Blog / March 04, 2020

Moveworks achieves ISO 27001 certification

Vaibhav Nivargi, CTO

Kyle Hirai, Head of IT & Security


Great news! Moveworks has been certified under ISO 27001. 

ISO 27001 is a leading global standard for building a secure organization — one that guards both its corporate and customer assets against loss and unauthorized use. For Moveworks to become certified, an independent audit firm rigorously reviewed our approach to protecting the integrity of our organization and systems, as well as our measures to guard the confidentiality of the customer data with which we’ve been entrusted. In short, our ISO 27001 certification shows that Moveworks follows industry-leading practices to keep your information safe and to react effectively at the first sign of a security issue.

enterprise grade security iso

ISO 27001 certification marks a significant step in the security and compliance component of the Moveworks service, which has been integral to our company’s DNA from the very beginning. Most organizations take years to get certified — often overhauling their entire digital infrastructure in the process. But Moveworks managed to earn its certification just ten months after coming out of stealth mode, in large part because we’d structured not only our technical infrastructure but also our organization as a whole for robust security. 

AI security culture 

At a time when security breaches have become so frequent that we take them for granted, Moveworks views data protection as the critical foundation of our digital world. We believe that those who use online services should have the confidence to assume data privacy is a given — not a new source of risk. That’s why every single Moveworks employee and contractor undergoes comprehensive security training, while our leadership ensures all team members adhere to the Moveworks Information Security Management System, which enumerates internationally accepted best practices for data protection.

In addition, we’ve embraced several measures to comply with stringent data protection laws like GDPR and CCPA: for example, we grant data access only to those employees who need it and retain customer data for a limited time. Security is a primary consideration in every decision we make — not just for our technical teams but across the company — because businesses simply cannot succeed without the trust of their customers. 

AI security architecture 

The same logic applies to our array of best-in-class controls that ensure the confidentiality and integrity of customer data at all access points, since no digital infrastructure is immune to human error and malicious cyber-attacks. Sensitive information — including customer conversations, system keys, and tokens — is encrypted in transit and at rest. Moveworks stores encryption keys securely and rotates them periodically.

When it comes to our internal technology stack, we institute mandatory two-factor authentication for all employees on all applications where it is supported. And before deciding to implement a new third-party cloud service, we assess the type of data that would be stored there, as well as that vendor’s security practices to ensure they meet our high standards.

AI security readiness

Moveworks’ security readiness and vulnerability management efforts span our product lifecycle, from security-focused design reviews to external and internal security testing. During the product planning and design phase, we consider the potential security risks associated with each product or feature, including enhancements to our product’s cloud environment or a new system integration. We conduct biannual, third-party penetration tests and vulnerability scans on all such changes to our technology — always with an eye on eliminating risk and reinforcing our defenses against likely attack vectors.

Moveworks provides clear communication and fast handling of security events, as set forth in the Moveworks Incident Response Policy. Our state-of-the-art security stack detects potential incidents, allowing the Moveworks security team to respond quickly. We continuously evaluate our procedures and systems to keep pace with changes in the threat landscape.

An ongoing journey

Running a secure service has been a top focus of the Moveworks leadership and team since the company was founded, and we're pleased to have achieved ISO 27001 certification quickly as a result. But while this milestone validates our commitment to the integrity of the processes, people, and technology that power our machine learning platform, it has only inspired us to accelerate our security-related efforts moving forward. 

Indeed, getting ISO 27001 certified was just one of many pit stops on the security roadmap we created early on in our company’s journey. Among the future goals on that roadmap are SOC 2 compliance — Type 1 and Type 2 — as well as compliance with sector-specific regulations like HIPAA and FedRAMP.

Thank you for your continued support. To learn more, please contact us at

Table of contents

Subscribe to our Insights blog