Sesskey authentication for API access (Zapier, Salesforce, Microsoft Navision, TimeTonic internal API)

Login / Password

We prepare an SSO via OKTA at the request of a client.  We are not yet Google SSO compatible but this can be studied on request of course.

The password policy for free accounts is free. For corporate accounts, a minimum of 6 characters is required, including 1 lower case letter, 1 upper case letter and 1 number.

Passwords are hashed and salted and are therefore encrypted and cannot be recovered but only replaced.

The lifetime of the passwords is 1 year.

The accounts are nominative

Dual authentication is not yet available but is planned for business accounts for Q4 2021.

TimeTonic is a SaaS platform managed by Alwaysdata and hosted by Equinix in France.

Dedicated hosting is possible

All flows are done via ssl bank level encryption

Data and software are hosted on our own servers and are not shared with any other company.

A very fine and very strict management of access rights prohibits access to workspaces, columns, data lines on both the client and server sides.

Client files (pdf, word, emails, etc) are encrypted and stored on disk on spaces not accessible in http, only a link is generated, kept and used as a database.

The data is managed per work area called "notebook". Each notebook has its own databases and access to the notebook is managed by specific rights management.

Access by user or user group is possible, including by view, by row, by column - e.g. some people can see all the data but not the modification history, or others can have read-only access to one part of the data, write access to another part, and no access at all to another part.

Access to files is via anonymous long URLs generated and managed in a database and therefore totally unreferenced and unsearchable by search engines - no file is therefore directly accessible.

There are two types of URLs:
- One allowing free access to the owner of the URL
- The other always requiring a valid access right via TimeTonic login / password

The hardware and operational maintenance of TimeTonic servers is managed by Alwaysdata and the servers are physically hosted in Equinix datacenters in France.

SOC 2, PCI DSS, SOC 1 Type 2 (SSAE 18 replaces SSAE 16) certifications are therefore present.

Physical accesses in the datacenter are controlled by a security station, then by individual magnetic card and biometric readers.
See the video

We use internally an audit tool (OpenVAS) to scan our servers for vulnerabilities and tools (e.g. rkhunter) to check the integrity of critical files on a daily basis.

It is not possible to choose your datacenter.

The files are encrypted

Access to user databases by other users is impossible (except for data shared by the users themselves who have temporarily invited TimeTonic support members - themselves under strict NDAs - ) and only the CEO and CTO of TimeTonic have the administrator credentials of the servers which are modified at least twice a year. Even for the CEO and CTO we follow a strict policy of never accessing data without prior authorization from the customers.

A 30-day rolling backup of all databases and files is made daily, and a monthly backup is made and kept for 12 months.

The data belonging to the users are kept as long as the licenses are active and then archived for 1 year unless a request is made to delete an account.

The user identification data (name, login) is kept for the duration of the licence / collection period and is deleted when an account is deleted with final payment.

The backups are total and made daily at 4am with copies of the backups on separate servers.

Restoration can be total or partial and is done on request.

TimeTonic also allows to keep the history of all the modifications made by the users (who modified what, when, and what was the previous value) which, in addition to a very useful traceability to understand the changes made, allows, on demand, to go back in a very fine way without losing the changes made during the day since the last daily backup.

A ctrl-z (undo) is also available directly by users in spreadsheet view for changes made at the moment

Backup is done on demand and takes between 2h and 8h depending on the type of catering requested (except ctrl-z instantly restoring the previous data)

Except for the ctrl-z that can be done by the users themselves, the restoration requires the intervention of TimeTonic.

The intervention is invoiced according to the time spent (in proportion to the daily cost in force, currently 950€ / day).

A complete data recovery is tested every week

We use pingdom to test access to the service every minute with sms and email transmission to 3 people in case of unavailability.

We use newrelic to measure response times and the number of application and database queries.

We also use our own tools that send us an SMS in case of access error, repeated unauthorized access or request for a forgotten password.

Alwaysdata manages servers across multiple Equinix data centers and can restore service to other servers. We also have our pre-production servers that can be converted to production servers in 8 hours.

Procedures are not communicated

The source codes of the applications are not currently deposited but this can be put in place for contracts justifying such a request.

Observed availability rate above 99.95%.

Yes, each customer can create an unlimited number of notebooks, including pre-production.

We also have our own pre-production server.

SLA
- Pro licenses include the following service availability (online access)
- Guaranteed Response Time (GRT): 60mn (during support hours)
- GST (Guaranteed Service Repair Time): 2h (during support hours)
- Monthly guaranteed service availability: 99.5% (during support hours)
- Bug fix repair time is not guaranteed, but we will of course make all reasonable commercial efforts to fix the bugs.

Support
- Email and phone support is provided Monday through Friday during business hours (9:30 am to 6:30 pm CET). Support calls that take more than 15 minutes to process are charged on an hourly basis.
- If more than 8 hours of paid support are reached in a given month, a notification is sent to the customer asking if support should continue or not.
- Professional user licenses can also request on-site support currently in the Paris area. On-site support outside the Paris area will incur additional business, travel and processing costs.

Specifications, tests on developers' workstations, unit tests, functional tests, merge with master, tests on pre-prod server, release on production server and complete tests after 6pm, one click backwards if necessary.

Contact Alwaysdata in case of general access problems. Alwaysdata has an excellent service available also in case of emergency.

Direct access by CEO/CTO for log analysis / re-installation of previous versions/database

Admin training to be able to create or manage your own applications / business processes in total autonomy,

Professional services to assist in the design and creation of applications / business processes

Training / documentation for users

On-site or remote support

Data import help

Export help / data restitution

Specific developments

Interfaces with your existing tools (we have already created interfaces with MS Navision, Office, Google, Dropbox, and Salesforce in particular)

Export csv / xml for data, ZIP for files

Yes, the intervention is invoiced on a time basis (in proportion to the daily cost in force, currently 950€ / day).

It's possible

Yes, in France

All your data belongs to you and no one else has access to it unless you specifically request it or unless you ask for justice

You can request the return of your data and the destruction of all your data at any time