WalkMe Security

  • WalkMe is approved by the most extensive compliance standards
  • WalkMe utilizes Amazon's top-tier secure cloud services
  • WalkMe's platform and infrastructure undergo routine pen-tests and are monitored continuously by dedicated teams
  • WalkMe's solution is non-obtrusive and does not collect, capture or use confidential data

An Industry Standard

WalkMe's Digital Adoption Platform (DAP) is used by over 1,000 companies worldwide, spanning all industries and sizes, including Fortune 500 cybersecurity, healthcare and financial enterprises.

Hosting and Infrastructure

WalkMe's Software-as-a-Service (SaaS) solution is available for both public and private clouds utilizing top-tier secure cloud services provided by Amazon and Akamai.

Compliance

WalkMe is ISO 27001:2013 certified for Information Security, SOC 2 certified to meet AICPA's Trust Security Principles, rated Skyhigh Enterprise-Ready, and has STAR Certification from the Cloud Security Alliance. The Digital Adoption Platform is also US-EU, US-Swiss Safe Harbor and Privacy Shield certified.

Penetration Tests and Monitoring

WalkMe's front-end and back-end applications, as well as its IT infrastructure, undergo routine annual pen-tests by independent companies. This is done in addition to Amazon AWS's own independent tests, periodic internal tests, and 24/7 monitoring of security-related events by dedicated teams.

Certifications and Accreditations

Security

ISO 27001 Information Security Certification

WalkMe received the International Organization for Standardization Certification for Information Security (ISO 27001:2013). The audit evaluated WalkMe's information security management system from product, infrastructure and organizational aspects, and verified that WalkMe has the necessary information security controls in place to ensure the confidentiality, integrity and availability of sensitive information assets.

Service Organization Control Type II

WalkMe completes periodic Service Organization Control Type II (SOC2) audits - one of the most demanding and strict international standards for security, availability, processing integrity, confidentiality and privacy.

STAR Certification

WalkMe achieved the STAR Certification from the Cloud Security Alliance (CSA). The STAR Certification is an internationally recognized cloud security certification program jointly developed by CSA and BSI, specializing in comprehensive and stringent cloud security.

Skyhigh CloudTrust

WalkMe's Digital Adoption Platform was awarded the Skyhigh CloudTrust rating of Enterprise-Ready by fulfilling a comprehensive set of requirements for data protection, identity verification, service security, business practices, and legal protection.

FIPS 140-2 (Level 1)

The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. To support customers with FIPS 140-2 requirements, we operate using FIPS 140-2 validated cryptographic modules.

Privacy

TRUSTe, Swiss/EU - U.S. Privacy Shield, GDPR

WalkMe's platform is certified under the Safe Harbor and Privacy Shield standards, providing a safe and regulated framework to transfer personal data from the EU to the US, including transmitting personal data from an AWS region in the European Economic Area (EEA) to one outside the EEA, in full compliance with EU data protection thanks to Amazon AWS's existing Data Processing Addendum, including Model Clauses (Data Processing Addendum) of which WalkMe is a signee.

We are in the final stages of complying with the GDPR and are working to put the appropriate processes in place to help our customers (the controllers of the data) comply with their obligations under the GDPR (such as providing the individual rights under the regulations if the customer chooses to process the data on the basis of the data subject's consent as defined in the GDPR). In the meantime, WalkMe is certified under the EU-US Privacy Shield and has all the necessary processes in place to comply with the EU directive currently in force, so using WalkMe for data subjects located in the EU shouldn't be a problem.

WalkMe is committed to the strictest obligations regarding the collection and processing of user data, and does not collect, accept, handle, process, receive, transmit or store any confidential, regulated, personal, private, sensitive, health or credit card information.

Architecture and Delivery

WalkMe Modules

Editor (Authoring/Admin Tool)

The WalkMe Editor is the central authoring and management tool used to create, maintain and deploy WalkMe's interactive components to digital platforms such as consumer websites and enterprise management systems. The Editor captures the metadata of HTML elements and assigns WalkMe's interactive components to those elements. Once published, the Editor generates static JavaScript (JS) files that are usually hosted on WalkMe's Amazon Cloud, and distributed through WalkMe's Akamai CDN for rapid access.

The WalkMe Player is an independent software module in the form of a code snippet or browser extension that overlays WalkMe's interactive components on top of websites and web applications, and embeds WalkMe's interactive components into a workflow or funnel, to guide users and gauge their behavior.

Architecture and delivery schema

Operations and Access Control

Service Models

WalkMe's typical SaaS model is set up on Amazon Web Services (AWS), with management servers located on Amazon EC2, and storage divided between Amazon RDS for secure data, and Amazon S3 for published content, which is distributed by Akamai CDN for fast download rates. WalkMe can store its files and data (the green elements in the diagram) on an internal server belonging to the customer. It can also deploy WalkMe's servers (the blue elements in the diagram) on a separately dedicated AWS, and in some cases even deploy the entire system in the customer's own datacenter.

Access Control

User Management and Permissions

WalkMe's platform has an integrated, comprehensive role-based user management and enforcement system.
Assigning roles to users requires authorization from the relevant parties in WalkMe, and application permissions are granularly controlled per action and screen. Eight default roles are built into the platform, including administrator, content creator, publisher and analytics access.
WalkMe allows customers to control multiple platforms and deployments, delegate usage and administrative permissions for the interactive components and GUI elements deployed by WalkMe, while maintaining central management of the entire deployment cycle.

Accountability and Security

Compartmentalization and Enforcement

WalkMe's internal corporate access control is centrally and manually managed based on strict need-to-know and least-privilege principles on all levels: Application (strong authentication), Network (segmentation, firewall), OS (access to servers), and Procedural (who is authorized to review/approve code, manage changes, etc.).

All internal duties within WalkMe are segregated between R&D (code development), DevOps (deployment) and Security (security controls). Access reviews are performed quarterly by the security team, including but not limited to firewall rules and user account permissions.

Intrusion Prevention and Detection

WalkMe has an extensive Security Information and Event Management (SIEM) system that collects security audit trail logs across infrastructure components in industry-standard formats (CEF and Syslog), using an Intrusion Detection System, for analysis and control.

WalkMe's SIEM alerts are based on comprehensive pre-defined scenarios, including identification of suspicious signs such as failed login attempts, logins from unknown and off-premise IP addresses or logins during off-hours.

SIEM alerts are monitored 24/7 by WalkMe's Security Operations Center (SOC) team. The SIEM prioritizes all alerts, notifies WalkMe's Security team in real time and escalates them according to severity.

Conclusion

As the Digital Adoption Platform market leader, backed with an uncompromising commitment to security and privacy, WalkMe is trusted by over a thousand companies worldwide, including Fortune 500 cybersecurity, healthcare and financial enterprises. WalkMe makes sure to comply with corporate, governmental and international regulations, maintaining and abiding by the strictest requirements, regulations and security measures at all levels - from its staff, through infrastructure and down to the finest details of its products and procedures.

WalkMe has received the most demanding international certifications in the industry, and offers its customers the ability to enforce corporate governance internally, while providing an overarching security umbrella - hosting WalkMe's infrastructure with top-tier cloud providers, actively monitoring customer security 24/7, and performing periodic independent pen-tests on WalkMe's platform and IT infrastructure.