Work Buddy Program
How it works

Lightweight on purpose. Built to pass IT review.

Work Buddy Program is designed to slot into education, non-profits, and large public-sector organizations without becoming another heavy SaaS dependency. Every program is scoped to a single room, participation is email-less by default, and the security and AI posture is documented in plain language for the people doing the review.

The mechanics

Participants join a room with a hyperlink and a display name — no email, no password, no account. Facilitators authenticate so they can come back across devices.

Hyperlink invites

Facilitators share a link. Participants join by name. No mailing lists, no inbox onboarding, no password resets to defend against.

Room-scoped data

Each program lives at /r/{slug} as an isolated dataset. Pairings, bingo, points, and the connection map never cross room boundaries.

Anonymous by default

Participants join with just a display name — no email, no account. Facilitators sign in so the room can be managed from any device and lifecycle emails can reach them.

Server-enforced isolation

Row-level security on the backend enforces room boundaries — not just the UI. All traffic is encrypted over HTTPS/TLS.

Ephemeral by design

Free rooms auto-delete after 30 days of inactivity, with a 7-day warning email so facilitators can keep or remove them. Pro and Enterprise rooms persist for the life of the subscription with configurable retention.

AI that stays in the room

When AI features are enabled, they only see data inside that single room and only produce summary signals. Customer data is never used to train models.

Data safety & security

Security guarantees by tier

Each tier inherits everything below it. Open a brief for the long-form details written for IT and security reviewers.

Free

Email-less participation, facilitator-bound rooms.

  • Anonymous participants — no email needed to join
  • Rooms bound to the facilitator's account
  • Per-room data isolation (server-enforced)
  • Auto-delete after 30 days of inactivity (7-day warning email)
  • HTTPS/TLS everywhere

Most popular

Pro

Persistent, cross-device, accountable.

  • Everything in Free
  • Facilitator account binding (cross-device)
  • Persistent cloud-backed storage with backups
  • Role-based access within a room
  • Facilitator email is the only PII collected

Enterprise

SSO, audit, DPA — ready for procurement.

  • Everything in Pro
  • SAML / OIDC single sign-on
  • Audit logs & configurable data retention
  • Self-serve export & delete
  • DPA, MSA, and security questionnaire on request

Our AI statement

Work Buddy Program is intentionally lightweight and ephemeral — designed to slot into education, non-profits, and large public entities without becoming another heavy SaaS dependency. Where we use AI, we use it narrowly and transparently.

  • AI features only operate on the data inside a single room — never across rooms, never across customers.
  • Only aggregate signals are produced: sentiment summaries, themes, participation stats. Raw participant content is not exposed back to facilitators in ways it wasn't already.
  • No customer data is used to train foundation models. Calls go through a managed gateway with no-training terms.
  • Because participation is email-less by default, AI prompts contain no participant PII.
  • AI features are opt-in and can be disabled per room by the facilitator at any time.
  • No third-party advertising trackers, no participant profiling, no resale of any data.

Security review summary

A descriptive, plain-language summary intended for IT, security, and procurement reviewers. Copy the full text into a vendor questionnaire, ticket, or email and forward it as-is — it references workbuddyprogram.com and includes everything below in prose form.

Transport
All traffic to and from workbuddyprogram.com is encrypted over HTTPS/TLS, including page loads, API calls, and asset delivery.
Authentication
Only facilitators authenticate. Participants join through a per-room hyperlink and a chosen display name — no participant account, password, or email is required.
Authorization
Each program lives at /r/{slug} as an isolated dataset, with row-level security enforced server-side so a request scoped to one room can never read or write another room's data.
PII minimization
Participants never provide email addresses. Facilitators sign in with an email (or SSO on Enterprise); no participant PII is collected.
Data retention
Free rooms are auto-deleted after 30 days of inactivity, with an email warning to facilitators 7 days before deletion. Pro and Enterprise rooms persist for the life of the subscription with configurable retention.
AI use
AI features are opt-in per room, operate only on the data inside that single room, produce summary-only outputs (sentiment/themes/participation), and run through a managed gateway with no-training terms. No participant PII is sent to model providers.
Hosting & backups
Hosted on a managed cloud backend with encrypted-at-rest storage and automated encrypted backups for Pro and Enterprise tiers.
Export & deletion
Facilitators can export and delete room data at any time. Enterprise customers get self-serve tenant-wide export and deletion, plus an admin-initiated full purge on request.
Third-party trackers
No advertising trackers, no participant behavioral profiling, no resale of any data. Only minimal first-party analytics are used to keep the product working.
Subprocessors
A current subprocessor list (cloud hosting, transactional email, AI gateway) is provided to Enterprise customers on request, with advance notice of material changes.
Full plain-text payload (what the Copy button copies):

Work Buddy Program — Security Review Summary
Vendor: Work Buddy Program (https://workbuddyprogram.com)
Last updated: January 1970

Product overview:
Work Buddy Program is a lightweight, room-scoped buddy-program tool used by HR, ERGs, onboarding teams, educators, non-profits, and large public-sector organizations. Each program lives at https://workbuddyprogram.com/r/{slug} as an isolated dataset. Participants join via a hyperlink and a chosen display name — no participant email or account is required. Facilitators authenticate; participants do not.

Transport:
All traffic to and from workbuddyprogram.com is encrypted in transit using HTTPS/TLS (TLS 1.2+). This covers page loads, API calls, real-time updates, and static asset delivery. HSTS is enabled, and HTTP requests are redirected to HTTPS.

Authentication:
Only facilitators authenticate (email + password or, on Enterprise, SAML 2.0 / OIDC single sign-on). Participants join through a per-room hyperlink and a chosen display name — there is no participant account, password, or email required. This removes the typical credential-stuffing and password-reset attack surface for the participant population.

Authorization:
Each program lives at /r/{slug} as a fully isolated dataset. Authorization is enforced server-side via row-level security in the backend database — not just in the UI. A request scoped to one room cannot read or write any other room's pairings, bingo activity, points, leaderboard, or connection map.

PII minimization:
Work Buddy Program is built to minimize personally identifying information. Participants never provide email addresses, phone numbers, or government IDs — they join with a display name only. Facilitators sign in with an email/password account (used to bind the room to them and to deliver lifecycle notifications such as inactivity warnings). On Enterprise, SSO identifiers from your IdP replace the email/password flow.

Data retention:
Free rooms are automatically deleted after 30 days of inactivity (no participant activity, no facilitator changes). Facilitators receive an email warning 7 days before deletion so they can resume activity or delete the room themselves. Activity is broadly defined: adding buddies, marking bingo, uploading photos, or any facilitator change resets the timer. Pro and Enterprise rooms persist for the life of the subscription. Enterprise customers can configure tenant-wide retention windows (e.g. delete rooms older than N days) and can request immediate deletion of any room or the entire tenant at any time.

AI use:
AI features are opt-in per room and can be disabled by the facilitator at any time (or disabled tenant-wide on Enterprise). When enabled, AI prompts operate only on the data inside that single room — never across rooms, never across customers. Outputs are summary-only (sentiment summaries, themes, participation aggregates) rather than verbatim user content surfaced to new audiences. Because participation is email-less by default, AI prompts contain no participant PII. All AI calls go through a managed gateway under no-training terms, so customer data is not used to train foundation models.

Hosting & backups:
Work Buddy Program runs on a managed cloud backend (managed Postgres + serverless compute). Customer data is encrypted at rest. Pro and Enterprise tiers include automated encrypted backups with point-in-time recovery. Infrastructure is hosted in major cloud regions and can be pinned to a specific region on Enterprise.

Export & deletion:
Facilitators can export the data for any room they own and can delete a room at any time, which removes pairings, bingo activity, points, the connection map, and any associated AI artifacts. Enterprise customers additionally get self-serve tenant-wide export and deletion through the admin console, plus an admin-initiated full data purge on request as part of offboarding.

Third-party trackers:
workbuddyprogram.com runs no third-party advertising or marketing trackers. There is no behavioral profiling of participants, no cross-site tracking, and no resale or sharing of customer or participant data with data brokers. The product uses only minimal first-party analytics required to operate and improve the service.

Subprocessors:
A current subprocessor list — covering cloud hosting/database, transactional email, and the AI gateway — is provided to Enterprise customers on request as part of the security packet. Material changes to the subprocessor list are communicated in advance to the tenant's designated security contact.

Tier overview:
• Free — Email-less participation, facilitator-account-bound rooms; auto-deleted after 30 days of inactivity with a 7-day warning email.
• Pro — Persistent cross-device rooms, cloud-backed storage with encrypted backups, role-based access within a room.
• Enterprise — SAML 2.0 / OIDC SSO, audit logs, configurable retention, self-serve export and delete, DPA / MSA / security questionnaire on request.

References:
• Full technical overview: https://workbuddyprogram.com/how-it-works
• Pricing & tiers: https://workbuddyprogram.com/pricing
• Contact for security packet & DPA: https://workbuddyprogram.com/contact

Need a DPA, MSA, subprocessor list, or completed security questionnaire? Contact us.

Our mission is to lower the barrier to high-quality networking inside and across departments — without asking IT to onboard yet another heavy tool, and without asking participants to hand over an email just to meet someone new.