ISO 27001 Information Security Certification

WalkMe received the International Organization for Standardization Certification for Information Security (ISO 27001:2013). The audit evaluated WalkMe's information security management system from product, infrastructure and organizational aspects, and verified that WalkMe has the necessary information security controls in place to ensure the confidentiality, integrity and availability of sensitive information assets.

Service Organization Control Type II

WalkMe completed a Service Organization Control (SOC) 2 Type II audit, which is one of the most stringent international standards for security, availability, processing integrity, confidentiality and privacy.

STAR Certification

WalkMe also achieved a STAR Certification from the Cloud Security Alliance (CSA). STAR Certification is an internationally-recognized cloud security certification program jointly developed by CSA and BSI, that specifies comprehensive and stringent cloud security requirements for software vendors.

Skyhigh CloudTrust

WalkMe's Digital Adoption Platform was awarded the Skyhigh CloudTrust rating of Enterprise-Ready by fulfilling a comprehensive set of requirements for data protection, identity verification, service security, business practices, and legal protection.

FIPS 140-2 (Level 1)

The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. To support customers with FIPS 140-2 requirements, we operate using FIPS 140-2 validated cryptographic modules.

Privacy

TRUSTe, Swiss/EU - U.S. Privacy Shield, GDPR

WalkMe is accredited with the EU/Swiss-US Privacy Shield Certification by complying with a set of strict privacy principles established by the American Department of Commerce in conjunction with the European Union, and verified by TRUSTe (WalkMe is TRUSTe certified for data privacy). These include giving proper notice and a choice to opt out when collecting personal data, transferring information to third-parties only if they comply with similar privacy standards, allowing customers to access and update their own information, maintaining integrity through the proper use of customer information, providing adequate security of information, and ensuring proper enforcement.

WalkMe complies with GDPR as a data processor in the provision of Walkme’s services to its customers and can make its Data Processing Addendum (DPA) available for execution. In addition, we are devoted to helping our customers with their GDPR compliance processes by providing robust privacy and security protections built into our services and contracts.

By default, WalkMe does not collect personally identifiable information (PII) other than IP addresses in logs for security purposes, End Users’ geolocation (country and city in which they are located) and masked IP addresses for the ongoing operation of the WalkMe System, and assigns collected metadata to anonymous random GUID. Moreover, WalkMe collects and transfers environment properties such as browser and OS, page URL, and title.

Operations and Access Control

Service Models

Editor (Authoring\Admin Tool)

WalkMe’s typical SaaS model is set up on Amazon Web Services (AWS), with management servers located on Amazon EC2, and storage divided between Amazon RDS for secure data, and Amazon S3 for published content, which is distributed by Akamai CDN for fast download rates. WalkMe can store its files and data (the green elements in the diagram) on an internal server belonging to the customer, It can also deploy WalkMe’s servers (the blue elements in the diagram) on a separately dedicated AWS, and in some cases even deploy the entire system in the customer’s own datacenter.



Monitoring & Auditing

Intrusion Prevention and Detection

WalkMe has an extensive Security Information and Event Management system (SIEM), that collects security audit trail logs across infrastructure components in industry standard formats (CEF and Syslog) using an Intrusion Detection System and for analysis and control.

WalkMe’s SIEM alerts are based on comprehensive pre-defined scenarios, including identification of suspicious signs such as failed login attempts, logins from unknown and off-premise IP addresses or logins during off-hours.

SIEM alerts are monitored 24/7 by WalkMe’s Security Operations Center (SOC) team. The SIEM prioritizes all alerts, notifies WalkMe’s Security team in real time and escalates them according to severity.

Operations and Access Control Access Control

User Management and Permissions

WalkMe’s platform has an integrated, comprehensive role-based user management and enforcement system.
Assigning roles to users requires authorization from the relevant parties in WalkMe, and application permissions are granularly controlled per action and screen. Eight default roles are built into the platform, including: administrator, content creator, publisher, analytics access, etc.
WalkMe allows customers to control multiple platforms and deployments, delegate usage and administrative permissions for the interactive components and GUI elements deployed by WalkMe, while maintaining central management of the entire deployment cycle.

WalkMe’s internal corporate access control is centrally and manually managed based on strict need-to and least-privileged principles on all levels: Application (strong authentication), Network (segmentation, firewall), OS (access to servers), and Procedural (who’s authorized to review/approve code, manage changes, etc.).

All internal duties within WalkMe are segregated based on duties between R&D (code development), DevOps (deployment) and Security (security controls). Periodic access reviews are done quarterly by the security team, including but not limited to: firewall rules, user accounts permissions etc.

Conclusion

As the Digital Adoption Platform market leader, backed with an uncompromising commitment to security and privacy, WalkMe is trusted by over a thousand companies worldwide, including Fortune 500 cybersecurity, healthcare and financial enterprises. WalkMe makes sure to comply with corporate, governmental and international regulations, maintaining and abiding by the strictest requirements, regulations and security measures at all levels – from its staff, through infrastructure and down to the finest details of its products and procedures.

WalkMe has received the most demanding international certifications in the industry, and offers its customers the ability to enforce corporate governance internally, while providing an overarching security umbrella – hosting WalkMe’s infrastructure with top-tier cloud providers, actively monitoring customer security 24/7, and performing periodic independent pen-tests on WalkMe’s platform and IT infrastructure.

Our site and services use cookies. By continuing to use our site or services you are agreeing to our Privacy and Cookie Policy available here CONTINUE