Security Overview

Last updated: April 19, 2026

1. Purpose

This page provides a practical summary of the current security baseline for WorkStudio.Online. It is intended as a trust and due-diligence aid, not as a promise of perfect security or a substitute for the full legal documents.

2. Service Model

WorkStudio.Online is a browser-based software service that supports personal, company, and project work across documents, tables, planning, files, workspace layouts, workflow support, and forum collaboration.

3. Current Security Baseline

• HTTPS in production: the current operational baseline requires HTTPS-only production use.
• Password hashing: account passwords are stored as password hashes, not plaintext.
• Session protection: session cookies are configured as HttpOnly, use SameSite=Lax, and are marked Secure when HTTPS is detected.
• Request protection: POST endpoints require a CSRF token.
• Rate limiting: sensitive flows such as login, password recovery, activation resend, and selected admin actions are rate-limited.
• Operational logging: WorkStudio maintains audit and activity logs for security-relevant and operational events.
• Context-aware storage: service-side storage is resolved by personal, company, and project context.

4. Data Handling and Cloud Scope

WorkStudio processes account data, content and file data, document metadata, security and access data, usage and operational logging data, support communications, and billing-related service data received through Paddle.

WorkStudio public privacy documentation currently states that the service is hosted on Google Cloud Platform infrastructure in Europe.

5. Providers Used To Operate The Service

• Google Cloud Platform: hosting and infrastructure.
• Paddle: checkout, invoicing, billing, and tax handling as merchant of record.
• Brevo: transactional email delivery.
• Namecheap: mailbox hosting or routing for support contact paths.
• OpenAI: optional AI-backed features used inside the service.

6. Backup and Recovery Position

WorkStudio maintains backup and restore procedures for core service data and is expanding its launch evidence set for wider platform backup coverage and restore-drill verification.

7. Shared Responsibility

WorkStudio is responsible for the hosted service, service-side access and request controls, server-side storage handling, logging, and supporting provider management. Customers remain responsible for securing their own endpoint devices, managing their own invited users, and deciding what content and personal data they upload or process through the service.

8. Incident and Status Communication

If a material service-wide incident or planned maintenance event needs to be communicated publicly, updates are intended to appear on the Status page. Privacy, billing, legal, and account-specific matters should be sent to mail@workstudio.online.

9. Related Documents

Read this page together with our Privacy Policy, Data Processing Addendum (DPA), Support Policy, Legal Notice, and Status page.