Our security architecture implements defense-in-depth principles with multiple layers of security controls protecting against evolving threat vectors. Both Minute7 and Hour Timesheet maintain independent but equally robust security architectures.

Infrastructure Foundation

Our platforms are hosted on major Cloud Service Providers (CSPs) with enterprise-grade infrastructure. We leverage Virtual Private Cloud (VPC) isolation, subnet segmentation, and multiple availability zones for redundancy and high availability. Our CSP infrastructure maintains compliance with:

• FedRAMP (Federal Risk and Authorization Management Program)
• ISO 27001, 27017, 27018 certifications
• SOC 1/2/3 attestations
• HIPAA compliance standards

Network Security

• Security Groups with strict firewall rules and access controls
• Web Application Firewall (WAF) protection against OWASP Top 10
• DDoS mitigation and protection services
• VPC and subnet isolation for network segmentation
• IAM roles and policies for service-level access control
• Secrets management using CSP Secrets Manager
• Regular security patching and vulnerability management

Application Security

• Secure Development Lifecycle with GitHub-based version control
• Mandatory peer code reviews before production deployment
• Continuous Integration/Continuous Deployment (CI/CD) pipelines
• Dependency scanning with Snyk and npm audit
• Input validation and parameterized queries
• Error monitoring with Datadog and Sentry
• OAuth 2.0 for accounting software integrations
• Stripe integration (PCI DSS Level 1 certified) for payment processing

We maintain active alignment with multiple regulatory frameworks and industry standards to meet the stringent requirements of our customers across government, healthcare, and enterprise sectors.

Security Frameworks

Government & Federal Compliance

Industry Standards & Certifications

Healthcare & Privacy Compliance

Encryption Standards

• Data in Transit: TLS 1.2 or higher encryption for all network communications
• Data at Rest: AES-256 encryption for all stored data
• Key Management: CSP-managed key management services with automatic rotation
• Database Encryption: Transparent data encryption at the database layer
• Backup Encryption: All backups encrypted using AES-256

Data Backup & Recovery

• Daily automated encrypted backups with 7-day retention
• Weekly backups for extended recovery options
• Monthly backups for long-term retention
• Recovery Point Objective (RPO): 24 hours
• Recovery Time Objective (RTO): Less than 4 hours
• Annual disaster recovery testing and validation
• Geographically distributed backup storage across multiple regions

Data Privacy & Isolation

We implement strict data privacy controls and isolation mechanisms:

• Logical Isolation: Each customer's data is logically isolated at the database level
• No Data Sharing: Customer data is never shared or resold to third parties
• Employee Access: No employee access to customer data without authorization, all access logged
• Data Minimization: Only necessary data collected for service provision
• Purpose Limitation: Data used solely for intended business purposes
• Audit Logging: Comprehensive logging of all data access and modifications

User Authentication

• Multi-Factor Authentication (MFA): Supported for enhanced account security
• Single Sign-On (SSO): SAML 2.0 support for enterprise identity providers
• OAuth 2.0: Secure integration with QuickBooks and other accounting platforms
• Password Policies: Enforced complexity requirements and rotation policies
• Session Management: Automatic timeout for inactive sessions
• Account Lockout: Protection against brute force attacks

Authorization & Access Control

• Role-Based Access Control (RBAC): Granular permission management by user role
• Principle of Least Privilege: Users granted only necessary access rights
• Quarterly Access Reviews: Regular audits of user access and permissions
• API Security: Token-based authentication with rate limiting
• IP Restrictions: Optional IP whitelisting for additional security
• Audit Trail: Complete logging of all administrative actions

Internal Access Management

Internal staff access to production systems follows strict security protocols:

• All administrative access logged and monitored
• Quarterly access reviews for all internal staff
• Immediate access revocation upon employee termination
• No direct database access without authorization and logging
• Segregation of duties for critical operations
• Background checks for personnel with production access

Continuous Monitoring

We maintain comprehensive monitoring across all layers of our infrastructure:

• Application Monitoring: Real-time performance and error tracking with Datadog and Sentry
• Infrastructure Monitoring: Cloud-native monitoring and alerting systems
• Security Monitoring: Continuous threat detection and vulnerability scanning
• Dependency Scanning: Automated scanning with Snyk and npm audit
• Log Aggregation: Centralized logging for security analysis
• Availability Monitoring: Uptime monitoring with immediate alerting

Incident Response Plan

Our Incident Response Plan (IRP) is reviewed annually and includes:

• 72-Hour Notification: Customer notification within 72 hours of confirmed incidents
• Incident Classification: Severity levels with defined response procedures
• Response Team: Dedicated incident response team with clear roles
• Communication Protocols: Established channels for internal and external communication
• Root Cause Analysis: Thorough investigation of all security incidents
• Post-Incident Reviews: Lessons learned and process improvements

Security Testing & Assessments

Regular security assessments ensure our defenses remain effective:

• Annual third-party penetration testing
• Continuous automated vulnerability scanning
• Quarterly internal security assessments
• Code security reviews during development
• Dependency vulnerability monitoring
• Annual review of security policies and procedures

Security Contacts

High Availability Architecture

• Multiple Availability Zones: Services distributed across geographically separate data centers
• Redundant Infrastructure: Elimination of single points of failure
• Auto-scaling Capabilities: Dynamic resource allocation based on demand
• Load Balancing: Intelligent traffic distribution for optimal performance
• Database Replication: Real-time data replication for failover capability

Disaster Recovery Specifications

Our disaster recovery plan is tested annually and maintains the following objectives:

• Recovery Time Objective (RTO): Less than 4 hours
• Recovery Point Objective (RPO): 24 hours maximum data loss
• Backup Strategy: Daily, weekly, and monthly backups with geographic distribution
• Annual DR Testing: Full disaster recovery exercises conducted yearly
• Incident Communication: Established protocols for stakeholder notification
• Business Impact Analysis: Regular assessment of critical systems and dependencies

Data Protection & Resilience

Multiple layers of protection ensure data durability and availability:

• Redundant storage across multiple geographic regions
• Automated backup verification and integrity checks
• Point-in-time recovery capabilities
• Immutable backup storage to prevent ransomware attacks
• Regular restoration drills to validate recovery procedures

Data Center Security

Our cloud service providers maintain world-class physical security:

• 24/7 security personnel and video surveillance
• Multi-factor authentication for facility access
• Environmental controls for temperature and humidity
• Fire detection and suppression systems
• Redundant power supplies and backup generators
• Regular third-party audits and certifications

Secure Development Practices

• Version Control: GitHub-based source code management
• Code Reviews: Mandatory peer review before production deployment
• CI/CD Pipeline: Automated testing and deployment processes
• Security Scanning: Automated vulnerability scanning in development
• Dependency Management: Regular updates and vulnerability patching
• Secure Coding Standards: OWASP guidelines and best practices

Vendor & Third-Party Management

• Security assessment of all critical vendors
• Contractual security and privacy requirements
• Regular review of vendor security posture
• Data processing agreements for data handlers
• Incident notification requirements

Employee Security Training

All personnel with access to customer data or production systems undergo:

• Security awareness training upon hire
• Annual security refresher training
• Phishing simulation exercises
• Incident reporting procedures
• Data handling and privacy training
• Signed confidentiality and acceptable use agreements