Upwork Secures Sensitive Data and Ensures CCPA Compliance in a Matter of Weeks with OvalEdge

CLIENT’S PROFILE

Upwork is a leading platform in the gig economy, connecting millions of freelancers and clients around the world. As such, the company manages a significant amount of sensitive user information, including full names, addresses, Social Security Numbers (SSNs), and payment details. 

Given its extensive data ecosystem and the strict privacy regulations it must adhere to, protecting user data and ensuring compliance is a top priority for the company.

CONTEXT

Upwork recognized its responsibilities around maintaining data privacy but faced multiple challenges due to limited visibility and a series of complex systems that made it difficult to locate PII. With data spread across 300+ sources, including AWS Glue, MongoDB, and SQL Server, the company required a comprehensive governance platform to enhance data discovery, classification, and compliance automation without disrupting its operations.

While Upwork was committed to adopting a comprehensive governance platform, a leading catalyst for this search was ensuring compliance with the California Consumer Privacy Act (CCPA), which became the top priority use case. 

WHY OVALEDGE

Upwork conducted several proof-of-concept trials with various vendors but ultimately discovered that none of them offered the full range of capabilities the company required. The most critical need was for data lineage and a broad suite of connectors to support their complex infrastructure. 
OvalEdge provided an effective solution to Upwork’s data governance challenges by:

1. Centralizing metadata from all connected data sources onto a single platform, giving the Upwork team a holistic view of all sensitive data.

2. Integrating with AWS Glue, MongoDB, SQL Server, and other environments.

3. Automating compliance workflows, particularly Data Subject Access Requests (DSARs), removing manual overhead. 

SOLUTION

OvalEdge was seamlessly deployed into Upwork’s operating environment, connecting to their data sources without disruption. The platform profiled all of Upwork's 300+ data sources to create a comprehensive catalog of metadata, offering a clear overview of stored information within a matter of weeks.

To start, there was an initial two-week exercise where all stakeholders utilized OvalEdge’s Data Asset Group (DAG) tagging system to classify data into PII and non-PII categories, ensuring a streamlined and efficient approach to data management. In addition, the system revealed more complex, contextual information, such as whether specific PII was part of a contractually signed agreement.

While this information is considered PII, in many cases, Upwork has a contractual obligation to retain it until the contract is fulfilled, even if deletion requests are made.

Privacy data tagging is an ongoing process. Jobs run daily, and when a new data element is identified, an alert is sent to the respective data owners, prompting them to review and classify the data as PII or non-PII into OvalEdge. Classification jobs are queued until they are completed.

In terms of data erasure, Upwork has implemented OvalEdge to automate the processing of Data Subject Access Requests (DSAR), including the right to delete and the right to know requests as mandated under CCPA compliance. Users can submit these requests through a tool called Central. By integrating this tool with the OvalEdge platform via APIs, Upwork has successfully automated the entire process. Once the data is identified through the APIs, the Upwork team can proceed to delete it, ensuring compliance is maintained.

OvalEdge’s AI engine suggests additional fields for protection based on metadata analysis, ensuring no sensitive data was overlooked. The AI engine runs weekly classification jobs to identify PII in new data elements, helping to expedite the classification and tagging process while significantly reducing manual effort.

Finally, by applying role-based access policies, Upwork now protects sensitive data by ensuring that only authorized personnel can access PII. Collectively, these solutions have enabled Upwork to comply with the various data privacy regulations that govern its operations.

OUTCOMES

With OvalEdge, Upwork quickly secured its sensitive data and achieved compliance with important privacy regulations within just a few weeks. The platform’s AI-driven classification tools ensured complete coverage of PII while reducing the manual effort required for data governance. 

Upwork has fully automated its data discovery process using OvalEdge's API and integration tools. By implementing fine-grained access controls, Upwork restricted access to sensitive data to authorized personnel only, significantly reducing the risk of data breaches. The advanced AI features of OvalEdge simplified the PII classification process and streamlined compliance efforts.

This streamlined approach not only ensured compliance but also reinforced user trust and strengthened Upwork’s data management framework for the future.

Now that the company’s core goals have been operationalized, Upwork continues to work with OvalEdge on use cases such as data discovery, lineage building, and the exploration of other data governance processes.