Security
Data Centre Security
WorkMobile is hosted on Microsoft Azure, a global cloud platform with a defence-in-depth approach to data centre security. Azure facilities are purpose-built and nondescript, with perimeter fencing, professional 24/7 security officers, continuous CCTV monitoring and intrusion detection. Physical access is tightly controlled through pre-approved access requests, and movement inside requires two-factor authentication with biometrics; highly sensitive areas demand additional checks. Entry to data hall floors involves screening and server racks are camera-monitored front and back. Azure’s private backbone also adds protection with default data-link-layer encryption for traffic within and between regions. 
Microsoft maintains an extensive set of independent audits and attestations for Azure, including ISO/IEC 27001, PCI DSS v4.0 Service Provider Level 1, and SOC 1/2/3 reports. Customers can review audit artifacts and certificates via Microsoft’s Service Trust Portal, and explore the full list of Azure compliance offerings in the Azure Compliance documentation.
Data Encryption in Transit and at Rest
All data sent to and from our Webservers and across the mobile infrastructure is via SSL3.0/TLS 2.1 (TLS_RSA_WITH_AES_128_CBC_SHA), with certificates provided by Verisign, we ensure that your data is kept secure whilst transmitted across the public network. Data at rest is stored encrypted rest onec it arrives within our infrastructure.
Backup and Availability
WorkMobile runs on Microsoft Azure SQL Managed Instance, giving built-in high availability and automatic backups. It’s designed for 99.99% uptime and fast recovery if there’s ever an issue.
All media lives in Azure Blob Storage with multiple copies kept by default. For extra resilience, data can also be replicated across separate UK regions, so a hardware fault doesn’t mean data loss.
Azure handles operating-system and database security updates for us. We set maintenance windows so updates happen predictably and with minimal service impact.
We target a 30-minute Recovery Point Objective. If needed, we can roll databases and media back to a precise point in time within the configured retention period.
Application Security
We treat application security as a first-class feature—baked into design, build and operations—so risks are reduced early and resilience is part of the product, not an afterthought.
We use a Secure Software Development Lifecycle with peer code reviews and automated security tests and
run regular independent penetration tests and ongoing vulnerability scans, so weaknesses are identified proactively and addressed before attackers can exploit them.
Governance
We’re Cyber Essentials certified, a UK government-backed assurance that our defences meet the scheme’s five core controls (firewalls, secure configuration, access control, malware protection and security-update management). This certification demonstrates we protect against the most common online threats and gives customers and partners confidence in our security posture; it’s renewed annually to keep pace with changing risks.