Your time tracker knows a lot about your company. After all, it tracks your work hours, screenshots, payroll records, and project details. And you have every right to ask how it’s protected.
At WebWork, we protect your data at every layer, from the second it leaves your device to the day it’s deleted. Let’s go through those layers one by one.
Encryption While Your Data Travels
Every time you start the tracker, open a report, or log in, data travels between your device and our servers. Security teams call this data in motion, and it’s the first layer we protect.
All of that traffic is encrypted with SSL/TLS certificates issued by DigiCert, a globally trusted certificate authority. In practice, this means every connection to WebWork happens over HTTPS, whether you’re on the web app, the desktop tracker, or the mobile app. Your login credentials, tracked hours, and reports stay private on the way.
Our desktop and mobile apps communicate using TLS 1.2 and TLS 1.3, the current standards for encrypted connections. This is the same level of encryption banks and other financial institutions use to protect transactions.
Why does encryption in transit matter?
It prevents eavesdropping, tampering, and man-in-the-middle attacks. In other words, no one sitting between your device and our servers can read or change your data.
You can find the full technical details, including our certificate information, on our data in motion page.
How We Store and Encrypt Your Data
Once your data reaches our servers, it becomes what security teams call data at rest. And data at rest has its own set of protections.
We store your data on secure cloud servers, including Amazon S3 and Contabo. Everything stored there is encrypted with AES-256, one of the strongest encryption standards available and the same one used across the financial and government sectors.
Even if someone somehow got hold of the stored files, they would see encrypted data, not your actual information.
Password Protection
Passwords get special treatment. We never store your actual password. Instead, it’s converted into a scrambled value, known as a hash, through a one-way process that can’t be reversed. When you log in, we compare hash values, so your real password never sits in our database. This also protects against common attack methods like brute force attempts.
In 2024, we added another layer here: we separated our database servers from our application servers. The two now run in isolated environments, which means sensitive information is harder to reach and access to it is controlled much more tightly. Even if one part of the system is ever targeted, the data itself stays protected.
For a full breakdown of what we store, how we encrypt it, and how long we keep it, see our data at rest and retention page.
Extra Protection for Screenshots: Multi-Step Encryption
Screenshots are the most sensitive data a time tracker can hold. A single capture can include emails, client information, or even internal documents. So we built a dedicated security protocol for them: Multi-Step Encryption, developed by our own security team.
Here is how it works:
- Every screenshot gets a unique encryption token. No two files are protected the same way, so even in theory, there is no single key that could unlock everything.
- Each file then goes through a custom transformation using an algorithm our security team designed specifically for this purpose. This adds a layer of protection that doesn’t exist in standard encryption setups.
- Finally, the file is encrypted with AES-256-CBC, the industry-standard algorithm we also use for the rest of your stored data.
And there is one more layer on top of all that. Encrypted files are stored on Amazon Web Services with server-side encryption enabled, so AWS adds its own protection to files that are already encrypted multiple times.
The same protocol covers other media files too, including documents, receipts, and attachments your team uploads.
From the moment a file is created to the moment it’s deleted, it stays encrypted.
You can read the full protocol on our security innovations page.
Blocking Threats Before They Reach WebWork
A good amount of security work happens before any attack gets near your data. For this layer, we partner with Cloudflare, a global web security network that filters everything coming toward our platform.
Three of its protections do the heaviest lifting.
- DDoS protection keeps WebWork online even during attack-level traffic surges, so your team can keep tracking time without interruption.
- The Web Application Firewall blocks common attack methods like SQL injection and cross-site scripting before they reach our servers.
- And bot management separates malicious bots from genuine traffic, letting real users through while keeping automated threats out.
We also work with Intruder, a vulnerability scanning platform that continuously checks our websites, APIs, and infrastructure for weaknesses. It allows us to fix issues before anyone can exploit them.
And with Drata, we track access across our systems, detect unauthorized activity, and monitor our compliance with security standards around the clock.
You can see all of our partners and what each one covers on the security partners page.
If you’d rather see the platform itself than read about its defenses, you can try WebWork free for 14 days — every protection in this article is already running on day one.
Who Can See What Inside Your Workspace
Encryption protects your data from outsiders while access controls decide what people inside your own workspace can see — and this layer matters just as much, especially for monitoring data.
In WebWork, access follows roles. Employees see only their own data: their hours, their activity, their screenshots. Team Managers can access data for the teams they oversee, and Project Managers see their own data plus the projects they manage. Full workspace access belongs only to the Owner and Executive Managers. There is also a Project Viewer role, which gives read-only access to assigned projects and is useful for clients or stakeholders who need visibility without edit rights.
If the default roles don’t match how your company works, the Member Types feature lets you build custom permission sets, so every member gets exactly the access their responsibilities require and nothing more.
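The default role rules above written as a deny-by-default check, as an added example that is not WebWork's code. The role identifiers, the `Member` and `Record` fields, and the view/edit split are assumptions made for illustration, as is the choice that managers also see their own data; custom Member Types are not modelled.

```python
from dataclasses import dataclass

FULL_ACCESS = {"owner", "executive_manager"}


@dataclass(frozen=True)
class Member:
    member_id: str
    role: str
    teams: frozenset = frozenset()     # teams this member oversees
    projects: frozenset = frozenset()  # projects managed or assigned


@dataclass(frozen=True)
class Record:  # one piece of tracked data (hours, activity, a screenshot)
    owner_id: str
    team_id: str
    project_id: str


def can_access(actor: Member, rec: Record, action: str = "view") -> bool:
    """Deny by default; grant only what the role descriptions allow."""
    if action not in ("view", "edit"):
        return False
    if actor.role in FULL_ACCESS:
        return True
    if actor.role == "project_viewer":  # read-only, assigned projects only
        return action == "view" and rec.project_id in actor.projects
    own = rec.owner_id == actor.member_id
    if actor.role == "employee":
        return own
    if actor.role == "team_manager":  # own data assumed included
        return own or rec.team_id in actor.teams
    if actor.role == "project_manager":
        return own or rec.project_id in actor.projects
    return False  # unknown or misspelled role gets nothing


def visible_to(actor: Member, records: list) -> list:
    """Filter applied server-side before any data leaves the backend."""
    return [r for r in records if can_access(actor, r, "view")]


# Constructed sample data, not real workspace records.
RECORDS = [
    Record("alice", "design", "website"),
    Record("bob", "design", "mobile-app"),
    Record("carol", "backend", "website"),
]
```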
This structure does real work for employee trust. When your team knows their monitoring data is visible only to the people who need it, introducing a time tracker becomes a much easier conversation.
In 2025, we strengthened this layer further with detailed audit logs. Actions in the workspace are now logged, so there is always a clear record of who did what, and accountability works in both directions.
When Your Data Gets Deleted
Data protection also means that your data doesn’t stay around forever. Every piece of information in WebWork has a defined end point.
We delete screenshots automatically after 3, 6, or 12 months, depending on your package. You don’t have to wait for that, though, as you can delete screenshots and other media files manually at any time. And our automated processes remove files as soon as their retention period expires.
The same principle applies to your account as a whole. If you stop using WebWork for 6 consecutive months, we permanently delete your personal and workspace data.
And under GDPR, you have the right to request deletion of your data at any moment.
If you want the exact retention period for every data type we store, from invoices to chat files, our data at rest and retention page lists each one.
Compliance: GDPR, HIPAA, and CCPA
Along with technical protection, WebWork offers legal protection as well. WebWork complies with GDPR, HIPAA, and CCPA, and here is what each of those means for you.
GDPR
GDPR compliance means we collect, process, and store your data according to the EU’s data protection requirements, including your right to have your data deleted whenever you request it. If your company works with European clients or team members, WebWork already meets the standard they expect.
HIPAA
HIPAA compliance opens WebWork to healthcare teams. We’ve implemented the administrative, physical, and technical safeguards HIPAA requires for protected health information, and we work only with HIPAA-compliant third-party services. If your organization handles patient data, you can track time without creating a compliance gap.
CCPA
CCPA gives California residents the right to know what categories of personal information we collect, to access that data, and to request its deletion. We collect only what’s necessary to provide our services in the first place.
Two commitments apply across all of these. We do not sell, rent, or trade your personal data to anyone, under any circumstances. And we do not collect or process sensitive data categories like biometric data, religious beliefs, political opinions, or health information.
We monitor our security protocols, system performance, and service availability 24/7/365. On top of that continuous monitoring, we regularly audit our systems for vulnerabilities and run penetration tests, where security specialists actively try to break in so we can find weaknesses before anyone else does. Automated security tests run alongside all of this to keep standards consistent.
We also document this work publicly. Our security updates page records the improvements we make year by year: for example, upgraded code signing certificates and API security in 2023, database server segregation in 2024, and stronger media file protection in 2025. You can see exactly what changed and when, instead of taking our word for it.
And if you ever notice something that concerns you, let us know. Use the Share a Concern button on our Security page or at the bottom of your dashboard. Security feedback from our users has genuine value, and we treat it that way.