Effective: February 2018
Protecting customer data is an essential and integral part of the services offered by actiTIME. Below, we outline our approach and the security measures used to keep our customer data safe and secure.
Company and Product Overview
actiTIME Inc. (actiTIME) is an international software company specializing in time and scope management systems. Since 2000, actiTIME has been committed to bringing actionable business data to enterprises, freelancers and solo entrepreneurs, driving business growth and delivering better business outcomes. Today, over 9000 customers in more than 70 countries use actiTIME products to record work hours, manage project scopes and keep everything on track with insightful data.
Product Infrastructure and Data Centers
- actiTIME develops, sells and services software solutions for business customers. actiTIME products are offered in two forms: self-hosted (on-premise) and online (SaaS).
- Self-hosted products are installed locally on customer-owned equipment by the customer's own personnel. The customer bears full responsibility for the security of the installation and of the application data.
- Online products are Java-based web applications provided on the SaaS model. They are hosted in data centers of Amazon Web Services (AWS), a cloud infrastructure provider.
- When delivering online products, actiTIME shares security responsibilities with its data center provider. actiTIME is responsible for technical maintenance, data protection and the overall security of the online application. Amazon Web Services is responsible for the underlying cloud infrastructure and its physical and network security.
- Geographically, data centers are located in the United States and Germany. Customers may specify their preference for storing their data in the U.S. or German data centers of Amazon Web Services.
actiTIME is committed to ensuring high levels of application security. Our protection scope includes data transfer, network configuration, and application-level access controls.
- Each end user of the application has a unique account associated with their email address and protected with a password. User passwords are stored in the customer's dedicated database only in hashed form; the application never stores the password itself.
- End users do not have administrative or root access to any portion of the technology stack of actiTIME products. Access is allowed only via the application layer (UI or mobile API). Access levels within the application are managed by customers through user-specific permissions.
- Firewall rules and access control lists are used to control network traffic and network access to the application.
- SSL/TLS encryption protects data in transit, whether users access the application from a web browser or from a mobile app. Access over plain HTTP is not permitted; an HTTPS connection is required.
- A record of events is kept in access logs.
- To ensure ongoing security and correct functionality of the application, actiTIME follows a regular update and patching cycle. Major releases of new functionality are issued once a year, and minor updates are released every 3-4 months. For online products, the update process is fully automated. Customers with self-hosted products are responsible for keeping the software current and installing updates.
- Code review is performed to eliminate security weaknesses and ensure high code quality of the application.
- To ensure higher levels of security, actiTIME has procedures in place to update the software components of the online application on a regular basis. The latest versions of Java, Tomcat and MySQL are used. Critical updates, such as security patches, are installed as soon as they become available.
Privacy and Data Security
- actiTIME may also collect business contact information in order to communicate with its customers and provide support as appropriate. These contact details may be used to send important service-related notices and inform users about any service changes or offerings. Users can opt out of this communication at any time.
- Each customer's data is segregated from other customers' data by using a separate database instance per customer.
- Customer data is never stored or transferred on any removable storage devices (e.g., thumb drives, CDs, external hard drives).
- In case of any data breach, actiTIME will notify the customer within 24 hours of becoming aware of such event, will investigate it internally and take reasonable steps to minimize any damage.
- To maintain data integrity and security, full backups are performed daily. Backup copies are stored within AWS data center facilities.
- Customers retain full control over their data with tools available in the application. A full copy of the company data in .sql format can be provided upon request.
- In the event of service termination or cancellation, all customer data can be completely removed from actiTIME hosting and backup facilities within 72 hours upon customer’s written request.
Cross-Border Data Transfers and Data Storage
- Data of European customers is processed and stored on servers located exclusively within the European Union (in Germany). actiTIME undertakes not to transfer any data of such customers outside the European Economic Area.
- Data of non-EU/EEA customers is processed and stored on servers located in the U.S. If you are an EU/EEA citizen working for a non-EU/EEA company, this means that your personal information will be transferred to the U.S.
- To be able to lawfully transfer personal data of individuals in the EU/EEA, actiTIME relies on compliance mechanisms offered by its data center provider, Amazon Web Services (AWS). Amazon Web Services is certified under the EU-U.S. Privacy Shield and adheres to its principles.
- If you do not want your personal information to be transferred to the U.S., you may contact actiTIME to arrange data storage on servers based in Europe.
Systems and Information Access Control
Access Policies and Procedures
- Access to corporate and production environments is strictly limited according to job role. Users are granted only the minimum access rights needed to perform their job function.
- Where possible, no staff member is granted full rights to any system. Network/server passwords are controlled by responsible IT specialists, and system passwords are assigned by the system administrator in the end-user department.
- Only a small group of authorized actiTIME staff members can access the data center environment and production servers. A person who is no longer affiliated with actiTIME loses access to all actiTIME servers within 24 hours. User accounts of terminated staff are promptly disabled and removed.
- Staff access to production servers is performed from a dedicated environment within AWS, over encrypted channels and using SSH keys.
- Access to customer data or production environments from any mobile computing devices (e.g., laptops, smartphones, or tablets) is prohibited through implementation of appropriate technical measures and internal policies.
- actiTIME staff members are required to use individual usernames and complex passwords, which must not be shared between users.
- Default passwords on all systems are changed after installation and changed periodically.
- Network/server supervisor passwords and system supervisor passwords are stored in a secure location in case of an emergency or disaster.
Monitoring System Access
- Access to the application web servers is logged, and all access events are available for later auditing.
- Intrusion detection is implemented where possible.
Corporate Offices - Physical Security
- Users must log out of or lock their workstations whenever they leave them, for any length of time.
- Session timeouts are set in accordance with industry best practices.
- All unused workstations must be switched off outside working hours.
- All servers are kept securely under lock and key.
- Access to the system console and server disk/tape drives is restricted to the authorized personnel only.
- The operating system is kept up to date and patched on a regular basis.
- Use of the Admin/Administrator/root accounts is kept to a minimum.
- Corporate servers may be used for internal needs only. All product infrastructure and customer data are hosted in the data centers of Amazon Web Services, which is responsible for the physical and environmental security of that infrastructure.
- Electrical equipment is connected according to the local codes and regulations.
- All servers and network equipment are fitted with UPS units that also condition the power supply. All UPS units are tested periodically to ensure their operability.
- All servers are equipped with special software to implement an orderly shutdown in the event of a total power failure.
Corporate Offices - Computer and Network Security
- Up-to-date virus scanning software is used regularly for the scanning and removal of suspected viruses on corporate file servers, workstations and other devices.
- Antivirus software is managed centrally by responsible IT staff.
- All removable media from external sources are virus-checked before use.
- All systems are built from original, clean master copies that have had write protection in place throughout. Only original master copies may be used until virus scanning has taken place.
- All removable media containing executable software (e.g., files with .EXE and .COM extensions) are write-protected wherever possible.
- Shareware is not to be used, as shareware is one of the most common infection sources. If it is absolutely necessary to use shareware it must be thoroughly scanned before use.
- New commercial software must be scanned before it is installed as it occasionally contains viruses.
- To enable data to be recovered in the event of a virus outbreak, backups are performed on a regular basis.
- Users will be notified of virus incidents. They are instructed to inform the responsible IT specialists immediately about any virus-related incidents or possible computer virus infection.
- All unused network points are deactivated when not in use.
- Users must not place or store any item on top of network cabling.
- Redundant cabling schemes are used where possible.
Acceptable Use of Corporate IT Assets
- Users must not use personal email accounts or access social networking websites for reasons unrelated to actiTIME business.
- Users must not download or distribute files from unauthorized or questionable sources, nor download non-work related files.
- Users are prohibited from sharing any sensitive work-related information on social media or other publicly accessible websites.
Security Audits and Risk Management
- Risk assessment is an integral part of all management and development processes in actiTIME.
- Prior to any significant changes in operational IT systems, a technical risk assessment is performed by the technical team. The functionality releases and changes are supported by rigorous testing before live release.
- In order to identify and mitigate potential security risks, actiTIME performs internal and external audits of system and application vulnerabilities on a regular basis. Upon review, security vulnerabilities and bugs are evaluated and patched in order of priority.
- actiTIME does not share results of internal and external audits with its potential and existing customers due to security and confidentiality concerns.
- Although actiTIME does not offer a service level agreement or guarantee any certain uptime, all efforts are taken to keep uptime and availability as high as possible.
- actiTIME uses cloud infrastructure which provides monthly uptime of at least 99.95%, as defined in the Service Level Agreement of Amazon Web Services. High availability of service is maintained through use of Amazon’s Availability Zones.
- Product architecture has been specifically designed to ensure scalability and resiliency of the application.
- In the event of any potential outages and disruptions of the service, actiTIME will make best efforts to minimize business impact for its customers.
- actiTIME maintains a disaster recovery plan, which covers backup, recovery and verification procedures. The defined Recovery Point Objective (RPO) is 24 hours, and the Recovery Time Objective (RTO) is 24 hours.
- actiTIME maintains an incident response plan for incident management and reporting. The plan contains policies on incident assessment, investigation and recovery, as well as measures to minimize potential damage.
- In accordance with the response plan, actiTIME maintains a staffed and trained Incident Response Team under CIO command. The response team is available 24/7 to respond to a security incident and to notify the affected parties.
- The incident response plan should be tested on a regular basis.
- While actiTIME has not undergone a full compliance certification, applications are developed and deployed with due awareness of, and in accordance with, industry best practices. actiTIME's data center provider, Amazon Web Services, is certified under ISO 27001 and SOC 1/2/3, aligns with NIST standards, and holds a number of other certifications.
- To ensure compliance with industry security standards, actiTIME Information Security Group members should monitor best practice methods through attending seminars, training, workshops and conferences, and seek to implement them where appropriate.
Employee Awareness and Responsibilities
- This Policy is reviewed and approved at least annually, and enforced by the actiTIME Information Security Group.
- All actiTIME employees, consultants, and subcontractors are required to read, accept and sign an NDA and the Policy. Access to the corporate and production environments is granted only upon completion of this process.
- All actiTIME staff members are responsible for identifying and reporting potential information security risks. Each and every information security incident must be immediately reported to the management.
- The Chief of the Information Security Group (CISG) is the owner of the Information Security Policy. The CISG is responsible for the review and approval of the Policy.
- In case of any questions in regard to this policy, please contact actiTIME security group:
Contact email: firstname.lastname@example.org
Contact phone number: +1 (877) 571 53 65