Security

Last modified: Oct 4, 2021

Data center

Team O'clock is hosted on Heroku, one of the most well established and trusted PaaS, owned by Salesforce. Our data centers operate on the US region of Amazon Web Services, being accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate and Sarbanes-Oxley (SOX).

Learn more about Heroku security here.

Data encryption in transit and at rest

All internal or external service communications (including third parties, such as Slack, Microsoft Teams or Jira) are encrypted via SSL using TLS1.2+ protocols. Data is encrypted at rest with AES-256, block-level storage encryption.

Data sharing

Data sharing occurs when Slack or Microsoft Teams integration is enabled. Team O'clock is requesting for user account details, such as username, email and avatar, when users are using the integration. No Team O'clock data is shared with Slack or Microsoft Teams, unless for the data required for messaging the users as part of the integration, such as standup notes and retrospective action items.

Data retention

Application data is retained until the termination of the account. When a Team O'clock organization or user account is deleted, no data is retained. Server logs are retained for 7 days, with all personal data anonymized before storage. Audit logs, used for storing application actions, are retained for a year, with all personal data anonymized before storage.

User authentication

Users are authenticated through Slack, Microsoft or Google social logins, or by using passwordless email authentication. No passwords are stored on our servers. In the case of passwordless authentication, the user is sent an one-off expiring token to the provided email address, that can be used over a very limited amount of time in order to enter the platform.

Single Sign On (SSO)

Per organization SSO is not currently available and can be discussed upon request, however we support SSO through Slack, Microsoft and Google accounts.

Confidentiality

All employees are restricted by regulations to maintain confidentiality. Access to data is restricted, unless required in order to provide technical support.

Incident management

In the unfortunate event of security breach or unauthorized access to user data, the company will inform you within 72 hours, in compliance with GDPR.

Payments

All payments are processed by our subscription partner Paddle. No credit card information is stored on our servers.

Thank you

Special thanks to researcher Blackktech for helping us identify issues with our service.