App security is a huge area. Keeping your personal information safe and Timetastic up and running means data security touches pretty much everything we do here at Timetastic.
We can't explain every security measure; doing so would itself compromise security. What we can do is explain the big things, the basic building blocks of good security.
Your data is sent using HTTPS and encrypted at rest.
When your data is moving between you and Timetastic, everything is encrypted and sent securely using HTTPS. We also encrypt your data at rest using Transparent Data Encryption.
We host on Microsoft Azure
Timetastic is hosted on the Microsoft Azure cloud platform. This places your data in their European data centres. At the time of writing we use their UK South and UK West regions as primary and North Europe (Ireland) for backups.
Using Azure means we take advantage of their rigorous security standards and resilience: servers and firewalls are always up to date. You can read more about their specific standards and procedures here: https://azure.microsoft.com/en-gb/support/trust-center/
We don't store your debit/credit card information.
All our payments are processed through Stripe (https://stripe.com/gb). They are a PCI Service Provider Level 1 organisation, the most stringent certification level available in the payment industry.
Using Stripe means we don't need to store your payment card details: they are sent encrypted directly to Stripe, and we don't store them anywhere.
You can read more about security at Stripe here: https://stripe.com/docs/security/stripe
Your passwords are hashed
We hash your passwords using a PBKDF2-based function, but that's no reason not to create a strong password in the first place.
We encourage you to understand what makes a strong password, to educate your employees on it, and to use strong passwords accordingly. You can test the strength of a password here: https://lowe.github.io/tryzxcvbn/
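To show what "hashed with a PBKDF2-based function" means in practice, here is an added example of salted PBKDF2-HMAC password storage and verification. It is illustrative code written for this page, not Timetastic's own implementation; the iteration count, digest, salt size and record format are assumptions, chosen to match current public guidance rather than anything the page states.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example (not Timetastic's published settings).
ALGO = "sha256"          # PBKDF2-HMAC-SHA256
ITERATIONS = 600_000     # work factor; raise it over time as hardware gets faster
SALT_BYTES = 16          # a fresh random salt per password defeats precomputed tables


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_<algo>$<iterations>$<salt>$<hash>.

    Storing the parameters with the hash lets you raise the work factor later
    and still verify old records.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_" + ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt and parameters and compare in constant time."""
    try:
        scheme, iters, salt_b64, hash_b64 = stored.split("$")
        if not scheme.startswith("pbkdf2_"):
            return False
        algo = scheme[len("pbkdf2_"):]
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
    except (ValueError, TypeError):
        return False  # malformed record: never crash, never accept
    candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking where the first mismatching byte is via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record uses an older scheme or a lower work factor than current policy."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_" + ALGO:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Correct horse battery staple", record))
    # Same password, different salt, different record: no two users share a hash.
    print("salts differ:", record != hash_password("correct horse battery staple"))
```

The check that matters on login day is needs_rehash: when a user authenticates successfully against a record with an old work factor, rehash the password with the current parameters and replace the record, so the whole user base migrates as people log in.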
Please use 2FA
Passwords get compromised; it's a fact.
We encourage you to set up two-factor authentication in Timetastic to protect your account and data.
It's fairly easy, you just need a smartphone with one of the many authenticator apps installed.
For advanced security we also offer Single Sign-On.
We employ a small, tight-knit team at Timetastic. We do a full background check before employing anyone, and all staff are required to sign confidentiality agreements relating to personal data.
We do not outsource any core development work, and while we do use freelancers for some work, none of them have access to client/personal data.
Keeping your data secure
Keeping customer data safe is a huge responsibility and our top priority. We work hard to protect our customers' data from the latest threats. This is not a one-time effort; it's a continual process that we monitor and work on.
Security issues come to light through different means and activities: articles in the technical press, discoveries during routine work, and our internal reviews and vulnerability scans.
How we deal with security issues
When we discover a security threat we follow this process:
1. Understand the nature of the threat.
2. Assess the risk of the threat to our customers' data, bearing in mind the likelihood of a breach and the impact of a possible breach.
3. Scope the work required to mitigate or eliminate the risk.
4. Prioritise any work according to the results of this risk assessment.
5. Once the issue is resolved we’ll post an update on our changelog here:
Reporting security problems
Send all security concerns directly to us from the help centre contact form.
We'll get back to you as soon as we can; usually this will be within 2 hours on weekdays, but we do check in at weekends too. Feel free to tweet us too: https://twitter.com/timetastic