Here’s a description of our technical and organisation security measures that we use to secure Timetastic and protect your personal data.
Cyber Essentials accredited
Cyber essentials is a set of baseline technical controls laid out by the UK government. The requirements are specified under five technical control themes:
- Secure configuration
- User access control
- Malware protection
- Security update management
We are, and always will maintain this certification as a baseline for our IT controls.
Timetastic is hosted on Microsoft's Azure Cloud Platform. This places your data in their European data centres. At the time of writing we use both their UK South and UK West.
Encryption of personal data
Your data is encrypted at rest using Transparent Data Encryption.
Protecting data during transmission
Data moving through Timetastic services is encrypted in transit using an appropriate encryption technology.
When data is moving between you and Timetastic, everything is encrypted and sent securely using HTTPS. HTTPS is enforced with HSTS and we utilise HSTS so that the initial request to Timetastic is also secure.
Internal access controls
Our team doesn't have a reason to access or process customer data on a day to day basis. Processing is fully automated. It's only if there's a problem with an account or to help resolve a customer support question that we might need to access personal data.
All our team members have signed confidentiality undertakings and undergo GDPR training in respect of their roles.
We use role based access controls for staff and use two-factor auth on both internal apps and external services.
Resilience and availability
Timetastic is geographically spread and load balanced across multiple Azure data centres. It comes with extensive application and infrastructure monitoring. We maintain redundancy throughout our infrastructure in order to minimise the risk of low or slow availability or loss of data.
We use web application firewalls, rate limiting & DDOS protection to provide resilience and ongoing availability.
Timetastic is hosted and load balanced across the UK West and UK South regions in Azure. This setup provides continuous availability in case of an outage or issue in either data centre. The database is replicated between these regions, and backed up, to give us full resilience.
Timetastic is hosted within data centres provided by Microsoft Azure. As such, we take advantage of their physical, environmental and infrastructure controls.
Azure is accredited to ISO 27001 which covers and accredits their physical security controls.
User identification and authorisation
We suggest all users set up two-factor authentication in Timetastic to protect their account and data.
We also offer Single Sign-On (SSO) to access Timetastic with any of the main identity providers, including Microsoft 365 Active Directory or Google Workspace.
Only you, the client, can invite and remove users and apply permission levels in your account.
Testing, evaluating and assessing the measures
We automate a lot of tests that monitor our infrastructure to make sure it’s up and running 24/7. We also use an external service to monitor availability, you can see our current and historical availability on our status page.
We complete the Cyber Essentials accreditation each year as well as periodic penetration tests and are happy to work with security researchers.
All events are recorded in log files, therefore it’s possible to review when and by who personal data was entered, altered or deleted. We provide access to this information in the form of downloadable CSV files in Timetastic.
We use sub-processors to help deliver Timetastic, and sometimes this means transferring your data to a 3rd party, with data centres outside of the UK or EEA.
In all cases we make sure that an adequate level of data protection exists by assessing their security and having in place contracts based on the EU SCCs.
Data minimisation and retention
An important factor in data protection is to make sure we don’t collect and store any more data than needed to provide you with Timetastic. Every piece of data we collect and store must be backed up with a justifiable reason.
If personal data is no longer required it is deleted, either by you, the client, or by automated script when data hits its maximum retention period.
As an example, we only store customer support data for 12 months, an automated script deletes tickets that are 12 months old.
All of the data processed is provided by you (the data controller) or your end users (the data subjects). You'll find reporting tools within Timetastic to help you understand, validate, and if necessary correct the data.
Data portability and deletion
Timetastic has built-in backup and reporting tools that allow you to export your data in CSV format, and, if appropriate, permanently erase data.
We don't store debit/credit card information.
All our payments are processed through Stripe https://stripe.com/gb They are a PCI Service Provider Level 1 organisation. Using Stripe means we don't need to store your payment card details, they are sent encrypted direct to Stripe, we don't store them anywhere.
You can read more about security at Stripe here: https://stripe.com/docs/security/stripe
Reporting security problems
We're happy to work with security researchers, they're an important part of keeping the internet a safe place to work. We have a defined process for reporting security issues.
Security questions or concerns?
If anything here is unclear, gives rise for concern, or you just want to understand something, then reach out to our support team.