SOC 2 Type 2 compliance
Windmill is SOC 2 Type 2 compliant. This certification demonstrates our commitment to maintaining high standards for security, availability, and confidentiality. The full SOC 2 report is available upon request: contact support@gowindmill.com to receive a copy.

SOC 2 Type 2 certification means an independent auditor has verified our security controls over an extended period, not just at a single point in time.
Security measures
Encryption at rest
All data stored in Windmill is encrypted at rest. This helps protect sensitive data, including employee records, feedback, and activity data from your connected systems.

Encryption in transit
All data transmitted between Windmill and your browser, as well as between Windmill and integrated services, is encrypted using industry-standard TLS protocols.

Strict permissions enforcement
Windmill only shows you information you already have permission to access in the source application. This means we mirror the access controls from your connected systems: if you can't see it in Slack or Google Drive, you can't see it in Windmill.

Cookie policy
Windmill has a cookie policy in place to manage how our site tracks and stores data. You can review our full cookie policy on our website.

Admin access and permissions
Integration management
Only Admins are allowed to create or manage Integrations in Windmill. This ensures centralized control over which systems are connected and what data is accessible.

Required permissions by integration
To connect systems to Windmill, you'll need specific permissions for each integration:

HRIS
- BambooHR - Bamboo Administrator role
- ADP - HR Admin or Super User
- Paylocity - Company administrator
- Gusto - Full Access administrator role
- Justworks - Admin role
- Rippling - Admin access
- Front - Company administrator
- Zendesk - Administrator or Account Owner role
- Salesforce - Administrator role and your Salesforce Instance URL
- HubSpot - Admin role and your HubSpot Instance URL
- Jira - No explicit permission required, just a Jira account
- Linear - Administrator role
- Asana - Administrator role
- GitHub - Owner or Manager role
- Notion - Notion admin
- Google Workspace - Must be a Google Workspace Admin
- Zoom - Zoom account owner
- Slack - Ability to connect Slack to third-party applications and install Slack apps
- Roam - Administrator role
Access tiers
Windmill provides different access levels to ensure the right people can see the right information:
- Admin - Full access to all settings, connections, and team data
- Manager - Access to their direct reports' data and team insights
- Individual contributor - Access to only their own data and feedback

These tiers ensure that sensitive information is only visible to authorized personnel based on your org chart structure.

Additional resources
For more information about security and compliance:
- Visit our Trust Center
- Review our Privacy Policy
- Request our SOC 2 report at support@gowindmill.com
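The three access tiers described under "Access tiers" above can be modelled as a deny-by-default authorization check driven by the org chart. The block below is an added illustration, not Windmill's code: the tier names come from the page, while the user records, the org chart, the feedback records and the function names (`can_view`, `visible_records`) are constructed for the example. It grants managers their direct reports only, as the text states, so skip-level reports are not visible.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Tier names follow the page; the string values are an assumption.
ADMIN, MANAGER, IC = "admin", "manager", "ic"


@dataclass(frozen=True)
class User:
    user_id: str
    tier: str
    manager_id: Optional[str] = None  # who this user reports to (org chart edge)


# Constructed sample org chart: alice is an admin, bob manages carol and dave,
# erin reports to "frank", who is not part of this sample.
ORG: Dict[str, User] = {
    u.user_id: u
    for u in [
        User("alice", ADMIN),
        User("bob", MANAGER),
        User("carol", IC, manager_id="bob"),
        User("dave", IC, manager_id="bob"),
        User("erin", IC, manager_id="frank"),
    ]
}

# Constructed feedback records: (record_id, user the record is about).
RECORDS: List[Tuple[str, str]] = [
    ("r1", "carol"),
    ("r2", "dave"),
    ("r3", "erin"),
    ("r4", "bob"),
]


def can_view(viewer_id: str, subject_id: str, org: Dict[str, User] = ORG) -> bool:
    """Return True only if the viewer's tier grants access to the subject's data.

    Unknown users, unknown tiers and anything not explicitly granted are denied.
    """
    viewer = org.get(viewer_id)
    subject = org.get(subject_id)
    if viewer is None or subject is None:
        return False
    if viewer.tier == ADMIN:
        # Admin: full access to all team data.
        return True
    if viewer_id == subject_id:
        # Every tier can see its own data.
        return True
    if viewer.tier == MANAGER:
        # Manager: direct reports only, derived from the org chart edge.
        return subject.manager_id == viewer_id
    # Individual contributors (and any unrecognised tier) get nothing else.
    return False


def visible_records(
    viewer_id: str,
    records: List[Tuple[str, str]] = RECORDS,
    org: Dict[str, User] = ORG,
) -> List[str]:
    """Filter a record set down to what the viewer may see."""
    return [rid for rid, subject in records if can_view(viewer_id, subject, org)]


if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "erin"):
        print(who, "->", visible_records(who))
```

The filter is applied to every record set before it is returned, so a request for someone else's data from an individual contributor yields an empty list rather than an error that would confirm the record exists.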
FAQs
What version of encryption is used for data at rest?
Windmill uses AES-256 encryption for all data at rest. This encryption
is applied to all database instances, cache volumes, and automated backups.
All encryption keys are managed through AWS Key Management Service (KMS).
What version of encryption is used for data in transit?
All data transmitted to and from Windmill is encrypted using TLS 1.2 or
higher. This includes all external communications (such as your browser
and API calls to integrated services) and all internal service and
infrastructure communication.
Where is Windmill's data hosted?
Windmill’s infrastructure is hosted in Amazon Web Services (AWS)
datacenters in the United States.
Does Windmill undergo regular security testing?
Windmill undergoes regular security assessments including:
- Annual SOC 2 Type 2 audits by independent third-party auditors
- Automated vulnerability scanning of our application and infrastructure
- Penetration testing conducted by external security firms
- Code security reviews as a core part of our SDLC

Results from these assessments inform our security roadmap and continuous improvement efforts.