enterprise · single-tenant

A backend that passes vendor review.

SAML SSO, SCIM, SOC 2, dedicated cluster, TR-pin for KVKK. workeros's flexibility for engineering, contractual armor for legal and security.

Book a call → Security & compliance
SAML 2.0 SCIM 2.0 SOC 2 (in progress) GDPR · KVKK 99.99% SLA
vendor review — workeros 12 / 12
SSO (SAML 2.0) — Okta, AAD, GoogleP0
SCIM provisioning and deprovisioningP0
Encryption (in-transit + at-rest)P0
Audit log + IP allowlistP0
DPA (KVKK / GDPR compliant)P0
MSA — supports redlinesP1
Data residency — TR region pinP1
Pen-test report (annual)P1
Backup + DR planP1
Vendor security questionnaire (CAIQ)P2
Cyber insurance coverageP2
Vendor risk profile (low)P2
average vendor review — 11 business days 2026 Q1
enterprise pillars

Identity, compliance, isolation. A clear answer for each.

Identity

Connects to a single SSO provider; team members come from there. SCIM revokes access the moment IDP deprovisions.

  • SAML 2.0 — Okta · Azure AD · Google · JumpCloud · OneLogin
  • SCIM 2.0 user + group provisioning
  • JIT provisioning, IDP attribute mapping
  • Multi-IDP — separate provider per subsidiary
  • Workspace-level RBAC

Compliance

We know the vendor questionnaire — answers come in a package with redline-able contracts. CAIQ and pen-test report shared on NDA.

  • SOC 2 Type II (in progress, 2026 Q3)
  • GDPR — EU representative appointed
  • KVKK — TR resident entity, e-invoice, KVK Authority registered
  • DPA + SCC ready template
  • MSA supports redlines — 5 business days
  • Annual 3rd-party pen-test

Isolation

Single-tenant cluster — your own Cloudflare account + D1 + R2. KVKK? We pin primary to Istanbul; backups stay in TR.

  • Dedicated CF account + workeros instance
  • Region pin (IST, FRA, IAD, SYD, GRU)
  • Customer-managed encryption key (BYOK)
  • VPC-style access — IP allowlist + mTLS
  • Bring-your-own-domain — your own cert
SLA · credit policy

Numbers, not promises. Credits when missed.

99.99% uptime target. Every minute below earns automatic credit — no claim form needed.

Request sample SLA →
Uptime measured Credit Monthly bill discount
≥ 99.99%on target
99.95% – 99.99%10% credit-10%
99.90% – 99.95%25% credit-25%
< 99.90%50% credit-50%
measured by 1-minute external uptime probes · auto-applied end of month
process

From first call to production — 14 days.

01 day 0 – 1

Discovery call

30-min Zoom: use case, traffic volume, residency, compliance. We check whether you're migrating from another vendor.

02 day 1 – 5

Security packet

NDA → CAIQ, latest pen-test summary, architecture diagram, DPA + MSA templates. Legal redlines, we respond.

03 day 5 – 10

Pilot environment

Dedicated cluster spins up; SSO, IP allowlist, region pin, custom domain. 7-day free pilot.

04 day 10 – 14

Production + go-live

Contracts signed, Slack Connect channel opens, runbook delivered. Solution engineer pairs for the first month.

architecture

Per-tenant isolated layers.

Single-tenant cluster — own CF account, own D1, own R2. The only shared layer is workeros's control plane (read-only).

tenant plane · only you
WWorkers runtime
D1D1 pinned IST
R2R2 bucket BYOK
DODurable Objects realtime
NNeon Postgres optional
identity plane · your IDP
OOkta · AAD · Google
SAML 2.0 user auth
SCIM 2.0 provisioning
mTLS API → workeros
control plane · shared, read-only
Provisioning + billing
📊Uptime monitoring
🔄Migration jobs
no access to your data
contact

Let's talk first — then we'll talk tech.

30 minutes with a solution engineer. Demo, architecture review, price estimate, and a walkthrough of the security packet.

sales
sales@workeros.dev
security
security@workeros.dev
legal
legal@workeros.dev
office
İstanbul · Türkiye
Mecidiyeköy
avg response — 4 hours · Office hours: 09:00 – 19:00 TRT

Submitting accepts our Privacy Notice.