Security Measures

Information security is of paramount importance to TimeTap. We continuously develop our security systems, policies, and procedures to meet industry best practices.

Below is a summary of the technical and organizational measures employed by TimeTap in the course of providing our Cloud Service.

1. Physical Security

  • Processing occurs entirely on Amazon Web Services (AWS) infrastructure. This provides comprehensive physical security, and we take full advantage of the AWS facilities to support non-physical system security.
  • The Company premises have physical access control systems and are protected after hours by an externally monitored security system. The local computer network has multiple layers of network devices to protect against external threats.

2. System Security

  • The client accesses the Services via self-managed passwords (with restrictions on minimum length and special characters), with monitoring and notifications to the Company of break-in attempts.
  • API access requires a unique access key, which the Client can rotate and expire.
  • Client actions are audited, providing the basis for investigation as part of incident management.
  • Employee access to cloud infrastructure is controlled by two-factor authentication.

3. Security of Data

  • Transport Encryption - All communication with the Services is SSL encrypted.
  • At Rest Encryption – All customer data are encrypted at rest.
  • “Short Memory” Data Retention – Client Personal Data and the generated emails are delivered, then automatically and immediately deleted.
  • Email Security - Email is dispatched using transport layer security (SMTP TLS).
  • Processing of data and generated documents is geographically bound (either USA or EEA) within the region selected by the Client.
  • Data are stored in areas with role-based access and access by employees requires interaction with access-control systems.

4. Availability and Resilience

  • High Availability Architecture - Load balanced, high-performance, redundant and monitored 24/7.
  • Monitoring – Company uses publicly visible third-party systems to monitor the availability and performance of Services. Key API endpoints are monitored every 60 seconds with deep tests checking the contents of the generated test documents. Historical uptime results can be viewed here:
  • Strong Software Design - The service is engineered to survive multiple points of failure, degrade in a predictable manner and remain as operational as possible, even in the event of core system failures.
  • Backed up - Multiple independent backup systems in place providing case-specific recovery options.
  • Version Controlled – All software code is version controlled and can be reverted and restored on an as-needed basis.
  • Service Status – Minor software updates are performed as needed on the service. Status notifications are available here:
  • Clearly established Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO).

5. Regular Evaluation and Assessment

  • The company continually evaluates the security of its services to determine whether additional or different security measures are required.

6. Staff Practices

  • Employee access to infrastructure and data is limited to that necessary to execute the assigned roles. Data is stored in areas with role-based access.
  • Employees are required to read and sign a confidentiality agreement which explains the importance and sensitivity of Client Personal Data.
  • The Company provides ongoing training to employees on the importance of security and their compliance with the Company Password Policy and Acceptable Use of IT Policy.

7. Standards and Compliance

  • The company is committed to developing policy in line with industry security standards.
  • The company is developing its internal procedures and policies on its path to achieving SOC 2 certification.