Public Monthly Procedures

Last updated: May 29, 2026

Purpose

These public procedures explain how WorkStudio prepares monthly transparency reports for users and interested parties. The goal is to show what assurance work is performed each month in a clear, safe, and non-technical way.

Public Report Rule

The public monthly report is a transparency artifact, not the internal operating evidence record. It summarizes outcomes and review status while the detailed evidence pack remains private.

Monthly Checks Performed Before The Report

1. Knowledge Hub reference review: help articles and public guidance references are checked for items that may have changed.
2. AI-assisted internal white-box security review: the current codebase and recent security-sensitive changes are reviewed from a code-aware perspective.
3. AI-assisted internal grey-box security test: a controlled normal-user test is performed using owned platform assets.
4. Encrypted backup download confirmation: the monthly off-provider backup handling step is confirmed.
5. Server file integrity review: the server file inventory is compared with the expected baseline.
6. CSP report-only review: browser Content-Security-Policy reports are reviewed before stricter enforcement decisions.
7. Admin access and MFA review: privileged accounts are reviewed and multi-factor authentication coverage is confirmed.
8. Restore drill confirmation: at least one relevant restore drill is confirmed or an exception is recorded.

Public Report Preparation

1. Complete the internal monthly report and monthly evidence checks.
2. Confirm which checks were performed, which checks need follow-up, and which checks were not applicable.
3. Convert internal check results to public-safe statuses: performed, performed with follow-up, not performed, or not applicable.
4. Convert detailed internal notes into user-friendly summaries.
5. Publish only high-level summaries and public-safe trends.
6. Keep internal evidence private unless a separate disclosure decision is made.

Public-Safe Content

• General availability and status position.
• Whether monthly backup, restore, security, access, evidence, and reference reviews were performed.
• Broad percentage-style activity trends, if approved.
• Public incident summaries, if any.
• High-level improvement themes.

Prohibited Content

Public reports must not expose information that could identify users, customers, internal systems, or security-sensitive details.

• Personal emails, account IDs, IP addresses, session IDs, workspace IDs, project IDs, or customer names.
• Internal file paths, backup object names, bucket names, file hashes, command lines, raw logs, or evidence filenames.
• Vulnerability details, exploit steps, CSP violation URLs, rate-limit details, or file-integrity findings.
• Supplier account details, control-panel details, DNS secrets, API keys, or private dependency notes.

Related

Return to the Trust Center or read the latest public monthly report.