All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers. Our platform is built on Amazon Web Services, which provides strong security measures.
The TimeCamp platform is built on AWS RDS and EC2. Our infrastructure is managed with Terraform templates, and all infrastructure changes go through our deployment process on GitHub and Jenkins. TimeCamp can also be run on your own infrastructure, for example on a dedicated server on AWS in a region selected by your company. Our implementation team helps with setting it up.
We use Cloudflare in front of the application and our front-end assets to mitigate the risk of DDoS attacks.
Encryption in transit: All data sent to or from our infrastructure is encrypted in transit using Transport Layer Security (TLS), following industry best practices. You can check our SSLLabs reports for the app.
Encryption at rest: Application data is stored in AWS RDS databases, which encrypt all data at rest.
We back up the application’s data regularly and regularly test restoring those backups. That guarantees a fast recovery in case of disaster. All our backups are encrypted. TimeCamp does not manage a physical data center. Compute and storage failures are handled transparently by AWS. The lowest-level disaster that could affect the application would be the whole AWS region becoming unavailable.
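The two controls above (encryption at rest in RDS and encrypted, restorable backups) are the kind of thing a practitioner wants to verify continuously rather than trust once. The following is an added example, not TimeCamp's own code: a posture check that walks an RDS inventory shaped like the response of boto3's `rds.describe_db_instances()` and reports instances that are not encrypted at rest, have automated backups disabled or too short a retention, or are reachable from the internet. The sample inventory and the seven-day retention threshold are constructed assumptions for this example; in practice the dict would come from the live API call.

```python
"""Added example (not TimeCamp's code): audit an RDS inventory for
encryption at rest, backup retention and public exposure.

The input mirrors the shape of boto3's rds.describe_db_instances() response;
the sample inventory below is constructed for this example.
"""

# Constructed sample: what a describe_db_instances() call might return.
SAMPLE_INVENTORY = {
    "DBInstances": [
        {"DBInstanceIdentifier": "app-prod", "StorageEncrypted": True,
         "BackupRetentionPeriod": 7, "PubliclyAccessible": False},
        {"DBInstanceIdentifier": "reports-prod", "StorageEncrypted": True,
         "BackupRetentionPeriod": 0, "PubliclyAccessible": False},
        {"DBInstanceIdentifier": "legacy-test", "StorageEncrypted": False,
         "BackupRetentionPeriod": 3, "PubliclyAccessible": True},
    ]
}

MIN_BACKUP_RETENTION_DAYS = 7  # assumed policy threshold for this example


def audit_rds_instances(inventory, min_retention=MIN_BACKUP_RETENTION_DAYS):
    """Return {instance_id: [findings]} for every instance that fails a check.

    Instances that pass every check are omitted, so an empty dict means
    the whole inventory is compliant.
    """
    findings = {}
    for db in inventory.get("DBInstances", []):
        ident = db["DBInstanceIdentifier"]
        problems = []
        # Encryption at rest: RDS storage encryption is chosen at creation
        # time and cannot be switched on for an existing instance, so a
        # failure here means the instance has to be rebuilt from a snapshot.
        if not db.get("StorageEncrypted", False):
            problems.append("storage not encrypted at rest")
        # Backups: a retention period of 0 disables automated backups entirely.
        retention = db.get("BackupRetentionPeriod", 0)
        if retention == 0:
            problems.append("automated backups disabled")
        elif retention < min_retention:
            problems.append(f"backup retention {retention}d below {min_retention}d")
        # Exposure: a database reachable from the internet widens the attack surface.
        if db.get("PubliclyAccessible", False):
            problems.append("publicly accessible")
        if problems:
            findings[ident] = problems
    return findings


def is_compliant(inventory):
    """True when no instance in the inventory produced a finding."""
    return not audit_rds_instances(inventory)


if __name__ == "__main__":
    for ident, problems in audit_rds_instances(SAMPLE_INVENTORY).items():
        print(f"{ident}: {', '.join(problems)}")
```

Because the check takes a plain dict, it can run in CI against a saved inventory snapshot as well as against the live API; wiring it into the Terraform deployment pipeline the page describes would turn a missing `storage_encrypted` into a failed build rather than a later finding.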
We run automated vulnerability scans every week, in-depth security assessments twice a year, and regular spot checks. We also monitor, log, and trace exceptions. We run automated traffic watchers which analyze all internal application communication, identify failures and attempted security breaches, and notify us in real time. We collect and store logs to provide an audit trail of application activity (see audit logging below).
All dependencies are audited as part of our automated build process, which surfaces dependencies with known vulnerabilities. Every task is code reviewed for security vulnerabilities before it is merged, following security best practices and frameworks (OWASP Top 10, SANS Top 25).
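To make the "identify attempted security breaches and notify us" part of the monitoring paragraph concrete, here is an added example that is not TimeCamp's code: a small detector that reads application log lines and raises one alert per source address that accumulates a threshold of failed logins inside a sliding time window, which is a typical credential-guessing signal in an audit trail. The log line format, the sample lines, the `/api/login` path and the thresholds are all constructed assumptions for this example; unparseable lines are skipped rather than crashing the watcher, and lines are assumed to arrive in timestamp order.

```python
"""Added example (not TimeCamp's code): flag bursts of failed logins in
application log lines, as an automated watcher feeding an audit trail would.

Log format and sample lines are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line format: "<iso-timestamp> src=<ip> user=<name> status=<code> path=<path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"status=(?P<status>\d{3}) path=(?P<path>\S+)$"
)

# Constructed sample log lines (one unparseable line included on purpose).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice status=401 path=/api/login
2024-05-01T10:00:02Z src=203.0.113.5 user=alice status=401 path=/api/login
2024-05-01T10:00:03Z src=203.0.113.5 user=bob status=401 path=/api/login
2024-05-01T10:00:04Z src=203.0.113.5 user=carol status=401 path=/api/login
2024-05-01T10:00:05Z src=203.0.113.5 user=dave status=401 path=/api/login
2024-05-01T10:00:06Z src=198.51.100.7 user=erin status=200 path=/api/entries
2024-05-01T10:00:07Z src=198.51.100.7 user=erin status=401 path=/api/login
2024-05-01T10:03:00Z src=198.51.100.7 user=erin status=401 path=/api/login
garbage line that does not match
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed lines are skipped, never fatal for the watcher
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "src": m["src"], "user": m["user"],
            "status": int(m["status"]), "path": m["path"]}


def detect_failed_login_bursts(lines, threshold=5, window_seconds=60):
    """Return one alert per source that reaches `threshold` failed logins
    (HTTP 401 on /api/login) within any `window_seconds` span.

    Each alert is {"src", "count", "users", "first", "last"}; the list of
    distinct usernames is what distinguishes password spraying from a single
    user mistyping a password.
    """
    alerts = []
    recent = defaultdict(deque)   # src -> deque of (ts, user) inside the window
    alerted = set()               # sources already reported, to avoid alert storms
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] != 401 or ev["path"] != "/api/login":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        # Slide the window: drop events older than window_seconds.
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "count": len(q),
                "users": sorted({u for _, u in q}),
                "first": q[0][0],
                "last": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_LOGS):
        print(f"ALERT {alert['src']}: {alert['count']} failed logins "
              f"across users {alert['users']} between {alert['first']} and {alert['last']}")
```

On the sample data the first source trips the default threshold (five failures in four seconds across four usernames) while the second does not, because its two failures are almost three minutes apart; widening `window_seconds` is what would catch a slow, low-rate attempt, at the cost of more noise.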
You can report any vulnerabilities by contacting [email protected]. Please include a proof of concept with your submission. We will answer as quickly as possible and won’t take legal action if you follow the rules.
Coverage site: app.timecamp.com | Exclusions: www.timecamp.com
INTERNAL SECURITY POLICIES
Two-factor authentication and a VPN are required for access to our AWS accounts. AWS infrastructure and databases are accessed through dedicated profiles with limited permissions.
The TimeCamp application has strict access control checks, leveraging a permission-based access control mechanism. Our products comply with the following information-security and monitoring procedures:
TimeCamp is compliant with the General Data Protection Regulation (GDPR), including the right to be forgotten and data portability. The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. You are welcome to reach out to us at [email protected] for more details on how we comply with GDPR, or have a look at our privacy notice.
TimeCamp has been certified by ISOCERT for ISO 27001 (the international gold standard for information security).
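The "permission-based access control mechanism" mentioned under the internal policies above is easiest to reason about in code. The following is an added example, not TimeCamp's own implementation: a deny-by-default check in which each role carries an explicit set of permissions, and access to a time entry additionally depends on ownership or team membership, so holding a role is never enough on its own. The roles, permission names, `User` and `TimeEntry` shapes and sample data are all constructed assumptions for this example.

```python
"""Added example (not TimeCamp's code): deny-by-default, permission-based
access control with ownership and team scoping.

Roles, permission names and data shapes are constructed for this example.
"""
from dataclasses import dataclass

# Each role maps to an explicit set of permissions; anything not listed is denied.
ROLE_PERMISSIONS = {
    "member":  {"entry:read_own", "entry:write_own"},
    "manager": {"entry:read_own", "entry:write_own", "entry:read_team", "report:read"},
    "admin":   {"entry:read_own", "entry:write_own", "entry:read_team",
                "entry:write_team", "report:read", "user:manage"},
}


@dataclass(frozen=True)
class User:
    id: str
    role: str
    team: str


@dataclass(frozen=True)
class TimeEntry:
    id: str
    owner_id: str
    team: str


class AccessDenied(PermissionError):
    """Raised by require_entry_access when the check fails."""


def has_permission(user, permission):
    """True only if the user's role explicitly grants the permission.
    An unknown role yields an empty set, i.e. no permissions at all."""
    return permission in ROLE_PERMISSIONS.get(user.role, set())


def can_access_entry(user, entry, action):
    """Decide whether `user` may perform `action` ('read' or 'write') on `entry`.

    The role permission is combined with a scope check: owners need the
    *_own permission, team members need the *_team permission, and anyone
    outside the entry's team is denied regardless of role. Unknown actions
    are denied rather than mapped to a default.
    """
    if action not in ("read", "write"):
        return False
    if entry.owner_id == user.id:
        return has_permission(user, f"entry:{action}_own")
    if entry.team == user.team:
        return has_permission(user, f"entry:{action}_team")
    return False


def require_entry_access(user, entry, action):
    """Guard for request handlers: return the entry or raise AccessDenied."""
    if not can_access_entry(user, entry, action):
        raise AccessDenied(f"{user.id} may not {action} entry {entry.id}")
    return entry


if __name__ == "__main__":
    alice = User("u1", "member", "t1")
    eve = User("u3", "manager", "t2")
    entry = TimeEntry("e1", owner_id="u1", team="t1")
    print(can_access_entry(alice, entry, "write"))   # owner with entry:write_own
    print(can_access_entry(eve, entry, "read"))      # manager, but wrong team
```

Two design points matter for auditing such a mechanism: the decision function is pure and takes the subject, object and action explicitly, so every authorization path can be unit-tested without a web framework, and an admin from a different team is still denied, which is the scoping property a reviewer checking for horizontal privilege escalation wants to see.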