Timecounts is built for organizations that rely on trust. Volunteers, staff, and community members share important personal information, and it’s our responsibility to protect it. This article outlines the key security practices we use to safeguard your data across the Timecounts platform.
For detailed legal commitments, please refer to our Data Processing Agreement (DPA).
Our Approach to Security
We follow widely accepted security principles to ensure your data stays protected. This includes technical safeguards, secure development practices, and processes that limit access only to people who need it. Security is part of our product design from day one.
Data Encryption
In transit
All data sent between your browser and Timecounts is encrypted using HTTPS/TLS. This prevents unauthorized parties from intercepting your information.
At rest
Data stored in our databases and file storage systems is encrypted at rest using industry-standard encryption.
Access Controls
Only authorized team members can access systems containing personal data.
Administrative access is protected with strong authentication and limited to those who need it for support or maintenance.
Access is reviewed regularly and removed when no longer required.
Secure Infrastructure
Timecounts is hosted with reputable cloud providers who maintain high security standards, including physical security, network protection, redundancy, and certifications. We partner with trusted vendors for hosting, file storage, backups, communications, and operational tools.
A full list of our subprocessors is always available at:
https://timecounts.org/subprocessors
Monitoring and Logging
We actively monitor our systems for unusual activity and errors. This includes application and infrastructure monitoring, automated alerts, error detection tools, and audit logs for sensitive actions. Monitoring helps us respond quickly to issues and maintain service reliability.
Backups and Reliability
We perform regular encrypted backups to ensure data can be recovered in the event of an unexpected outage or failure. Our infrastructure is designed with redundancy, helping keep Timecounts available even if individual components encounter issues.
Vendor and Subprocessor Review
Before using any third-party service, we evaluate their security practices, privacy commitments, data protection terms, and compliance posture. We only work with vendors who meet our requirements.
Changes to our subprocessor list are posted with 30 days' notice, in line with our DPA.
Product and Code Security
We follow secure development practices, including code reviews, regular updates and patching, dependency monitoring, and limited access to development environments. This reduces risk and ensures the platform remains stable and secure.
Incident Response
If a security incident or data breach is detected, Timecounts will notify affected customers without undue delay and provide information needed to meet regulatory requirements, including GDPR, UK GDPR, and PIPEDA.
Your Role in Security
Organizations using Timecounts play an important part in maintaining security. We recommend:
Limiting administrator accounts to those who need them
Using strong passwords
Reviewing access when staff changes
Keeping volunteer data up to date
Avoiding shared accounts across multiple users
Have Questions About Security?
We’re happy to help.
Contact our privacy and security team at [email protected]
