Effective date: 12 September 2025
When you use our services, you are entrusting your data, which includes information about other individuals (personal data), into our care. It is one of our core duties to ensure that specific, robust, and verifiable measures are in place to protect the information processed when using Toggl Services.
We believe trust is earned by demonstrating competence. This Policy outlines the specific controls and processes you can expect from us, providing a basis for that trust.
We architect our systems for high availability and defense-in-depth. This means we implement layered defenses and tested recovery plans to ensure service continuity and data protection against a wide range of threats.
The main objective of this Policy is to define and communicate the tangible measures that ensure the three pillars of information security, known as the CIA triad:
To systematically manage security, Toggl maintains an Information Security Management System (ISMS) certified against the international standard ISO/IEC 27001:2022. This is not just a badge; it is a commitment to a continual cycle of risk assessment, implementation, monitoring, and improvement, audited annually by an independent third party. We adhere to the latest 2022 version of the standard because it directly addresses modern security challenges. It mandates specific controls for areas like Threat Intelligence, Cloud Security, and Secure Coding, reflecting the current technological landscape.
Toggl is committed to upholding the highest standards of data protection and privacy for our global customer base. We make every effort to ensure our practices are compliant with major international data protection laws. This includes, but is not limited to, the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). We value certifications as a clear benchmark of our security and privacy posture. In addition to our existing ISO 27001:2022 certification, we are actively pursuing other relevant attestations, such as SOC 2 Type 2, to provide further assurance to Customers.
Furthermore, we are fully aligned with the principles of the EU Data Act, which promotes fairness in the digital environment and empowers users with greater control over their data. For our customers, this means we are committed to ensuring you can easily access the data you generate through our Services, securely share it with other providers, and switch between services without technical or contractual barriers. This commitment supports a more competitive and innovative ecosystem where you remain in control of your information.
Organizational controls are the documented policies and formal processes that govern our entire security program. They translate our security philosophy into actionable rules and responsibilities, ensuring a consistent and auditable approach to risk management.
Hierarchy of Policies: We maintain a comprehensive set of security policies. They are supported by topic-specific policies (e.g., Acceptable Use Policy, Code of Conduct, Incident Management Policy, or Software Development Life Cycle Policy) that provide detailed rules for specific domains. All policies are reviewed at least annually, or upon significant changes to the threat landscape or the business, and are approved by our Top Management.
Defined Security Roles: We have appointed an ISMS Officer with overall responsibility for the ISMS. Our security responsibilities are formally assigned across a multi-layered governance structure. The CEO, Supervisory Board, and the Management Team provide executive oversight. Strategic management of the ISMS is handled by the Information Security Governance Team. The technical execution and daily security operations are the responsibility of our SecOps (IT) team. We also assign specific roles, such as Asset Owners for key data and systems, who are accountable for classification, access rights, and risk assessments related to their assets.
Segregation of Duties: We enforce segregation of duties to prevent any single individual from having end-to-end control over a critical process. For example, the developer who writes code cannot be the one who approves its deployment to production. Similarly, a request for privileged access requires approval from a different individual than the one who implements it.
Comprehensive Asset Inventory: We maintain a central asset inventory that tracks all hardware, software, cloud services, and key data repositories. Each asset is assigned an owner, a classification level, and is linked to relevant risk assessments. The inventory is updated upon asset provisioning and decommissioning and is verified regularly.
Data Classification Scheme: We use a four-tier data classification scheme based on the impact of a confidentiality, integrity, or availability breach.
Rigorous Supplier Vetting: Before engaging any supplier that will handle data on our behalf, we conduct a due diligence process that includes a legal, privacy, and security review of their terms and policies or independent certifications (e.g., ISO 27001, SOC 2). Security requirements are then embedded into legally binding contracts.
Cloud Security Governance: We maintain a formal policy for the use of cloud services. This includes defining the shared responsibility model with our cloud provider, establishing secure configuration baselines for all our cloud resources and continuous monitoring for misconfigurations.
ICT Supply Chain Risk Management: We conduct a thorough security risk assessment of all potential suppliers prior to engagement and will not onboard those who present an unacceptably high risk. Following engagement, we continuously monitor and reassess supplier risk to ensure ongoing adherence to our security standards.
Actionable Threat Intelligence: We subscribe to multiple threat intelligence feeds. We process this intelligence to identify relevant threats, vulnerabilities, and attacker tactics. This information is used to update our firewall rules and to inform our risk assessments and security awareness training.
Independent Security Reviews: Our ISMS is subject to annual internal audits performed by a qualified independent team, as well as an annual external audit by an accredited certification body to maintain our ISO 27001 certification. We also commission independent penetration tests at least annually and after any major architectural changes.
Business Continuity and ICT Readiness: We maintain detailed Business Continuity and Disaster Recovery plans. Our infrastructure is designed for resilience, using multiple availability zones within our cloud provider. We conduct annual disaster recovery tests in which we verify our Recovery Time Objectives and the effectiveness of our Business Continuity and Disaster Recovery plans.
We recognize that security is a human endeavor. Our people controls are designed to ensure that our team members are screened, trained, and equipped to be a strong defense against security threats.
Contractual Obligations: All of our contracts include explicit clauses on information security responsibilities, a commitment to adhere to security policies, and a signed Non-Disclosure Agreement (NDA).
Formal Offboarding Process: When a staff member leaves, a formal offboarding process is executed. This includes the immediate revocation of all physical and logical access rights on their last day and a documented process for the return of all company assets.
Disciplinary Process: We have a formal, documented disciplinary process for security policy violations, with sanctions ranging from warnings to termination, depending on the severity and intent of the violation.
Security Training: All new hires undergo mandatory security awareness training during onboarding. All employees must complete annual refresher training. To complement this, we empower everyone with a dedicated professional development budget. Our staff can select training to enhance their competencies in their specific field, including specialized areas of information security relevant to their role.
Clear Incident Reporting Channels: We provide a simple, clearly communicated process for employees to report suspected security events or weaknesses, with a "no-blame" policy to encourage prompt reporting.
The operation of the Service may require certain staff members to access the systems we use for processing customer data (for example, to diagnose a problem you are experiencing). These staff members are prohibited from using their access permissions to view your data unless it is strictly necessary, and all such access is logged.
While our operations are primarily digital, and Toggl is a fully remote organization, we enforce robust physical security controls at the data centers and offices of our providers to protect the underlying infrastructure.
Data Center Security: Our services are hosted in top-tier, ISO 27001- and SOC 2-certified data centers. These facilities feature multi-layered physical security, including 24/7 on-site security personnel, biometric access controls, video surveillance, and secure perimeter fencing.
Physical Security Monitoring: Our providers’ data centers are continuously monitored with interior and exterior video surveillance and intruder alarm systems. All access, including by authorized personnel, is logged and audited.
Environmental Protection: Data centers are equipped with redundant power (UPS and diesel generators), climate control systems to maintain optimal temperature and humidity, and advanced fire detection and suppression systems.
Clear Desk and Screen Policy: We enforce a policy requiring Toggl team members to lock their screens when away from their desks and to secure sensitive documents and removable media when working remotely.
Our technological controls are the specific hardware and software configurations that form the core of our defense-in-depth strategy. They are designed to prevent, detect, and respond to cyber threats, as well as to enforce the principle of least privilege, ensuring our team members and vendors have only the minimum access required, protected by strong authentication.
Service Authentication: Access to the Service, by whatever means it is accessed, requires all users to authenticate. Each user is assigned a unique identifier for this purpose.
Role-Based Access Control: Access is granted based on roles tied to job functions. Toggl team members always receive access appropriate to their duties.
Multi-Factor Authentication (MFA): MFA is mandatory for all critical remote access to our network, such as access to all cloud administration consoles.
Privileged Access Management: Access with administrative privileges is strictly controlled and every privileged session is recorded.
Access Reviews: Asset owners are required to review user access rights at least twice a year. Any access that is no longer required is immediately revoked.
End-to-End Encryption: We enforce strong encryption for all data, both in transit and at rest. Data in transit between you and our Service is encrypted using industry-standard TLS protocols (TLS 1.2 or higher), with AES-256 encryption and SHA-2 signatures where the customer's client supports them. Data at rest, including in our production databases, file storage, and backups, is encrypted at the storage level using AES-256 or AES-128. We continuously monitor the cryptographic landscape and upgrade cipher suites as needed.
Data Masking for Non-Production Environments: We do not use live customer data in our development or testing environments. Instead, we use data that has been anonymized or pseudonymized through appropriate masking techniques.
Data Leakage Prevention (DLP): We use DLP tools on our endpoints and network gateways. These tools are configured to detect and block the unauthorized exfiltration of data.
Network Perimeter Controls: Only a small number of production servers are accessible from the internet, and only those network protocols essential for delivering the Service are open at our perimeter. All changes to our production environment are restricted to authorized personnel via dedicated VPN access, and multi-factor authentication is enforced for all server access across our production environment.
Network Segmentation and Firewalls: We implement network segmentation to restrict and control access to environments where customer data is stored or processed. Segmentation is designed to limit the potential impact of unauthorized access and to enforce separation between systems based on sensitivity and function.
System Hardening and Configuration Management: We maintain documented, secure configuration standards for all our operating systems, databases, and network devices. We use automated tools to enforce these configurations.
Vulnerability Management: We perform authenticated vulnerability scans on our entire infrastructure weekly. Identified vulnerabilities are prioritized based on their severity score, and we adhere to strict SLAs for remediation.
Malware Protection: All servers and endpoints are protected with a next-generation antivirus and Endpoint Detection and Response solution.
Secure SDLC Framework: Our SDLC incorporates security at every stage, including threat modeling during design, secure code reviews, and both static and dynamic application security testing.
Secure Coding Standards: Our developers are trained on and required to follow secure coding standards based on industry best practices. We conduct mandatory peer reviews for all code changes before they are merged.
Separation of Environments: We maintain strict logical and access control separation between our development, testing, and production environments.
Availability: We understand that you rely on the Service to work, and are committed to ensuring high availability. The Service runs on fault-tolerant systems designed to withstand failures of individual servers and, where applicable, entire data centers. Organization Data are stored redundantly at multiple locations in our cloud provider’s data centers. Our operations team staffs an around-the-clock on-call rotation to resolve unexpected incidents quickly.
Centralized Logging and Monitoring: We collect detailed logs from all critical systems, applications, and network devices into a central security information and event management system. Our system is configured with correlation rules to automatically detect suspicious activity and generate real-time alerts for our security team.
Clock Synchronization: All systems are synchronized to a common, trusted time source using NTP. This is critical for accurate correlation of log data during incident investigations.
Backup and Recovery Testing: We perform automated backups of all customer data. Backups are encrypted and stored securely. Backups are automatically tested daily for integrity, and in addition, we perform full restore exercises periodically to validate that recovery processes work as intended.
We maintain an incident response policy that helps us contain, eradicate, and recover from security incidents while minimizing their impact.
Formal Incident Response Plan: We maintain a formal incident response plan, covering the phases of preparation, detection & analysis, containment, eradication, and recovery. The plan includes specific procedures for different incident types (e.g., malware, data breach, denial-of-service).
Dedicated Incident Response Team: We have a designated team composed of trained personnel from security, IT, and legal, to manage incidents.
Post-Incident Analysis: After every significant incident, we conduct a formal post-mortem analysis to identify the root cause. The findings are documented in a "lessons learned" report, which is used to implement corrective actions and improve our security controls.
As an ISO 27001-certified business, we are committed to transparent and timely communication. In the event of a security incident affecting your data, we will notify you promptly. The method of notification will follow the provisions of our binding agreements with you (e.g., Terms of Service or DPA).
We also encourage our customers to be our partners in security. If you observe any unusual activity or suspect a security issue, please report it immediately to our Support Team at support[at]toggl.com.
The Services are hosted on Google Cloud Platform (GCP). The ICT infrastructure used for data processing is physically located in data centers in Iowa, United States, and is therefore subject to United States jurisdiction.
Our contractual relationship for cloud services is with Google Cloud EMEA Ltd., headquartered in Ireland. This means that, while the physical infrastructure is located in the United States, our cloud service contract is governed by EU law and the safeguards resulting from GDPR and the applicable transfer mechanisms. Toggl OÜ, incorporated in Estonia and subject to EU law, is the provider of the Services for our EU-based customers.
Toggl has adopted technical, organizational, and contractual measures designed to prevent unlawful international governmental access to or transfer of non-personal data held in the Union, where such access or transfer would create a conflict with Union or Member State law. These measures include:
This Policy is not a static document. It is part of a continuous cycle of improvement driven by our ISMS. Through regular risk assessments, internal and external audits, and analysis of security incidents, we constantly refine our controls to adapt to the evolving threat landscape.
We may revise this Policy from time to time to reflect changes to our services, applicable laws, or industry standards. We will post the revised Policy on this page and may notify customers via email or in-app notifications. The revised Policy will be effective when posted.
For questions about this policy, contact our security team at: legal[at]toggl.com.
Last updated: 12 September 2025