Security at TimeCamp

All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers. Our platform is built on Amazon Web Services. AWS provides strong security measures and is strong security measures.

Hosting

The TimeCamp platform is built on AWS RDS, EC2. Our infrastructure is managed with Terraform templates, and all infrastructure changes go through our deployment process on GitHub and Jenkins. There is also a possibility to run TimeCamp on your own infrastructure, like a dedicated server on AWS in region selected by your company. Our implementation team helps with setting it up.

Network-level security monitoring and protection

We use Cloudflare in front of the application and our front-end assets to mitigate the risk of DDoS attacks.

Data encryption

Encryption in transit: All data that are sent to or from our infrastructure are encrypted in transit via industry best practices by using Transport Layer Security (TLS). You can check our SSLLabs reports for the app. Encryption at rest: Application data is stored in AWS RDS databases, which encrypts all data at rest.

Business continuity and disaster recovery plan

We do a regular backup of the application’s data and regularly attempt to restore the backup. That guarantees a fast recovery in case of disaster. All our backups are encrypted. TimeCamp does not manage a physical data center. Compute and storage failures are handled transparently by AWS. The lowest-level disaster that could affect the application would be the whole AWS region becoming unavailable.

APPLICATION SECURITY

Monitoring

We run automated vulnerability scans every week, in-depth security assessments twice a year, and do regular spot checks. We also monitor, log, and trace exceptions. We run automated traffic watchers which analyze all internal application communication, identify failures and attempted security breaches, and notify us in real-time. We collect and store logs to provide an audit trail of application activity (see audit logging below).

Security in the software development process

All dependencies are audited as part of our automated build process, which will discover any vulnerability. Every task is code reviewed for security vulnerabilities before it is merged, following security best practices and frameworks (OWASP Top 10, SANS Top 25).

Responsible disclosure

You can report any vulnerabilities by contacting security@timecamp.com Please include a proof of concept with your submission. We will answer as quickly as possible and won’t take legal action if you follow the rules.
Coverage site: app.timecamp.com | Exclusions: www.timecamp.com