Walk Tools

Security

How we protect your data and keep the platform secure.

Effective March 1, 2026

Our Commitment

Security is a first-class concern at Walk Tools. Field teams trust us with inspection photos, site notes, and proprietary asset data. We take that responsibility seriously and apply multiple layers of technical and organizational controls to protect your information at every stage.

Infrastructure

The Walk Tools platform runs on Amazon Web Services (AWS) in the us-east-1 and us-west-2 regions, with automated failover and cross-region backup replication. All infrastructure is provisioned and managed using infrastructure-as-code with change management controls.

  • Isolated virtual private cloud (VPC) with strict network segmentation.
  • No direct public internet access to application servers or databases.
  • Web application firewall (WAF) and DDoS mitigation at the edge.
  • Automated vulnerability scanning of all deployed container images.

Data Encryption

All data is encrypted in transit and at rest:

  • In transit. All connections to Walk Tools are encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and send HSTS headers with a long max-age.
  • At rest. Customer data — including photos, notes, and reports — is encrypted at rest using AES-256. Encryption keys are managed via AWS Key Management Service (KMS) with automatic key rotation.
  • Database. Application databases use encryption at the storage layer and are not directly accessible from the public internet.

Access Controls

Access to customer data is restricted to authorized personnel and governed by role-based access control (RBAC):

  • Production systems are accessible only via VPN with MFA required.
  • Engineers do not have standing access to production databases. Access is granted on a just-in-time basis with full audit logging.
  • All internal access events are logged and reviewed. Logs are stored in a separate, tamper-evident log store.
  • Customer accounts support team-level access controls: administrators can invite members, assign roles, and revoke access at any time.

Employee Practices

  • All employees complete security awareness training upon joining and annually thereafter.
  • Background checks are performed for employees who may have access to production systems.
  • All employee devices are enrolled in mobile device management (MDM) with full-disk encryption, remote wipe capability, and automatic OS updates enforced.
  • Phishing simulation exercises are conducted quarterly to maintain security awareness.

Application Security

  • All code changes require peer review before merging. Security-sensitive changes require additional sign-off from the security team.
  • Static analysis (SAST) and dependency vulnerability scanning run automatically on every pull request.
  • Passwords are hashed using bcrypt with a high work factor. We do not store plaintext passwords at any point.
  • Session tokens are rotated on login and invalidated on logout. Sessions expire after 30 days of inactivity.
  • API rate limiting is enforced on all authenticated and unauthenticated endpoints.

Penetration Testing

We commission independent third-party penetration tests at least annually, targeting the web application, mobile clients, and underlying API. Critical and high-severity findings are remediated within 30 days of the report. We also run an ongoing private bug bounty program with vetted security researchers.

Compliance

Walk Tools is pursuing SOC 2 Type II certification, which audits our security, availability, and confidentiality controls against the AICPA Trust Services Criteria. Enterprise customers may request access to our current audit report under NDA.

Data processing agreements (DPAs) are available for customers subject to GDPR or CCPA. Contact legal@walktools.com to request a DPA.

Incident Response

We maintain a documented incident response plan that is tested annually. In the event of a confirmed breach affecting customer data, we will notify affected customers within 72 hours of becoming aware of the incident, in accordance with applicable law. Notifications will include the nature of the incident, data affected, steps taken to contain it, and recommended actions for customers.

Vulnerability Disclosure

If you discover a potential security vulnerability in the Walk Tools platform, please report it responsibly to security@walktools.com. Please include a description of the issue, steps to reproduce it, and potential impact. We will acknowledge your report within 2 business days and keep you updated on our progress. We ask that you give us 90 days to remediate before public disclosure.

Contact

Walk Tools, Inc. · Security Team · security@walktools.com