Office Timeline Licensing, Policies and Statements
Free & Instant Editions
Office Timeline Add-in - Free Edition
Office Timeline Add-in Free is a basic timeline maker plugin for PowerPoint. Licenses are perpetually granted to any employee, individual or company who downloads and installs the software. It can be used for personal or business purposes. The Free Edition of the Office Timeline Add-in can be deployed centrally by any company or organization, and users can upgrade to the latest version at any time without charge. The license may be transferred and redistributed without restriction.
Office Timeline Online - Instant Edition
The Instant version of Office Timeline Online is an instant, limited online timeline maker that does not save any of the user’s data or timelines for future use.
Office Timeline Online - Free Edition
Office Timeline Online Free is a limited online timeline maker. Licenses are granted to any employee, individual or company who registers for a Free account. The tool can be used without restriction for any personal or business purposes. Office Timeline Online Free accounts must be accessed once every 90 days to remain active. Any user data created with an Office Timeline Online Free account will be deleted if the account remains idle for more than 90 days.
Office Timeline Add-in - Plus Edition
Office Timeline Add-in Plus is a rich, full-featured timeline maker add-in for PowerPoint. Each person who uses Office Timeline Plus Edition needs their own license, and a license can be deployed on two of the user’s devices. Licenses are sold in any quantity as an annual subscription, and the software reverts to Office Timeline Free Edition if the subscription is not renewed by expiration. After expiration, any work created with Office Timeline Plus Edition will be downgraded until the subscription is renewed.
Office Timeline Online - Plus Edition
Office Timeline Online Plus is a feature-rich, collaborative online PowerPoint timeline maker. Plus Edition licenses for Office Timeline Online are sold in any quantity as an annual subscription. Subscriptions grant each user an unrestricted license to access and use the application from multiple devices. Each user needs to have their own Office Timeline Online account, and accounts cannot be shared. Office Timeline Online Plus licenses revert to Free Edition if the subscription is not renewed by expiration. After expiration, any work created with Office Timeline Online Plus will be downgraded until the subscription is renewed. If the subscription is not renewed and the user does not log in to their account within 90 days after expiration, all work saved in the account will be deleted.
Can I transfer the Office Timeline Add-in to another user?
If a named user leaves the company, freeing up a Plus license key, companies may transfer that license key to another named user within the organization.
Can I transfer Office Timeline Online Plus to another user?
If an Office Timeline Online Plus user leaves the organization, freeing up a license, the designated license manager may reassign it to a different member of the team.
How does licensing work for Office Timeline Add-in Plus?
When you purchase the Plus Edition of the Office Timeline Add-in, you receive a unique Product Key set for the number of users you purchased it for. Download and install Office Timeline Free Edition from the Office Timeline website and use the Product key to activate the Plus edition. During this activation process, the software will automatically contact our Product Key Service, validate your license, and activate the premium features for the duration of your subscription period.
You will be notified prior to expiration when your license is nearing the end of its term. If the subscription is renewed prior to expiration, your Product Key will be extended for 1 year. If you choose not to renew the subscription, the premium features of the Office Timeline Plus will expire and the software will revert to Office Timeline Free Edition.
How does licensing work for Office Timeline Online Plus?
When you purchase an Office Timeline Online Plus Edition subscription, you are provisioned with a user account that can access the premium features of the application. Simply log in to Office Timeline Online and begin using the service. If you purchase Office Timeline Online Plus for multiple users, you will become a license manager or have the option to designate one at the time of purchase. The license administrators’ account will have the additional capability of assigning (and revoking) Office Timeline Online Plus to other users based on the number of licenses purchased. As the purchaser of the subscription, you can also revoke a designated license administrator and assign a new one.
All Office Timeline Online Plus license owners will be notified in advance of upcoming expiration dates, and subscriptions must be renewed to avoid service disruption. If a Plus subscription is not renewed, the premium features offered in Office Timeline Online Plus will no longer be available and the application will revert to Free Edition.
We offer uninterrupted access to the premium versions of Office Timeline Add-in and Online through an optional auto-renewal service which bills your account and renews your subscription. If auto-renewal is ON at the time your subscription expires, the auto-renew service will charge the annual subscription fee and your license will be extended for 1 year. Prior to automatically charging for any subscription renewal, you will receive three notifications requesting you to confirm your automatic renewal settings. You can change these settings at any time by logging in to your account.
Office Timeline End User License Agreement (EULA)
Agreement and License Grants
Thank you for choosing Office Timeline. This is a legal agreement between Office Timeline and the party that downloads, installs and/or uses the software provided by Office Timeline, each of whom accepts the terms of this agreement for herself, himself or itself. Office Timeline software is licensed and not sold, and the rights to use the software are set forth in this agreement. These license terms apply to the Office Timeline software application and any Office Timeline updates, supplements, Internet-based services, and support services.
Acceptance of these terms will constitute a legally binding agreement by and between Office Timeline and you, the licensee. According to the terms herein and/or your installation, use of the software also signifies your agreement to be legally bound by these terms and conditions. As described below, using some features also operates as your consent to the transmission of certain standard computer information for Internet-based services. If you do not accept this agreement or do not want to be bound by these terms, you should not install or use the software and you shall not have any licensee rights. If you comply with these license terms, you have the rights below.
The Software is protected by intellectual property laws. You are granted certain limited rights to install and use the Software. You acknowledge and agree not to use the software in a manner that violates any applicable law, regulation or this agreement.
Office Timeline Free Edition licenses are granted to individuals and businesses who install the software. Office Timeline Free Edition licenses may be used on personal and corporate computers. The Free Edition license has no run-time limitations and it can be installed on more than one machine.
Office Timeline Plus Edition licenses are granted to individuals or businesses who purchase the Plus version of the software. The licenses are granted per user and each user of Office Timeline must have a license. The software can be deployed centrally and distributed across an enterprise to licensed users. The license grants are not transferrable to any third party.
TERM. The term of this agreement is until January 1, 2030 or until Office Timeline changes the term, whichever comes first.
FEEDBACK. If you give feedback about the software to Office Timeline, you give to Office Timeline, without charge or conditions, the right to use, share and commercialize your feedback in any way and for any purpose, including future modifications of the software, other products or services, advertising or marketing materials. These rights survive this agreement.
SCOPE OF LICENSE. The software is licensed, not sold. This agreement only gives you some rights to use the software. Office Timeline reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not:
disclose the results of any benchmark tests of the software to any third party without Office Timeline’s prior written approval;
work around any technical limitations in the software;
reverse engineer, decompile or disassemble the software, except and only to the extent that applicable law expressly permits, despite this limitation;
make more copies of the software than specified in this agreement or allowed by applicable law, despite this limitation;
publish the software for others to copy;
rent, lease or lend the software;
remove any proprietary notices or labels;
transfer the software or this agreement to any third party.
EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations, end users and end use.
CONSENT TO TRANSMISSION OF DATA. Office Timeline may collect anonymous usage data of the application in a form that does not personally identify you. This data is transmitted to a secure web service running on the Microsoft Azure cloud computing platform over HTTPS and is limited to system information and data on how the application is set up and how the application is being used. Office Timeline uses this data in aggregate to optimize products and improve services. You can opt out of usage data at any time through the Office Timeline Settings menu by unchecking the Usage Data dialog box. System administrators can disable usage data with a registry key.
SUPPORT SERVICES. Because this software is “as is,” we may not provide support services for it.
ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the software and support services.
United States. If you acquired the software in the United States, Washington State law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
Outside the United States. If you acquired the software in any other country, the laws of that country apply.
Forum Selection. The sole and exclusive venue for any lawsuit arising out of or relating to this agreement shall be the King County Superior Court of King County, Washington.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the software. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
DISCLAIMER OF WARRANTY. The software is licensed “as-is” and you bear the risk of using it. Office Timeline gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Office Timeline excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement.
You expressly understand and agree that you are responsible for implementing and maintaining anti-virus protections which meet your requirements and that Office Timeline will not be liable for any loss or damage caused by a virus or any other technologically harmful material that may infect your computer equipment, programs or data as a result of using the website or downloading any files from the website.
LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You agree to hold Office Timeline harmless from any and all liability and claims arising out of your use of the software. You cannot recover any damages, including consequential, lost profits, special, indirect or incidental damages. This limitation applies to:
anything related to the software, services, content (including code) on third party Internet sites, or third party programs;
claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law;
any claims arising from issues Office Timeline knew or should have known about the possibility of damages.
TERMINATION. This license will terminate automatically if you fail to comply with the limitations described above. On termination, you must destroy all copies of the Software.
Office Timeline Online Terms of Service
Office Timeline Online is an Office Timeline LLC brand. Before registering with Office Timeline Online, you must read and agree to these Terms of Service ("TOS"). By using Office Timeline Online ("the Service"), you agree to be bound by the TOS, and you agree that it is as binding as if it were a written negotiated agreement signed by Office Timeline, LLC ("Office Timeline") and you.
Office Timeline has the right to update and change the TOS from time to time without notice, and you agree to be bound by such modifications or revisions. Any new functionality or services that change or enhance the current Service shall be subject to these Terms of Service. If you continue to use the Service after any such changes, your continued use constitutes your affirmative agreement to such changes and your acknowledgment of their meaning. The applicable version of the Terms of Service can be viewed on this web page at any time.
Description of Service
Office Timeline Online is a web-based visual project planning and reporting application created by Office Timeline. Your use of the Service is at your sole risk. The service is provided on an AS-IS and AS-AVAILABLE basis.
You must be at least sixteen (16) years of age to use the Service. If you are over 16 years of age, but under the age of majority in your jurisdiction, you must obtain permission from a parent or guardian. You must provide current, accurate identification, contact, and other information that may be required as part of the registration process and/or continued use of the Service, including a valid e-mail address. Accounts registered by automated methods are not permitted. Each login may only be used by one person. You may grant other people permission to access your projects by invitation, but they still need to create their own account for the Service. Each user is responsible and liable for maintaining the security of their login credentials and password. Office Timeline will not be liable for any loss or damage from failure to comply with this security obligation. Office Timeline reserves the right to refuse service to anyone at any time without notice for any reason.
You may not use the Service for any illegal or unauthorized purpose. You must not, in the use of the Service, violate any laws in your jurisdiction (including but not limited to copyright laws). You are responsible and liable for all content posted to the Service and any activity that occurs on your account, even when content is posted by - or activities being deployed by - others who have accounts associated with your account. Verbal, physical, written or other abuse (including threats of abuse or retribution) of any Office Timeline customer, employee, member, or officer will result in immediate account termination.
You are not allowed to modify, adapt or hack the Service or modify another website so as to falsely imply that it is associated with the Service or any other Office Timeline service. You agree not to reproduce, duplicate, copy, sell, resell or exploit any portion of the Service, use of the Service, or access to the Service without the express written permission by Office Timeline.
Office Timeline may, but has no obligation to, remove content and accounts containing content that we determine in our sole discretion are unlawful, offensive, threatening, libelous, defamatory, pornographic, obscene or otherwise objectionable or violate any party's intellectual property or these Terms of Service.
If your bandwidth usage exceeds 100 MB/month, or significantly exceeds the average bandwidth usage (as determined solely by Office Timeline) of other Office Timeline Online customers, we reserve the right to immediately disable your account or reduce the Service or its availability to you until you can reduce your bandwidth consumption.
The nature of the Service may result or require us to have access to the materials, information, and content you upload to the service. Office Timeline acknowledges that some or all of this information may be confidential in nature. By uploading this information to the Service, you agree that Office Timeline may have such access when necessary and appropriate.
Office Timeline will undertake reasonable and lawful measures to ensure that the information remains confidential. In particular, unless compelled by law, Office Timeline shall not directly or indirectly use, disclose, reveal, publish or cause to be disclosed any such confidential information to third parties.
Confidential information does not include information that at the time of disclosure was generally known to the public; after disclosure becomes generally known to the public through no fault of Office Timeline; or is already in the possession of the receiving party at the time of disclosure through some other source.
Office Timeline Online provides 256-bit SSL encryption from client to server. You understand that the technical processing and transmission of the Service, including your content, may be transferred over the “public” unencrypted and involve transmissions over various networks and changes to conform and adapt to technical requirements of connecting networks or devices.
Prices of the Service, including but not limited to annual subscription plan fees, are subject to change without prior notice. Such notice may be provided at any time by posting the changes to the Office Timeline website at www.officetimeline.com or within the Service itself, but Office Timeline is under no obligation to do so.
The Service is billed in advance on an annual basis and is refundable within 30 days of the purchase date. After the 30 days, no refunds will be made for premature cancellation of subscription. There will be no refunds or credits for partial months of service, or refunds for months unused with an open account.
If payment for a subscription has not reached the Service, the account will be suspended. Office Timeline will not be liable for any loss of content, capacity, features or external implications that result from said Suspension.
Cancellation and Termination
Each new Office Timeline Online Plus account will come with a 30-day satisfaction guarantee through which you will be allowed to cancel your annual subscription and receive a refund by replying to your invoice and requesting a refund or by emailing your request to sales at office timeline dot com. There will be no refunds when a user fails, for whatever reason, to cancel the subscription by the end of those 30 days and Office Timeline does not accept any liability for any resulting extra charges.
If you cancel after 30 days, no refunds will be issued and you will be able to continue to use Office Timeline Online until the annual subscription expires. You will not be charged thereafter. It is the user's responsibility to check that the subscription has been cancelled by logging into their account and validating the subscription’s billing settings. There is no cancellation fee.
All payments and payment information for Office Timeline Online services are handled by a third-party payment gateway. Office Timeline Online holds no credit card information of any users. All fees are exclusive of all taxes or duties imposed by governing authorities. You alone are responsible for payment of all such taxes or duties. Office Timeline shall not be liable to you or to any third party for any modification, price change, suspension or discontinuance of the Service.
Office Timeline, in its sole discretion, has the right to suspend or terminate any account and refuse any and all current or future use of the Service, or any other Office Timeline service, for any reason at any time. Such termination of the Service will result in the deactivation or deletion of your account and content or your access to your account and content, and the forfeiture and relinquishment of all content in your account.
Canceling your Office Timeline Online Plus subscription will revert it to an Office Timeline Online Free account. This means you will have limited access to any data or content, historic or otherwise, that was created by you with Office Timeline Online Plus. Office Timeline Online Free accounts are kept for a 3-month period, during which you can reactivate your Office Timeline Online Plus account by making a successful payment. If an Office Timeline Online Free account remains inactive for longer than 3 months, its data (e.g. any saved timelines) will be deleted from the Service, and it will not be possible to recover that data. You understand and agree to this condition.
Office Timeline reserves the right to refuse service to anyone, for any reason, at any time. Office Timeline reserves the right at any time and from time to time to modify or discontinue, temporarily or permanently, the Service (or any part thereof) with or without notice.
Violation of any of the terms contained within this TOS will result in the termination of your account. While Office Timeline prohibits conduct and content that violate its TOS, you understand and agree that Office Timeline cannot be responsible for all content posted on the Service and that you may be exposed to such materials.
Warranties and Liability
Office Timeline specifically does not warrant:
That the Service will meet any specific requirements including but not limited to yours;
That the Service will be uninterrupted, timely, secure, or error-free;
That the results that are obtained from the use of the Service will be accurate or reliable;
That the quality of any products, services, information, or other material purchased or obtained by you through the Service will meet your expectations;
That any errors in the Service will be corrected.
You expressly understand and agree that Office Timeline cannot and shall not be liable for any direct, indirect, incidental, special, consequential or exemplary damages, including but not limited to, damages for loss of profits, goodwill, use, data or other intangible losses (even if Office Timeline has been advised of the possibility of such damages), resulting from:
The use or the inability to use the service;
The cost of procurement of substitute goods and services resulting from any goods, data, information or services purchased or obtained through or from the service;
The unauthorized access to or alteration of your transmissions or data;
Statements or conduct of any third party on the service;
Or any other matter relating to the service.
You expressly understand and agree that you are responsible for implementing and maintaining anti-virus protections which meet your requirements and that Office Timeline will not be liable for any loss or damage caused by a virus or any other technologically harmful material that may infect your computer equipment, programs or data as a result of using the website or downloading any files from the website.
The failure of Office Timeline to exercise or enforce any right or provision of the Terms of Service shall not constitute a waiver of such right or provision or any other right or provision or term described in the terms of Service. The Terms of Service constitutes the entire agreement between you and Office Timeline and governs your use of the Service, superseding any prior agreements between you and Office Timeline (including, but not limited to, any prior versions of the Terms of Service).
Office Timeline LLC Privacy Statement
Protecting your personal data is and always has been at the core of everything we do. This privacy statement explains what personal data we collect from you and how we use that data.
Data We Need
Providing the services you expect requires that we collect a limited amount of personal data. We need this data to make our products work for you.
You provide some of this data directly to us when you purchase our software. For example, email addresses are required to create user accounts, activate subscriptions, purchase or renew licenses and for providing technical and sales support at your request. Names are used in our correspondences to update you when new releases are out or to notify you that your subscription is going to expire. Your company information is used to create invoices for billing purposes.
We also get some anonymous data by recording how you interact with our services. For example, cookies enable us to localize your settings and save those preferences. IP addresses provide geographical information that is used to help us comply with your country’s tax reporting and privacy regulations. Machine IDs are collected from customers who activate our desktop software so we can ensure licenses work correctly.
Secure and Protected Privacy
Privacy is important to us, and we are committed to securing your personal data and empowering your privacy. Our data protection and privacy strategy is built on a framework made up of these fundamental customer data protection pillars.
Limit data collection:
We believe that limiting the personal data we collect to the bare minimum is the very best thing we can do to protect your security and privacy. Our processes and systems have been designed to operate on a minimal amount of uniquely identifiable information, which significantly limits your privacy exposure.
Guard and protect:
Personal data is kept safe at all times. Our data protection strategy has been created to guard your data throughout its entire lifecycle. Because we limit the amount of personal information collected, we are able to easily manage it at all points with the strongest encryption security methods available.
Transparency and control:
We believe in giving you access to and control over your personal data, and we have built processes for updating or deleting data on demand. You can view or edit your personal data by logging into your account: https://www.officetimeline.com/login. You can also request a report of your personal data or request your personal data be deleted by emailing .
Secure credit cards:
When you choose to make a purchase, you can rest assured your credit card information is never handled or stored on our servers, nor do we have access to it. We believe your credit card information should be carefully managed, protected and secured by an industry expert and not by us. You can initiate a credit card deletion request from inside your account or by emailing .
The limited personal data we collect is used in a fair, legal, reasonable way as you would reasonably expect is needed to operate the service we offer. We do not use personal data for profiling purposes, nor do we sell or trade any of the personally identifiable data we collect.
Core Technology Vendors:
We share personal data with these vendors as necessary to deliver our services. For example, our products are built using Microsoft Azure’s cloud computing platform, and our credit card processing is managed by Stripe. In addition, we use Microsoft Office for email communications, and our communication engines are built on Sendgrid’s messaging platform. None of these vendors are allowed to use your personal data for any other purpose.
In addition to our Core Technology Vendors, we may use services from these technology partners. They are listed below, along with links to their privacy policies:
Intercom – provides you with a fast and simple channel to reach us whenever you have questions or need help;
Appzi – enables you to easily send us feedback and suggestions for improvement;
Zendesk - provides quick access to useful guides, resources and technical support;
If you have any questions about our licensing policies, privacy statement, or terms & conditions, please don’t hesitate to contact us at .
Office Timeline Security FAQ
Our business runs on our software. We depend on it to manage software development sprints, roadmaps, IT projects and for all cross-organization planning. We also use it to communicate with external teams, clients, executives and other important stakeholders. As such a heavy consumer of Office Timeline ourselves, we understand how important the security of our software is to our customers.
We have focused on implementing a holistic and comprehensive security discipline across all parts of our business. The following Security FAQ will provide information on how we practice security across our business. It will cover:
To help deliver the software and services our customers require, we work with a small group of trusted vendors. Each of these vendors – such as Stripe or Microsoft Azure – has been carefully selected for meeting a high standard of security. Our Security FAQ does not address the security practices of these vendors. For a list of our trusted vendors and links to their security pages, please see our privacy statement.
Depending on the type of license they purchase, some Office Timeline users will set up user accounts. These users will set their password at registration from our website or inside the Office Timeline Online app, and they have several options to change it if needed:
Clicking the Forgot Password link at login. The system will email the user a reset link that will allow them to set a new password securely.
Changing it from their Account Settings page once logged in. To prevent unauthorized access, the user will need to re-enter the old password to be able to save the new one.
Contacting our support team. In this case, our support representative will initiate the reset and create a temporary password, which the user will be requested to change as soon as they sign in to their account.
Does the application enforce minimum password security requirements?
Yes. The password must have at least 6 characters and the user interface provides a strength meter that presents the reliability of their chosen password based on length and the character classes included. The password is encrypted in our database using 256-bit encryption.
Do sessions automatically timeout after a specified period of inactivity? If yes, how long is the session timeout?
Yes. Both on the main website and in the Office Timeline Online app, the session timeout is set at 60 days. If the user doesn’t access the site or the web app before this period expires, they will be automatically logged out of their account.
How is the traffic between clients and servers protected?
We use SSL/TLS for communication channel encryption, and we are protected against XSS (cross-site scripting) attacks. In addition, customer data & credit card data are validated in a Stripe plugin for an additional layer of security.
Do you maintain secure coding guidelines and conduct security code reviews on the source code?
Yes. Our technical security expert maintains the security coding standards, which are applied by developers, testers, and team leaders when uploading code to the repository. Every team receives ongoing training on security code policies.
How do you detect code security defects prior to production?
We have a testing process for the source code (including automated tests, unit and integration tests and automated source code analysis tools), which is used, reviewed and maintained constantly by our developers and security manager. This process gives testing requirements the same priority as functional requirements in development cycles, so we can quickly identify any risks early.
Do you protect against Cross-Site Scripting?
Yes. Our website uses the default mechanism from ASP.NET Core (anti-forgery token) against Cross-Site Scripting attacks. This mechanism is the safest method currently available for web applications.
Are your systems configured to log security-relevant events, such as authentication, data access, payments etc.?
Yes. We have a comprehensive internal audit system which logs all application events containing data related to users, orders, payments, invoices, emails, etc. These logs, along with errors, are saved, tracked and reported (on website and by email) via alerting and error tools from Kibana and Rollbar.
Does your website or online app require certain browser plugins to work correctly?
If any form of cryptography is used in your application, please describe the algorithms that are used.
We use the data protection code base package Microsoft.AspNetCore.Cryptography.KeyDerivation. It includes the default hashing algorithm from .NET Core (HMAC-SHA1, 128-bit salt, 256-bit subkey), which is used to protect passwords, tokens, and other data in our system.
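As an added illustration, not Office Timeline's own code: a password hashed and verified with KeyDerivation.Pbkdf2 from the package named above, using the stated HMAC-SHA1, 128-bit salt and 256-bit subkey. The iteration count, the salt-plus-subkey storage layout, and the class and method names are assumptions made for this example.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;

public static class PasswordHashExample
{
    private const int SaltBytes = 16;       // 128-bit salt, as stated in the answer
    private const int SubkeyBytes = 32;     // 256-bit subkey, as stated in the answer
    private const int Iterations = 100_000; // assumption: the page gives no iteration count

    // Returns base64(salt || subkey); this layout is an assumption of the example.
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltBytes];
        RandomNumberGenerator.Fill(salt);   // fresh random salt per password
        byte[] subkey = KeyDerivation.Pbkdf2(
            password, salt, KeyDerivationPrf.HMACSHA1, Iterations, SubkeyBytes);

        byte[] record = new byte[SaltBytes + SubkeyBytes];
        Buffer.BlockCopy(salt, 0, record, 0, SaltBytes);
        Buffer.BlockCopy(subkey, 0, record, SaltBytes, SubkeyBytes);
        return Convert.ToBase64String(record);
    }

    // Re-derives the subkey from the stored salt and compares in constant time.
    public static bool Verify(string stored, string candidate)
    {
        byte[] record;
        try { record = Convert.FromBase64String(stored); }
        catch (FormatException) { return false; }          // malformed record
        if (record.Length != SaltBytes + SubkeyBytes) return false;

        byte[] salt = record.AsSpan(0, SaltBytes).ToArray();
        byte[] expected = record.AsSpan(SaltBytes).ToArray();
        byte[] actual = KeyDerivation.Pbkdf2(
            candidate, salt, KeyDerivationPrf.HMACSHA1, Iterations, SubkeyBytes);
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    public static void Main()
    {
        // Constructed sample password, for demonstration only.
        string stored = Hash("correct horse battery staple");
        Console.WriteLine(Verify(stored, "correct horse battery staple"));
        Console.WriteLine(Verify(stored, "wrong guess"));
        Console.WriteLine(Verify("not-base64!", "anything"));
    }
}
```

Because the salt is stored beside the subkey, two users with the same password get different records, and verification never needs the original password to be kept.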
Does your Software as a Service use transport encryption?
Yes. Both the Office Timeline Online app and the main website are accessible over HTTPS, and the communication channel is encrypted with SSL/TLS, to provide high levels of integrity and confidentiality.
What type of events are logged and monitored?
We have defined and provisioned a suite of security related alerts that are triggered via Microsoft Azure’s monitoring service. For example, these events include website crashes, database availability, CPU/memory load threshold, or other services down alerts. Our administrators and security managers are notified by email and SMS whenever an alert is triggered.
Have you experienced a customer data breach in the past two years?
No. Our customer data has been safely protected since our company’s formation, and we are working hard to keep it safe.
Does your company use firewalls and/or network zoning to restrict traffic into and out of your network at strategic points?
Yes. We use Microsoft Azure's firewall services to control, log, filter and block traffic to our backend, and we have a process in place to ensure only authorized personnel can access it. We also utilize network zoning to provide an additional layer of security – where each edge component is in its own network, and the internal networks communicate through VPN, allowing only desired traffic through.
Is encryption protection in place for internal network traffic that potentially carries customer-sensitive information?
Yes. Customer-sensitive data and the application credentials, SSL certificates, and encryption keys are managed, stored, and transmitted securely through the Azure Management Portal in adherence to Azure Data Security and Encryption Best Practices. Additionally, access to the management portal is restricted and requires specific permission, which is logged and recorded in a secure manner.
Does your network have protections against ARP spoofing?
All our networks leverage Azure's advanced security services, which include protection against man-in-the-middle attacks such as Address Resolution Protocol (ARP) spoofing and flooding. As an additional layer of security, networks can only be accessed through user authentication with strong password requirements.
Who is your data center provider? Are they certified against a compliance theme? (e.g., TIA-942, ISO 27001, SSAE-16, etc.)
Our data center provider is Microsoft Azure, which meets a broad range of international and industry-specific compliance standards, from ISO 27001, HIPAA, and FedRAMP, to SOC 1 and SOC 2. Rigorous third-party audits verify Azure's adherence to the strict security controls mandated by these standards. Azure's compliance reports are available on Microsoft's Service Trust Portal.
Do you sync data to a different environment other than the database?
Yes. We use Elasticsearch clusters to sync data for reports, to log emails sent by the system, and for internal data auditing purposes. In addition, we also use Kibana for logs and errors (please see our FAQ on logging security-relevant events).
Do you back up data?
Yes. All data is saved in the cloud and it is backed up every minute using Azure cloud back-up services. Our back-up and recovery architecture uses geo-redundant storage (RA-GRS) to ensure that the backups are preserved even if the data center is unavailable. Backups are automatically kept for 35 days.
Do you store backups on removable media or in off-site facilities?
Yes. We back up regularly and store these back-ups with Azure. Additionally, we regularly back up to removable media, which are stored at off-site facilities. All backup data is encrypted.
Do you have an auditable process in place for granting and revoking physical access to data centers?
Azure is composed of globally distributed datacenters that are strictly controlled to reduce risk of unauthorized users gaining physical access. We do not have physical access to them.
Do you have disaster recovery and business continuity procedures in place?
Yes. We have a business continuity and disaster recovery (BCDR) process that covers disaster recovery procedures and best practices to ensure business continuity. It addresses disruptions in the service we provide customers, to keep our applications running during unplanned downtimes. Additionally, it leverages Azure recovery services (auto-healing, auto-restart servers, machine replication, geo replication etc.) to ensure business recoverability during outages.
Is there a manual backup and restoration process?
Backups are done automatically through Azure and retained for 35 days. Additionally, we back up data offsite – these backups are automatic as well. As for restoration, this is done manually by authorized staff.
Do you have procedures in place for notifying clients when business disruptions occur?
Yes. Depending on the severity of the business disruption, we may send notifications explaining the issue and letting users know the impact, restoration times and any temporary alternative solutions. To ensure maximum visibility, such notifications may also be posted on all our social media channels.
Has your company ever experienced a major disruption (i.e. catastrophic natural disaster, fire, technology disruption, denial of service attack, material financial loss)?
Has your company selected an individual or team to be responsible for managing the information security and privacy program?
Yes. We have a dedicated security professional who oversees secure architecture and practices, and we have a technical security expert who is responsible for specific, code-related data and secure software development processes. Both receive ongoing information security training and stay current with the latest technologies and threats applicable to our applications.
Is there a Software Development Life Cycle (SDLC) process?
Our development and delivery process is based on the Agile methodology. We use Continuous Integration and Continuous Delivery for our build and release process to ensure that we can deploy changes quickly and in a sustainable way. Our teams work in iterations and cycle through processes of planning, design, development, testing and deployment, and tasks are adjusted as the situation demands. This practice allows us to detect problems early, reduce risks, and easily adapt to changes in requirements.
How are changes tested?
Development teams create unit and integration tests and also perform manual testing for code changes before deploying to a Development server. Then, the testers create and execute automated and manual tests on both the Development and Testing servers. When the testing teams certify and approve code changes, they are deployed to a Staging server and re-tested simulating a Live environment. The final phase is to swap Staging with Live and re-test in the Live environment.
How are they reviewed and approved?
We have a managed development process. When a developer has finished working on a task, that work is submitted for review and approval from a reviewer board. The code will be merged into the main branch (repository) only when the work is approved.
Is production data used for development and/or testing?
No, real customer data (emails, Stripe customer ID, etc.) is never used for development or testing. We have a mock database which is used for development and testing.
Do developers have access to deploy into production?
No. Once the testing team certifies and approves code changes, a small group of key DevOps staff follow a carefully managed methodology to deploy new code into production.
Do you use an automated source-code analysis tool to detect code security defects prior to production?
Yes, we use tools for automated source-code analysis. These tools are developer productivity extensions for Microsoft Visual Studio that provide continuous code analysis and immediate detection of errors and problems. Our development teams use them to find runtime and compiler errors, code smells, and redundancies as they code. They are also used to scan existing code to ensure compliance with the most current coding standards.
For more information about our security policies, please contact us at .