Data Encryption
Critical data like passwords and credit card details are never stored in Time Analytics. We use third-party tools like Stripe to store credit card details and a one-way hashing algorithm (Bcrypt) to store passwords.
SSL encryption
All communication between the server and the client (browser, mobile, and desktop) is encrypted by using SSL encryption (HTTPS). The SSL certificate is issued by Let’s Encrypt.
Third-party access
We do not have any third-party having access to our system. In certain cases, subprocessors may be required to access personal data, which is granted only when necessary.
Backups
We back up data every day, and the backup is kept for a period of one week before it is removed.
Deployment Location
Time Analytics uses AWS data centers in the EU west zone. The services and data are hosted in Amazon Web Services (AWS) facilities (eu-west-2a) in Europe (United Kingdom).
Hosting of the SaaS application is in a Privacy Shield Certified or ISO 27001 certified data center.Amazon Web Services ISO 27001 Compliance – Amazon Web Services (AWS)
https://aws.amazon.com/compliance/iso-27001-faqs/
Security Incidents
In an event of a disaster, our automated backups are available for 7 days.
We have monitoring and alarms set up. We are notified when suspicious activity occurs.
Data processing
We will process the personal data of customers employees/representatives for our own purposes such as marketing communication, only for internal features and releases. These options can be turned off in the user’s settings.
Any personal data we process on the customer’s behalf will be limited to what is requested.
We will use the Processed Data of the customers for:
• Providing the Service,
• Improving or otherwise modifying the Service and notifying Data Subjects thereof,
• Adapting the Service’s content and/or layout according to the Data Subject’s needs,
• Responding to the Data Subjects’ communications and contacting them,
• Performing Supplier’s obligations towards the Data Subject,
• Enforcing Supplier’s rights in accordance with the Terms of Service
Personal Data Breach
If a personal data breach occurs, the controller will notify the competent supervisory authority in accordance with Article 55. This shall be done without undue delay and, if possible, not later than 72 hours after the discovery of the breach. The exception comes in if the personal data breach is not likely going to cause a risk to the freedom and rights of natural persons. If the notification is not sent to the supervisory authority within 72 hours it will arrive with the reasons for the delay.