GDPR-aligned data handling, an audit log on every entity, role-based access control, workspace-scoped encryption and SSO-ready architecture. Security is not an upsell.
Foundational controls applied to every account on every plan — not gated behind enterprise tiers.
Every create, update and delete is recorded with the actor, a before/after diff and the IP address — including a GDPR-relevant flag for compliance reporting.
RBAC v2 with a permissions catalog, scoped roles and team-aware assignments. Enforced in the database via row-level security policies.
Keys are SHA-256 hashed in the database, scoped to a single workspace, rotatable on demand and revocable instantly. No long-lived plaintext secrets.
Tiered rate limits on auth, AI calls, file uploads and webhook ingestion. Counters are persisted to survive cold starts.
TLS 1.2+ for every request. AES-256 at rest for the Postgres cluster, file storage and backups.
Production errors are captured, grouped and alerted on in real time, with PII scrubbing on the client and server SDKs.
Every entity table requires workspace_id. Service queries enforce it explicitly on top of RLS — two layers must agree before a row is returned.
Parent/child workspaces are fully isolated: separate data, separate branding, separate auth — no leakage between tenants.
GDPR, PEPPOL e-invoicing, PSD2 open banking — first-class, not retrofitted.
Built-in data export, deletion, retention and residency controls. Right-to-be-forgotten flows wired into the audit log.
EU electronic invoicing via two access-point providers (Peppox, Peppyrus). UBL 2.1 / PEPPOL BIS Billing 3.0.
PSD2-compliant feeds covering 18 European countries via Tink, Ponto and Salt Edge. Card payments through Stripe and Mollie.
Database, file storage and edge functions hosted in the EU. Data residency configurable per workspace.
The current list of third-party processors. We notify customers in advance of any material change.
Primary database, auth, storage, realtime (EU region)
Application hosting and edge network
Transactional email delivery
Programmable voice and SMS
Card payments and subscription billing
European card and SEPA payments
Error tracking and performance monitoring
Open banking (US & supported EU markets)
Open banking (EU)
Open banking (EU)
Open banking (Belgium / EU)
PEPPOL access point (e-invoicing)
PEPPOL access point (e-invoicing)
If you've found a security issue, please report it privately so we can fix it before it's exploited.
Email security@workestra.com with reproduction steps, affected endpoints and any proof-of-concept. We acknowledge reports within one business day and aim to triage within three. We do not currently run a paid bug bounty but credit researchers on request.
Please do not test against other customers' workspaces. A staging workspace can be provided on request for in-depth testing.
We share architecture diagrams, RLS policy walkthroughs and DPAs with prospective customers under NDA. Just ask.