Here's a rundown of what has changed at Timetastic over the last few months, driven by GDPR:
Please note this is a live document and is regularly updated as we move towards 25th May 2018.
If you are conducting your own GDPR assessments then please also read this article on GDPR.
Changes to date
We have always used hashing to store passwords, but the introduction of GDPR forced us to look further, so we introduced full encryption at rest for the databases using Transparent Data Encryption (TDE).
Keep me logged in
We used to store a cookie automatically on users' machines to keep them logged in. We switched that off and instead implemented a 'keep me logged in' option on the login form, so a persistent cookie is only set when the user chooses it.
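As an added illustration of that change (example code, not Timetastic's own), the following separates the default session cookie from an opt-in persistent one; the cookie name, the 30-day lifetime and the in-memory token store are assumptions.

```python
import hashlib
import secrets
import time
from typing import Optional

# Assumed values for the example, not Timetastic's configuration.
COOKIE_NAME = "auth"
REMEMBER_ME_TTL = 30 * 24 * 3600  # bounded lifetime for opt-in persistent logins

# Server-side store: sha256(token) -> (user_id, expiry-or-None).
# Only the hash is kept, so a leaked table does not yield usable cookies.
_store: dict = {}


def _key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_login_cookie(user_id: str, keep_logged_in: bool, now: Optional[float] = None) -> dict:
    """Create a login token and describe the Set-Cookie attributes for it.

    Without opt-in the cookie is a session cookie (no Max-Age), so the browser
    discards it when closed. With opt-in it gets a bounded Max-Age instead.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, never a user id
    expiry = now + REMEMBER_ME_TTL if keep_logged_in else None
    _store[_key(token)] = (user_id, expiry)
    attrs = {"name": COOKIE_NAME, "value": token, "Secure": True, "HttpOnly": True, "SameSite": "Lax"}
    if keep_logged_in:
        attrs["Max-Age"] = REMEMBER_ME_TTL
    return attrs


def header_value(attrs: dict) -> str:
    """Render the attributes as a Set-Cookie header value."""
    parts = [f"{attrs['name']}={attrs['value']}"]
    if "Max-Age" in attrs:
        parts.append(f"Max-Age={attrs['Max-Age']}")
    parts += ["Secure", "HttpOnly", f"SameSite={attrs['SameSite']}"]
    return "; ".join(parts)


def user_for_cookie(token: str, now: Optional[float] = None) -> Optional[str]:
    """Look up the user for a presented token, rejecting expired persistent ones."""
    now = time.time() if now is None else now
    entry = _store.get(_key(token))
    if entry is None:
        return None
    user_id, expiry = entry
    if expiry is not None and now > expiry:
        _store.pop(_key(token), None)  # drop the stale record on first use
        return None
    return user_id
```

In a real deployment the server-side store would also expire session entries after an idle period rather than keeping them indefinitely.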
To increase the security of Timetastic we've started using a service called Cloudflare. Cloudflare helps speed up Timetastic while also helping to protect against denial-of-service attacks, customer data compromise and abusive bots: https://www.cloudflare.com/security/.
We spotted that our existing employee contracts didn't contain a confidentiality clause covering client data. That's been rectified; all staff have since signed a dedicated Confidentiality Agreement.
Terms and Conditions
We updated these on 20th April 2018 to include the specific requirements laid down in Article 28 of the GDPR.
To help identify any security and vulnerability issues, we'll now be conducting security scans using professional web security software at least once every 6 months.