Security Policy

Table of Contents
IntroductionConfidentialityData encryptionService infrastructureAvailabilityLoggingSecurity practices in product developmentAccess to the ServiceChanges to this Policy

Introduction

When using our services, Customers are entrusting their data, including information about other individuals (i.e. personal data), into our care and it is one of our core duties to each Customer and Participant to ensure that appropriate measures are in place on our side for the protection of the personal data that are processed via the Service. This Security Policy (“Policy”) describes some of those measures. All capitalised terms used in this Policy and not otherwise defined herein have the meanings ascribed to them in our Terms of Service.

The rights and obligations of the Customer are determined separately in a Data Processing Agreement (DPA) between the Customer and us i.e., the parties' relationship in the context of the personal data processing.

Confidentiality

We place strict controls over our employees’ and contractors’ access to Relevant Data and are committed to ensuring that they are not seen by anyone who should not have access to them.

The operation of the Service requires that some of our employees (or the employees of our affiliated companies, subsidiaries, and/or sub-processors) have access to the systems we use for processing Relevant Data (e.g., in order to diagnose a problem you are having with the Service, we may need to access your Workspace, including its Relevant Data). These employees are prohibited from using their access permissions to view Relevant Data unless it is necessary to do so.

Data encryption

We transmit data over public networks using proper encryption. This includes data transmitted between our customers and the Service. Our systems support some of the most advanced commercially reasonable cipher suites to encrypt all data in transit, including (but not limited to) the use of TLS 1.2 protocols, AES256 encryption and SHA2 signatures (as supported by the customer).

Our database is encrypted at rest with AES-256, block-level storage encryption.

We monitor the changing cryptographic landscape and upgrade our cipher suite choices as the landscape changes.

Service infrastructure

The Service is hosted in data centres operated by industry-leading service providers who offer state-of-the-art physical and other protection for the cloud infrastructure underlying our Service user environment. These cloud providers are responsible for restricting access to the above infrastructure to authorised personnel only.

Each customer’s data are hosted in the public cloud resources allocated to us and segregated logically by the Service application. We use a combination of storage technologies to ensure that Relevant Data are protected from hardware failures and return quickly when requested.

Availability

Workspace Data (including Relevant Data) are stored redundantly at multiple locations in our cloud provider’s data centres to ensure availability. We have adequate backup and restoration procedures in place to allow recovery from a major disaster. WorkspaceData and our source code are regularly backed up and our operations team is alerted incase of a failure with this system. Backups are automatically tested daily and we perform full restore exercise periodically.

Logging

We maintain a logging system in our production environment for information concerning security, monitoring, availability, access and other metrics about the Service.

Security practices in product development

The secure practices are embedded into the whole product development cycle.

New features, functionality, and design changes go through the review process as defined by our SDLC. The security aspects are regularly reviewed internally. In addition, our code is audited by industry standard tools, tested and reviewed prior to being implemented to production environment.

Access to the Service

The Service, howsoever accessed, requires all users to authenticate, and users are granted unique identifiers for that purpose.

Changes to this Policy

We may revise this Policy from time to time to reflect changes to the Service, applicable laws, regulations or standards or other changes that may occur in our business. We shall post the revised Policy (or, as the case may be, a new security policy) on the same webpage where we published this Policy or on such other webpage as we then may habitually use for publishing materials such as the Policy. We may also use the Service, email or other means for notifying customers of such policy changes. The revised Policy (or, as applicable, the new one) will be effective when posted as described unless the document itself specifies a later time for its entry into force.

Last updated: July 1st 2023

More legal documents

FOR JOB CANDIDATES

Toggl Careers Privacy Statement