Security & Procurement

Built for the IT director's review.

Tenant isolation at the query layer, role-gated endpoints, encrypted credentials, and rate-limited public surfaces. Designed to clear procurement.

Security posture

Defense in depth, not a marketing badge.


Multi-tenant isolation

Every organization is fully isolated. Tenant scoping is enforced at the query layer, not left as an application convention that each caller must remember. No tenant data is shared across organizations.
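
An added example, not WorkmanIQ's code, of what "enforced at the query layer" means in practice: a small Python store over an in-memory SQLite table where the org_id predicate is injected by the data-access layer rather than remembered by each caller. The table name, columns, sample rows, and the RequestContext type are assumptions made for the illustration; the unscoped query is shown only as the pattern the page says it avoids.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

SCHEMA = """
CREATE TABLE work_orders (
    id     INTEGER PRIMARY KEY,
    org_id TEXT NOT NULL,
    title  TEXT NOT NULL,
    status TEXT NOT NULL
);
"""

# Constructed sample rows: two organizations sharing one database.
SAMPLE_ROWS = [
    (1, "org-a", "Pothole on Main St", "open"),
    (2, "org-a", "Streetlight out", "assigned"),
    (3, "org-b", "Broken park bench", "open"),
]


@dataclass(frozen=True)
class RequestContext:
    """What the authenticated request carries; org_id comes from the session, never from input."""
    user_id: str
    org_id: str


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO work_orders VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_work_order_unscoped(conn: sqlite3.Connection, wo_id: int) -> Optional[tuple]:
    """Application-convention style: the caller is trusted to add the tenant filter (and here forgot)."""
    return conn.execute(
        "SELECT id, org_id, title, status FROM work_orders WHERE id = ?", (wo_id,)
    ).fetchone()


class TenantScopedStore:
    """Query-layer style: every statement built here carries the org_id predicate."""

    TABLE = "work_orders"  # fixed identifier, not user input, so safe to interpolate

    def __init__(self, conn: sqlite3.Connection, ctx: RequestContext):
        self._conn = conn
        self._ctx = ctx

    def _select(self, where_sql: str, params: tuple) -> sqlite3.Cursor:
        # The org_id predicate is ANDed in by the layer; callers cannot omit it.
        sql = (f"SELECT id, org_id, title, status FROM {self.TABLE} "
               f"WHERE org_id = ? AND ({where_sql})")
        return self._conn.execute(sql, (self._ctx.org_id, *params))

    def get(self, wo_id: int) -> Optional[tuple]:
        return self._select("id = ?", (wo_id,)).fetchone()

    def list_by_status(self, status: str) -> list:
        return self._select("status = ?", (status,)).fetchall()

    def update_status(self, wo_id: int, new_status: str) -> bool:
        """Writes are scoped too; rowcount 0 means the row is not this tenant's (or absent)."""
        cur = self._conn.execute(
            f"UPDATE {self.TABLE} SET status = ? WHERE org_id = ? AND id = ?",
            (new_status, self._ctx.org_id, wo_id),
        )
        return cur.rowcount == 1


def demo() -> dict:
    conn = open_db()
    # A user in org-b tries to reach org-a's work order #1 by id.
    store = TenantScopedStore(conn, RequestContext(user_id="u-42", org_id="org-b"))
    return {
        "unscoped_leaks_other_tenant": get_work_order_unscoped(conn, 1) is not None,
        "scoped_read_blocked": store.get(1) is None,
        "scoped_read_own": store.get(3)[1],
        "open_count_seen": len(store.list_by_status("open")),
        "cross_tenant_write": store.update_status(1, "closed"),
        "own_write": store.update_status(3, "closed"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the store is that a forgotten filter becomes impossible rather than merely unlikely. On PostgreSQL the same guarantee can be pushed one level lower with row-level security policies keyed on a session variable, so that even ad hoc queries carry the tenant predicate.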


Role-based access control

Six built-in roles: Requestor, Technician, Contractor, Supervisor, Admin, Executive. Endpoints are role-gated on the server; the UI additionally hides actions a user is not permitted to perform, but the hiding is a convenience, not the control.


Encrypted credentials

Per-organization API keys (OpenAI, integrations) are encrypted at rest. If no tenant key is set, the platform falls back to server-level configuration.


Encryption in transit

HTTPS-only across every surface. HSTS-eligible. Modern TLS, no legacy protocols.


Public surface protection

reCAPTCHA v3 and IP rate limiting on the citizen portal and any public webhooks. HTML sanitization on all user-supplied input.


Audit trail

Every mutation (status change, assignment, comment, edit) is logged with user, timestamp, and source. Each record's history can be replayed in full.

AI data handling

How AI uses your data, precisely.

Buyers ask this first. The answer is short: AI calls are scoped to the tenant, rate-limited, read-only for analytics, and never used to train third-party models.

Scoped & org-isolated

  • Every AI call is scoped to the calling user's organization, so there is no cross-tenant data exposure
  • The AI Assistant is read-only: it analyzes data, it does not modify it
  • Tenant-supplied OpenAI keys are honored when configured; otherwise platform keys are used

Rate-limited & tracked

  • Per-user rate limits (default 100 calls/hour) prevent runaway cost or abuse
  • Every AI call is logged with user, model, token usage, and outcome for audit
  • Cost-optimized models (GPT-5-mini) used for high-volume paths; flagship models for assistant & SOPs

What is sent to the model

  • Only the prompt context required for the task, not your entire database
  • Citizen PII (name, email, phone) is excluded from triage prompts unless required
  • Manufacturer PDFs you upload for SOP generation are sent only to extract structure
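
An added example, not the platform's code, of the AI-call path described in the three lists above (scoped to the caller's organization, per-user rate-limited, logged per call, and sent only the fields the task needs): a Python gateway in front of a stub model client. The field names, the sample work order, the stub client, and the regex masking of email and phone patterns inside free text are assumptions of this example; the page states only that PII fields are excluded from triage prompts. The limiter defaults to the page's 100 calls per hour; the demo uses 2 so the limit can be exercised.

```python
import json
import re
import time
from collections import defaultdict, deque

# Allow-list of fields a triage prompt needs; everything else stays home.
TRIAGE_FIELDS = ("id", "category", "location", "description", "reported_at")
PII_FIELDS = ("citizen_name", "citizen_email", "citizen_phone")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}")

# Constructed sample record: contact details appear both as fields and in free text.
SAMPLE_WORK_ORDER = {
    "id": "WO-1042", "org_id": "org-a", "category": "streetlight",
    "location": "4th Ave & Pine St", "reported_at": "2024-05-01T08:15:00Z",
    "description": "Light out for a week. Call me at 555-867-5309 or jane@example.com.",
    "citizen_name": "Jane Doe", "citizen_email": "jane@example.com",
    "citizen_phone": "555-867-5309",
}


def scrub_free_text(text: str) -> str:
    """Heuristic masking of email/phone patterns citizens type into descriptions (assumption)."""
    return PHONE_RE.sub("[phone]", EMAIL_RE.sub("[email]", text))


def build_triage_context(work_order: dict, include_pii: bool = False) -> dict:
    """Only the allow-listed fields leave the platform; PII fields only on explicit request."""
    ctx = {k: work_order[k] for k in TRIAGE_FIELDS if k in work_order}
    if "description" in ctx:
        ctx["description"] = scrub_free_text(ctx["description"])
    if include_pii:  # the "unless required" case
        ctx.update({k: work_order[k] for k in PII_FIELDS if k in work_order})
    return ctx


class SlidingWindowLimiter:
    """At most max_calls per user in any trailing window_s seconds."""

    def __init__(self, max_calls: int = 100, window_s: int = 3600, clock=time.monotonic):
        self.max_calls, self.window_s, self.clock = max_calls, window_s, clock
        self._calls = defaultdict(deque)

    def allow(self, user_id: str) -> bool:
        now = self.clock()
        q = self._calls[user_id]
        while q and now - q[0] >= self.window_s:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_calls:
            return False
        q.append(now)
        return True


class AIGateway:
    """Single choke point for model calls: scope check, rate limit, minimized prompt, audit entry."""

    def __init__(self, model_client, limiter: SlidingWindowLimiter, model: str = "triage-model"):
        self.model_client, self.limiter, self.model = model_client, limiter, model
        self.audit_log: list = []  # one entry per attempt, allowed or not

    def triage(self, user_id: str, org_id: str, work_order: dict):
        if work_order["org_id"] != org_id:  # caller's org comes from the session, not the request
            outcome, result, tokens = "denied_cross_tenant", None, 0
        elif not self.limiter.allow(user_id):
            outcome, result, tokens = "rate_limited", None, 0
        else:
            prompt = json.dumps(build_triage_context(work_order), sort_keys=True)
            result, tokens = self.model_client(prompt)
            outcome = "ok"
        self.audit_log.append({"user": user_id, "org": org_id, "model": self.model,
                               "tokens": tokens, "outcome": outcome})
        return outcome, result


def fake_model(prompt: str):
    """Stand-in for the real client (assumption); returns a canned answer and a rough token count."""
    return "priority: high", len(prompt) // 4


def demo():
    fake_now = [0.0]  # controllable clock so the window can be rolled forward
    limiter = SlidingWindowLimiter(max_calls=2, window_s=3600, clock=lambda: fake_now[0])
    gw = AIGateway(fake_model, limiter)
    wo = SAMPLE_WORK_ORDER
    outcomes = [gw.triage("u-1", "org-a", wo)[0] for _ in range(3)]  # third exceeds 2/hour
    fake_now[0] += 3601
    outcomes.append(gw.triage("u-1", "org-a", wo)[0])  # window rolled over, allowed again
    outcomes.append(gw.triage("u-1", "org-b", wo)[0])  # record belongs to org-a, refused
    return build_triage_context(wo), outcomes, gw.audit_log


if __name__ == "__main__":
    print(demo())
```

Two design notes. The audit entry is written on every path, including refusals, so a rate-limit or cross-tenant hit is visible in the log rather than silently dropped. And the prompt is built from an allow-list rather than by deleting known-sensitive keys, so a new column added to the record later does not reach the model until someone decides it should.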

What is not

  • Your data is not used to train third-party models (per OpenAI's API data usage terms)
  • The platform does not share tenant data across organizations, not for AI, not for benchmarking
  • You can disable AI features per-tenant if your jurisdiction prohibits them

Procurement

What procurement teams need.


Procurement-ready documentation

  • Security questionnaire responses (SIG-lite, CAIQ format)
  • Data Processing Addendum (DPA) on request
  • Standard MSA & SaaS subscription terms
  • Reference architecture & data-flow diagrams
  • Insurance certificates on request

Deployment & onboarding

  • Cloud-hosted SaaS, no servers to provision
  • Per-tenant subdomain or custom domain
  • Standard onboarding: divisions, roles, asset import in 2–4 weeks
  • You can start with one department and expand
  • CSV / ESRI import for existing assets & PMs

Government-friendly licensing

  • Per-organization pricing, no per-seat surprises
  • Annual or monthly billing
  • State / municipal cooperative purchasing welcome
  • No-cost pilot programs for qualifying agencies

Support & SLA

  • Direct line to engineering, no Tier 1 maze
  • Standard 99.9% uptime target
  • Status page for incidents & planned maintenance
  • Documented backup & restore procedures

Standards we align to

Familiar frameworks for IT review.

WorkmanIQ aligns its controls to recognized public-sector security frameworks. Formal certifications are added as the customer base requires.

NIST CSF aligned
OWASP ASVS practices
CJIS-aware design
SOC 2 roadmap

Need our security packet?

Send us your procurement requirements and we'll respond with the questionnaire, DPA, and reference architecture you need.

Request the packet