Security

Last Updated:  January 15, 2021

Data Center Security

All TimeForge data and servers are stored in data centers owned and operated by SSAE 16 SOC‐1 Type II compliant operators. Backups are made offsite to both Amazon’s AWS and Microsoft’s Azure SSAE 16 data centers. Data center security measures include the following:

Physical Security

  • Access control lists for all personnel allowed to enter the building and work on equipment.
  • Pictures and security badges for all personnel.
  • Indoor and outdoor digital video surveillance, with all digital video archived.
  • On‐site tickets required to be opened before arrival.
  • Government‐issued photo identification required to be presented by all attendees upon arrival for a visit.
  • TimeForge servers reside in a locked cage or fully contained suite environment. Access is granted to the cage or suite either by biometric reader or keys that are retained by data center operations personnel.
  • All equipment brought off‐site and/or removed off‐site is inventoried.
  • There are no exterior windows on the data center floor.
  • 24‐7 roaming security to inspect all critical interior and exterior areas of the data center.
  • Data center physical controls are validated on an ongoing basis.

Network and Internet Security

  • All unused network ports on all switches and firewalls are disabled.
  • Wireless LANs (WLANs) are not permitted or connected to the data center environment.
  • All connections to and from the Internet traverse redundant traditional and web application firewalls for monitoring and logging of irregular traffic.
  • Only application‐required ports are opened on the firewall from the Internet and to or from DMZs and internal network segments.
  • All customer transmissions traversing the Internet are encrypted using SSL or SSH encryption. Some data elements (such as social security numbers, passwords, security phrases) are encrypted at rest. Most data elements are unencrypted.
  • Port and vulnerability scans to any network device are investigated unless initiated by TimeForge personnel.
  • Vulnerability scans are run regularly by TimeForge personnel and third‐party security vendors in order to identify security risks.

Security Tools and Systems

  • Firewalls are located at network ingress / egress points as well as between network segments of varying security levels and functions.
  • In addition to standard stateful inspection firewalls, application‐level firewalls are deployed to protect against application and database specific attacks.
  • Internal vulnerability scans are performed periodically by the Security team and third‐party vendors to proactively identify and remediate any security vulnerabilities in the environment.
  • Configuration monitoring software is enabled to monitor for and prevent unauthorized changes to critical network components.

Environmental Health Monitoring

TimeForge utilizes a combination of commercial and custom products to monitor the health of the applications and hardware in the SaaS environment and sends alerts to the applicable personnel on a 24x7x365 basis if an issue is identified.

These products use both an agent and agentless configuration to monitor and collect data using a variety of protocols to determine the performance of the SaaS environment. In addition, TimeForge monitors application uptimes and services for outages or delays every 1 to 5 minutes, both internally and externally.

Data Portability

Within 90 days of cancellation, by either party, TimeForge will make available all schedules, time/off and availability changes, employee data, sales data, and attendance information in a CSV format.

Authentication and Passwords

Users are authenticated against the TimeForge servers using salted and hashed passwords, over an SSL (https) connection. Mobile application access uses industry standard tokens for authorization. Optional Single Sign On (SSO) can be configured to utilize the customer’s existing username and password functionality. SSO supports SAML 2.0 and allows the customer to specify their own password policies within the customer’s own environment.

Backup and Recovery

As your SaaS provider, TimeForge wants to assure you that keeping your data secure and available is our top priority.

  • Data is backed up onto highly available redundant storage units both onsite and offsite for maximum data protection. In the event of an extended outage, data can be restored from either location. Data is backed up locally and also replicated in real‐time to a redundant cluster within our data center.
  • Backup storage units are monitored on a 15‐minute basis to ensure accurate performance and data integrity.
  • Recoveries are done weekly onto staging / test systems to ensure that data integrity is maintained.
  • Database backups include real‐time replication with Point In Time Recovery and nightly backups.

Business Continuity

  • The standard SaaS offering includes a business continuity plan that allows customers to continue to run payroll operations in the unlikely event of an extended outage at one of our data centers. This will allow access to a scaled down version of the TimeForge system to run critical payroll functions.
  • The servers for the business continuity environment are located within Amazon’s AWS infrastructure.
  • In the unlikely event of an extended outage, TimeForge commits to having the business continuity environment available for customer use within 24 hours of the declared outage (Recovery Time Objective is 24 hours).

Maintenance Windows

  • TimeForge performs daily recurring system maintenance between 1am and 5am Central Time, not to exceed 16 hours per month. Where possible, individual machines in the cluster are worked on independently, so that no external outages are discovered or noticed. Customer could experience intermittent connectivity during this time period.
  • TimeForge performs extended system maintenance as required monthly on either Saturday or Sunday from 12am until 6am Central Time. Customer may experience intermittent connectivity during this time period. This extended system maintenance may be utilized to perform patch management to core operating systems. Advance notification of extended maintenance will be provided via the TimeForge Blog and the TimeForge Messaging System (sent to all users).
  • TimeForge performs application enhancements and upgrades as required on either Tuesday, Saturday, or Sunday from 12am until 4am Central Time. Customer may experience intermittent connectivity during this time period.
  • TimeForge performs emergency maintenance as required and when necessary. Depending on the type of emergency maintenance, customers may experience intermittent connectivity or may be restricted from accessing the software during this period. Where possible, TimeForge will provide advance notification.

Service Level Objective

TimeForge’s service level objective for the SaaS environment is a minimum of 99.5% uptime, as measured over each single (1) calendar month. The service level objective is exclusive of the activities that take place in the maintenance window described above.