Security at TimeCamp

TimeCamp cares deeply about keeping our customers' and users' data secure. TimeCamp is certified for ISO27001 and complies with the requirements of GDPR.

Have questions or feedback?
Please don't hesitate to reach out to us at [email protected].



Cloud infrastructure

All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers. Our platform is built on Amazon Web Services. AWS provides strong security measures and is strong security measures.


The TimeCamp platform is built on AWS RDS, EC2. Our infrastructure is managed with Terraform templates, and all infrastructure changes go through our deployment process on GitHub and Jenkins. There is also a possibility to run TimeCamp on your own infrastructure, like a dedicated server on AWS in region selected by your company. Our implementation team helps with setting it up.

Network-level security monitoring and protection

We use Cloudflare in front of the application and our front-end assets to mitigate the risk of DDoS attacks.

Data encryption

Encryption in transit: All data that are sent to or from our infrastructure are encrypted in transit via industry best practices by using Transport Layer Security (TLS). You can check our SSLLabs reports for the app. Encryption at rest: Application data is stored in AWS RDS databases, which encrypts all data at rest.

Business continuity and disaster recovery plan

We do a regular backup of the application’s data and regularly attempt to restore the backup. That guarantees a fast recovery in case of disaster. All our backups are encrypted. TimeCamp does not manage a physical data center. Compute and storage failures are handled transparently by AWS. The lowest-level disaster that could affect the application would be the whole AWS region becoming unavailable.



We run automated vulnerability scans every week, in-depth security assessments twice a year, and do regular spot checks. We also monitor, log, and trace exceptions. We run automated traffic watchers which analyze all internal application communication, identify failures and attempted security breaches, and notify us in real-time. We collect and store logs to provide an audit trail of application activity (see audit logging below).

Security in the software development process

All dependencies are audited as part of our automated build process, which will discover any vulnerability. Every task is code reviewed for security vulnerabilities before it is merged, following security best practices and frameworks (OWASP Top 10, SANS Top 25).

Responsible disclosure

You can report any vulnerabilities by contacting [email protected] Please include a proof of concept with your submission. We will answer as quickly as possible and won’t take legal action if you follow the rules.
Coverage site: | Exclusions:


Access to infrastructure

2-factor authentication and VPN are required for access to our AWS accounts. Infrastructure in AWS, and databases, are accessed by using specially created profiles with limited permissions.

Access control and multi-tenancy

The TimeCamp application has strict access control checks, leveraging a permission-based access control mechanism. Our Products comply with the following information related security and monitoring procedures:

  • Documented and defined security standards and procedures
  • Employee confidentiality agreement
  • Verification of employees who have access to customer data
  • Access to information granted only to employees who need to work with customer data or host servers



TimeCamp is compliant with the General Data Protection Regulation (GDPR), including the right to be forgotten and data portability. The purpose of GDPR is to protect the private information about EU citizens and give them more control over their personal data. You are welcome to reach out to us at [email protected] for more details on how we comply with GDPR or have a look at our privacy notice

guarantee icon security


TimeCamp has been certified by ISOCERT for ISO27001 (the international gold standard for information security).