Security at TimeZest

Everything you need to know about how we keep TimeZest secure.

Jason Langenauer avatar
Written by Jason Langenauer
Updated over a week ago

TimeZest uses industry-standard practices to ensure that your data, and the data of your clients is always secure. We have been audited by a third-party specialist auditor, and our security controls comply with the requirements of the AICPA SOC 2 Type I certification. The audit report can be supplied on request.

We don’t publicize all of the security measures we take, but some of the ones we can talk about are listed here.

Secure Hosting

TimeZest’s servers are hosted (via Heroku) in the Tier 1 data centers of Amazon Web Services (AWS). AWS is an ISO27001-certified hosting provider, with extensive physical, biometric and software access control to the physical servers on which TimeZest runs.

For further information:

Encryption at Rest

All disks used by TimeZest, both for long-term & database storage, as well as temporary data storage are encrypted at rest.

Application-level encryption

Certain types of particularly sensitive data, such as API keys and OAuth credentials, are stored with an additional level of encryption which prevents their disclosure even in the unlikely event our database is compromised. These credentials are encrypted using industry standard AES-256 encryption.

Secure Secret Distribution

Our hosting provider provides a secure mechanism for delivering secrets (such as API Keys, encryption keys and client secrets) to the production instances of our application. We do not store any such credentials with the application source code.

Automatically updated operating systems and software

TimeZest automatically updates the operating system and application software used on our servers as improvements are made and any security problems are fixed.

Static Security Analysis

Every line of code in the TimeZest application undergoes Static Analysis Security Testing (SAST) with each commit to detect potential security issues.

Code Reviews and Automated Testing

All code is reviewed by another engineer prior to be merged into our product, and is subject to comprehensive automated unit, functional and integration testing.

Automated dependency monitoring

We use automated tools to monitor any libraries and software dependencies we use against databases of known security issues and CVE notices.

Anti-SQL Injection measures

TimeZest is built using a widely-used application framework which contains in-built support for bound query parameters. Further, our coding guidelines prohibit any direct manipulation of SQL statements as strings.

Anti-XSS Protection

Our application framework as well as our frontend framework contain automated protection against XSS attacks through automated escaping of any displayed data.

HTTPS always

All communication between your browser, our CDN, TimeZest’s servers and the APIs we access are conducted over encrypted protocols such as HTTPS.

Automated Security Scanning

TimeZest's environments are automatically and regularly scanned for vulnerabilities using an external commercial vulnerability scanner.

Strict Access Limits

Access to production environments and customer data is strictly limited to a small number of TimeZest employees who require access to it. Our policies prohibit the copying of customer data for any purpose to outside our production environment.

Mandatory MFA

TimeZest uses Multi-Factor Authentication (MFA) for the services we rely on to provide TimeZest to drastically reduce the risk of account compromise and takeover.

2FA for Administrators

TimeZest administrators can use 2FA to protect their accounts, and this can be required on an organization-wide basis.

Responsible Disclosure

TimeZest values the input of independent security researchers in highlighting any vulnerabilities in TimeZest. If you have discovered a potential security vulnerability, we encourage you to report it to [email protected]. TimeZest will respond to your report within 2 business days.

TimeZest does not presently operate a bug bounty program, and unfortunately cannot offer any rewards for vulnerabilities found.

Please act responsibly in dealing with your discovery of any identified security vulnerability. Do not take any actions that go beyond what is needed to identify and verify the issue. Please do not use the identified security vulnerability to your own advantage and avoid storing any confidential data obtained as a result of the issue.

Have other questions regarding our security practices? 

Please write us at [email protected].

Did this answer your question?