Security audits and certifications

Passwork's security is checked by independent third parties. This page lists the external audits and certifications we hold, with dates, the firms behind them, and links to the results. Security and procurement teams can complete their due diligence here.

Certifications

Certified

ISO/IEC 27001:2022

Information security management system certification

Passwork holds ISO/IEC 27001:2022 certification, the international standard for information security management. An accredited certification body assessed our information security management system against the standard's requirements and controls. The certificate can be verified by anyone through the IAF CertSearch global database.

  • Standard: ISO/IEC 27001:2022
  • Certification body: MSECB
  • Certificate issued: 2025-05-07
  • Valid until: 2028-05-06
  • Certificate number: CERT-001724
  • Publicly announced: June 2025

Verify the certificate on IAF CertSearch

Penetration testing

Certified

HackerOne penetration test

Independent penetration test

HackerOne, a leading platform for coordinated security testing and bug bounty programs, ran an independent penetration test of Passwork. The test examined how the product stores and protects data and how it holds up against current attack methods.

  • Type: Penetration test
  • Performed by: HackerOne
  • Results published: July 2025

Scope of the test

  • Secure data handling

    How sensitive data is stored, transmitted, and protected.

  • Web vulnerabilities

    A check against the OWASP Top 10 and SANS Top 25.

  • Authentication and authorization

    Login processes, session management, and access control.

  • API security and access control

    Endpoint validation and protection against unauthorized or malicious requests.

  • Incident detection and response

    Detecting, responding to, and recovering from security incidents.

  • Resilience against targeted attacks

    Defenses against advanced persistent threats.

Read the pentest results

Upcoming

We commission new audits as Passwork develops. The assessments below are planned. This page will be updated with the firm, date, and report for each one once it is complete.

  • Planned

    Software composition analysis (SCA)

    An independent review of the third-party and open-source components Passwork depends on, checked against known vulnerabilities.

  • Planned

    Source code audit

    An external review of the Passwork source code by a specialist security firm.

Due diligence resources

More detail on how Passwork is built and secured: