
Overview of Time Doctor's Legal and Compliance Documentation

Note: Time Doctor's legal and compliance documentation is publicly accessible to all users and visitors. Account owners and administrators are encouraged to review these documents to ensure organizational compliance.

TL;DR: 

Time Doctor maintains twelve legal and compliance documents covering service terms, data privacy, security certifications, and messaging policies. These documents are publicly available on the Time Doctor website and collectively form the regulatory and contractual framework for all users of the platform.

 

Time Doctor (operated by Mystaff.com, LLC) maintains a dedicated legal and compliance section accessible via timedoctor.com/terms-of-service. The section comprises twelve interlinked documents covering contractual terms, data privacy, security certifications, and communication policies.

These documents are organized around four broad themes:

  • Core service agreements: Terms of Service and SLA
  • Data protection and privacy: Privacy Policy, Cookie Notice, Customer DPA, Sub-processors, Data Retention, and HIPAA
  • Security certifications: SOC2, ISO 27001 & ISO 27701, and Security & Compliance
  • Communication compliance: Messaging Services Policy

 

Core Service Agreements

Terms of Service

The Terms of Service is the foundational agreement between Time Doctor and its customers. It covers the software subscription license, customer responsibilities, usage restrictions, fee structures and payment terms, confidentiality obligations, intellectual property ownership, data protection responsibilities, indemnification, termination conditions, warranties, limitations of liability, government compliance, and general legal provisions. The agreement is governed by Texas law, and disputes are subject to arbitration in Travis County, Texas.

 

Service Level Agreement (SLA)

The Service Level Agreement (SLA) defines Time Doctor's uptime commitment of at least 99.0% per calendar month. Downtime is defined as a server-side user error rate exceeding 5%. Eligible customers may request Service Credits — up to a maximum of 15 days of service per calendar month — within 30 days of a qualifying event. Credits are not convertible to monetary compensation. Exclusions apply for force majeure events and third-party infrastructure failures outside Time Doctor's control.

 

Data Protection and Privacy

Privacy Policy

The Privacy Policy explains how Time Doctor collects, uses, and shares personal information across its platform. Time Doctor acts as both a data controller (for its own operational purposes) and a data processor (on behalf of its customers). The policy details the categories of data collected, the lawful bases for processing under GDPR/UK GDPR, how data is shared with third-party service providers, cross-border transfer mechanisms, data retention practices, and the rights of users across all regions — including California (CCPA), EU, and UK residents. Reach the Data Protection Officer at dpo@timedoctor.com.

 

Cookie Notice

The Cookie Notice describes Time Doctor's use of cookies and similar tracking technologies — including web beacons, pixels, and SDKs — on its websites and applications. Four types of cookies are used: necessary, performance, marketing, and statistics. Users may manage or reject non-essential cookies through the platform's cookie preference center or browser settings. Time Doctor does not respond to Do Not Track (DNT) signals at this time. Direct privacy questions to privacy@timedoctor.com.

 

 Customer Data Processing Addendum (DPA)

The Customer DPA is the legal instrument governing Time Doctor's processing of personal data on behalf of customers, incorporating Standard Contractual Clauses (SCCs) as required under GDPR and applicable data protection laws. The DPA has been pre-signed by Time Doctor. Complete the document with the legal entity name, address, and signatory information, then submit it to privacy@timedoctor.com to make it effective. A downloadable copy is available on the page.

 

Sub-processors

The Sub-processors page lists all third-party vendors with whom Time Doctor shares personal or sensitive data to operate and improve its services. All sub-processors are covered by GDPR-compliant data processing agreements. Vendors span payments (Stripe, Paddle, BrainTree), cloud hosting (AWS, GCP), analytics (Google Analytics, ChartMogul), marketing (Mailchimp, Facebook, Google AdWords), communications (Sparkpost, MailGun, SendGrid, AirCall), support (FreshDesk), sales tools (HubSpot, SalesLoft), and AI services (Anthropic), among others.

 

Data Retention

The Data Retention page sets out Time Doctor's approach to retaining and deleting customer data. Specific protocols vary depending on the type of customer account and the actions — or inaction — of the customer. A full Retention & Deletion Protocol document is available for download directly from the page.

 

HIPAA Compliance Policies

The HIPAA Compliance Policies page establishes Time Doctor's procedures for handling Protected Health Information (PHI) in compliance with the HIPAA Privacy Rule and Security Rule (§164.308(a)(1)). The full HIPAA Compliance Policy document is available for download from the page.

 

Security Certifications

SOC 2

The SOC 2 page describes Time Doctor's SOC 2 Type 2 compliance status, issued under the AICPA framework. SOC 2 Type 2 requires ongoing, independently audited controls over security, availability, processing integrity, confidentiality, and customer data privacy. Request the SOC 2 Type 2 report — available under a signed NDA — at security@timedoctor.com.

 

ISO 27001 & ISO 27701

The ISO 27001 & ISO 27701 page details Time Doctor's ISO/IEC 27001:2022 and ISO/IEC 27701:2019 certifications. ISO 27001 governs the Information Security Management System (ISMS) with controls for identifying at-risk assets, access control, business continuity, and regular independent audits. ISO 27701 extends this framework to privacy information management. Both certifications are verifiable at rigcert.org/certification_check.

 

Security and Compliance

The Security and Compliance page provides an overview of Time Doctor's security practices. Key measures include HTTPS/TLS encrypted data transfer, two-factor authentication, strong password policies, internal logging, physical security, and daily backups. External security is reinforced through regular penetration testing and audits. The page also covers employee data access controls, screenshot data security, incident management (with a 72-hour disclosure commitment in case of a data breach), and payment protection via Stripe's PCI-compliant network. Time Doctor holds both ISO 27001 and SOC 2 certifications.

 

Communication Compliance

Messaging Services Policy

The Messaging Services Policy governs Time Doctor's use of SMS and other messaging channels for service notifications, billing reminders, and operational alerts. Key provisions cover opt-in consent, opt-out instructions (reply STOP to any message, or email unsubscribe@timedoctor.com), message frequency (generally 1-5 messages per week), TCPA and CTIA compliance, data retention for messaging data, dispute resolution through binding individual arbitration, and eligibility requirements (users must be 18 or older). Direct support inquiries to support@timedoctor.com.

Should there be any inconsistencies or concerns regarding the article, contact support@timedoctor.com for prompt assistance.