| |
1. Architecture and Data Segregation |
Services operated and offered in cloud must reside in a multitenant architecture whereby Customer Data access can only be viewed based by authorization assigned by the company. It provides an effective logical data separation through unique Employee Identification that allows access the information based on role privileges. Data segregation has to be carried out by providing separate environments for different functions, i.e for testing and production.
This gives the power back to the customer, ensuring them that the data is only processed when instructed by the customer, throughout the entire chain of processing activities and compliance of the measures implemented has to be subject to audits.
| |
3. Audits and Certifications |
On at least an annual basis, all the offered services will have to go through security assessments by internal personnel that includes infrastructure vulnerability assessments and application security assessments.
All systems used in conveying the Offered Services inclusive of operating systems, log information to their respective application system log facility or a centralized syslog server (for network systems) will be kept in order to enable security reviews and analysis, and system and application logs will be kept for a minimum period of sixty (60) days.
| The offered Services made available through Internet Browser or Mobile App must have a variety of security features that are configurable. These controls include, but are not limited to the following: |
| |
| • |
User IDs as unique user identifiers to make sure that activities can be traced back to the individual. |
| • |
The use of reCaptcha Controls to challenge access after several consecutive failed login attempts. |
| • |
To terminate a user session after a period of inactivity. |
| • |
To control on password length. |
| • |
To match password complexity requirements. |
| |
6. Security Policies and Procedures |
| The Offered Services must be operated in line with the following policies and procedures to enhance security: |
| |
| • |
User passwords are kept using a salted hash format and are not transmitted unencrypted. |
| • |
User access log entries will be maintained, containing date, time, URL executed or entity ID operated on, operation performed (viewed, edited, etc.) and source IP address. Note that source IP address might not be available if NAT (Network Address Translation) or PAT (Port Address Translation) is used by a customer or its ISP. |
| • |
Logs will be stored in a secure centralized host to prevent tampering. |
| • |
Passwords are not logged. |
The Offered Services must be monitored for unauthorized intrusions using network-based intrusion detection mechanisms by the developer or the third party assigned for that task. The data collected by users' web browsers (e.g., device type, screen resolution, time zone, operating system version, browser type and version, system fonts, installed browser plug-ins, enabled MIME types, etc.) may be analysed for security purposes to prevent fraudulent authentications, and to ensure that the Offered Services function properly.
A provider needs to maintain security incident management policies and procedures, and notifies impacted customers without undue delay of any unauthorized disclosure of their respective Customer Data by the Developer or its agents of which the Developer becomes aware to the extent permitted by law.
All access to the Offered Services through Internet Browser, Mobile App or via API, demands a combination of a valid user ID and password which are encrypted via HTTPS while in transmission. After the authentication is successful, a random session ID is generated and stored in the user’s browser to preserve and track session state.
If the production data centers used to provide the covered Services is handled by an outside Services, get its Security Processe details known such as this: AWS Security Whitepaper.pdf
| |
11. Reliability and Backup |
All networking components, load balancers, Web servers and application servers are configured in a redundant configuration. All Customer Data submitted to the covered Services is stored on a primary database server with automated backup using point-in-time recovery features. All the Daily AMI backups will be retained for at least 2 days and weekly AMI backup will be retained at least one month.
The Offered Services’ production systems must be protected by a multi-tiered disaster recovery plan which provides for backup of critical data and services. A comprehensive system of recovery processes exists to bring business-critical systems back online within the briefest possible period of time. Recovery processes for database, security, systems administration, and network configuration and data provide a roadmap for personnel to make processes available after a service disruption.
The Offered Services will not scan for viruses that could be included in attachments or other data uploaded into the Offered Services by customers. Uploaded attachments are not executed in the Offered Services and therefore will not damage or compromise the online Offered Services by virtue of containing a virus.
The Offered Services must use industry-accepted encryption products to protect Customer Data and communications during transmissions between a customer's network and the covered Services, including 128-bit TLS Certificates and 2048-bit RSA public keys at a minimum.
| |
15. Return of Customer Data |
Customer Data submitted to the Offered Services shall be returned to Customer upon request.
| |
16. Deletion of Customer Data |
After termination of the Offered Services, customers can request deletion of Customer Data submitted to the Offered Services, and this process is subject to applicable legal requirements. Customer Data stored on the infrastructure for the Offered Services will be deleted accordingly.
Important: The following types of sensitive personal data may not be submitted to the OfferedServices: financial information (such as credit or debit card numbers, any related security codes or passwords, and bank account numbers); information related to an individual’s physical or mental health; and information related to the provision or payment of health care. For clarity, the foregoing restrictions do not apply to financial information provided to the developer for the purposes of checking the financial qualifications of, and collecting payments from its customers.
A developer may track and analyze the usage of the Offered Services for purposes of security and helping the developer improve both the Offered Services and the user experience in using the Offered Services.
A developer may share anonymous usage data with its service providers for the purpose of helping the developer in such tracking, analysis, and improvements. Additionally, the developer may share such anonymous usage data on an aggregate basis in the normal course of operating our business; for example, we may share information publicly to show trends about the general use of our services.
| |
19. Integration or Interoperation with Other Services |
A developer offered services may integrate or interoperate with other services provided by the developer or third parties. The developer also could provide on many platforms and features that allow the users to learn about the products, participate in communities, connect third party applications, and participate in pilots, testing and assessments, which are outside the scope of this documentation. Communication with users that participate in such platforms and features in a manner that must be consistent with the Privacy Statement. Additionally, the developer may contact users to provide transactional information about the offered Services; for instance, through the Account Manager or through system-generated email messages. The developer must offer customers and users the ability to deactivate or opt out of receiving such messages.
As a cloud-based system developer, TimeTec has fulfilled the requirements above with the key objective, to maintain customer’s trust. Security, Privacy and Architecture documentation for services provided by TimeTec is available in the TimeTec Cloud Website.
