Time Doctor Security and Compliance

Time Doctor Protects Your Data

We work towards improving our security every single day at Time Doctor. To do so properly, we follow the best security practices. These include:

  • Encrypted data transfer (HTTPS)
  • Email verification
  • A strong password management policy
  • Internal system logging
  • Network and overall infrastructure security
  • Physical security
  • Two-factor authentication (2FA)

External Audits and Security

At Time Doctor, we do our best to provide the best security to our customers. Because of that, we integrate and work with external companies that help us to carry out regular penetration testing, patching, and security audits to identify any possible issues and resolve them within a short period of time.

Time Doctor works with an external penetration testing partner, NetSparker, for regular weekly/monthly security scans and penetration testing, which guarantees the highest possible level of security.

Backups and Reliability

Our backups are done on a daily basis, which guarantees consistency and a quick reaction from our side in case data restoration is needed.

Incident Management

In case of a data breach, we have a procedure in place that dictates how and when to make a responsible disclosure to the affected parties, with the first communication occurring within 72 hours of our becoming aware of the incident.

Software Development Security

Time Doctor uses a Git version control system. Changes to Time Doctor’s code base go through a suite of automated tests before being reviewed and sent through a round of manual testing. When code changes pass through the automated testing system, they are first pushed to a staging environment where timedoctor.com employees test the changes before they’re pushed to our production servers. Changes that are critical, due to security or for other reasons, are fast-tracked to production while still being tested thoroughly.

Confidentiality & Employee Access

We strictly regulate our employees’ access to the data you and your users store with timedoctor.com. Access is limited to those few employees who need it for troubleshooting or support.

No timedoctor.com employees ever access customer accounts unless required for troubleshooting or support. When working on a support issue, we do our best to respect your privacy as much as possible and only access the files and settings needed to resolve your issue.

Screenshot Security

Screenshots are an optional Time Doctor feature. If activated, the screenshots feature will take and store screenshots of your employees’ monitors at the time interval that you specify.

If you use the screenshots feature, you can rest assured that the screenshots and all other data are stored securely. All communication to the server is secured by SSL encryption. Files on the server are encrypted to provide an extra level of security for company data. The servers are located in secure enterprise data center facilities with 24/7 monitoring and hosting support.

Billing Information Protection

When you sign up for a paid account on Time Doctor, we do not store any of your credit card information.

All credit card transactions are processed using Stripe’s secure encryption, which is the same level of encryption used by leading banks. Card information is transmitted, stored, and processed securely on a PCI-compliant network.

ISO 27001 Certified

As part of our continued commitment to meeting and exceeding data security standard practices, Time Doctor is ISO 27001:2013 certified. We have taken this step to certify our product and services with an ISO 27001:2013 certification as a solid foundation for our Information Security Management System.

Paramount to ISO 27001:2013 is that we adhere to international best practices in every action and process as it relates to data privacy and the security of our information systems, chiefly customer data protection. With ISO 27001:2013 certification, we ensure that our information security systems adhere to international data privacy standards.

What is ISO 27001:2013 Certification?

ISO (International Organization for Standardization) 27001:2013 is a set of information security and privacy best practices regarding the management of customer data that adheres to the highest international data security standards. Importantly, ISO standards are the result of a consensus-driven process by experts from all over the world, pooling vast international experience and knowledge from all business sectors.

Data that falls under the risk management controls set in place by ISO 27001:2013 includes financial information, intellectual property, a customer’s or employee’s details, or any personal information entrusted to us.

Our Information Security Management System

In accordance with ISO 27001:2013 standards, we actively:

  • Identify assets at potential risk and require data encryption
  • Ensure ongoing confidentiality, integrity, and availability of information through internal policies and controls
  • Address the importance of business continuity management using a set of controls to protect the availability of information and critical business processes from the effects of major disasters or incidents, ensuring timely resumption
  • Facilitate ongoing independent assessments and audits by accredited certification third parties and our appointed Data Protection Officer (DPO) to ensure that our ISMS is meeting ISO 27001:2013 requirements
  • Maintain a stringent and coherent access control framework, comprising supporting policies, processes, and advanced technologies

Read more about how we manage data and keep information secure in our Privacy Policy and on our Security and Compliance page.

Our ISO 27001:2013 Certification

Click to view our ISO 27001:2013 Certification. You can go to www.rigcert.org/certification_check to check our certification status.


If you are located in the European Union, the General Data Protection Regulation (GDPR) provides you with the additional rights listed below.

Right of Access. You have the right to know what information we hold about you, including:

  • The specific pieces of personal information we have collected about you;
  • The categories of personal information we have collected about you;
  • The categories of sources from which the personal information is collected;
  • The business or commercial purpose for collecting your personal information;
  • The categories of third parties with whom we have shared your personal information;
  • The anticipated period of time for which your personal data will be stored; and
  • The existence of automated decision-making, including profiling.

Right to Correct. If you find out that your personal data is inaccurate or incomplete, you can request that we correct it.

Right to Restrict. You have the right to suspend our processing of your personal data if:

  • The accuracy of the personal data is contested;
  • The processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
  • Time Doctor no longer needs the personal data for the purposes of processing but is required to keep it for the establishment, exercise, or defense of legal claims; or
  • You have objected to processing pursuant to Article 21(1) of the GDPR, pending the verification of whether the legitimate grounds of the data controller override those of the data subject.

Right to Report. You have the right to complain to a supervisory authority if you believe your privacy rights are being violated.

Other Rights. In certain instances, you may have the right to data portability (if our processing is based on consent and automated means), to withdraw consent at any time (if processing is based on consent), to object to processing (if processing is based on legitimate interests), to object to processing of personal data for direct marketing purposes, and to erasure of your personal data from our system (“right to be forgotten”) if certain grounds are met.

Response Timing and Format. We aim to respond to a consumer request for access, correction, restriction, or deletion within 30 days of receiving that request. If we require more time, we will inform you of the reason and extension period in writing.

To make a request under the GDPR or to exercise any other data rights under EU law, contact us via email at dpo@timedoctor.com. Please include your full name and email address along with why you are writing so that we can process your request in a timely manner.

Our EU representative may be reached by contacting:

Petrov Law Co.
38 Aleksander Stamboliiski Bul., Floor 1, Office 2
Sofia, Bulgaria 1000