Security

Data Center Certifications

Time cockpit runs in ISO certified data centers in the European Union.

Time cockpit uses Microsoft's Azure Cloud Platform to provide its services. We deploy all our components to Azure’s European datacenters (Amsterdam and Dublin). The BSI Group certified Microsoft Azure datacenters based on the ISO/IEC standard 27001:2005. The certification covers the components Compute, Storage, Virtual Network and Virtual Machine Services. Currently the certification does not yet cover the relational database service of Microsoft Azure (SQL Database). The Microsoft Azure Trust Center contains detailed information about the compliance of Microsoft Azure with various compliance programs.

E.U. Data Protection Directive

Contracts regarding E.U. Data Protection Directive.

We are a volume licensing customer for Microsoft. Our contract with Microsoft regarding Azure contains commitments especially relevant for end customers in the European Union:

  • A Data Processing Agreement that details the compliance with the E.U. Data Protection Directive and related security requirements for Microsoft Azure core features within ISO/IEC 27001:2005 scope.
  • E.U. Model Contractual Clauses that provide additional contractual guarantees around transfers of personal data for Microsoft Azure core features within ISO/IEC 27001:2005 scope.

Relational Database Security

Database clusters, connection encryption, and firewalls

In the cloud time cockpit stores most of your data in relational database clusters. The only exception is your encrypted activity log. It is stored in blobs (read more about security for encrypted blobs ...). Please note that currently the relational databases in Microsoft Azure are not within the ISO/IEC 27001:2005 scope.

  • All our relational database servers in the cloud used by time cockpit are three-node failover clusters. In the case of hardware or failures in the underlying system software (operating system or RDBMS software), time cockpit is automatically redirected to a new cluster node. All cluster nodes are in the same datacenter facility. Backups for disaster recovery on datacenter-level are maintained by Microsoft.
  • Network traffic to and from the database layer is SSL encrypted in all cases (both when accessed from cloud-based servers and from on-premise computers). Key handling is provided by the Microsoft Azure Platform.
  • Database servers are protected by multiple layers of firewalls. The first layer provides an IP-based firewall. The second firewall layer (“gateway layer”) is a stateful firewall that understands SQL’s Tabular Data Stream (TDS) protocol. It protects the database against protocol attacks, brute-force password attacks, etc.

Activity Log in Encrypted Blobs

Geo-replicated store for encrypted activity log

Time cockpit stores your encrypted activity log in Microsoft Azure Blob Storage.

  • The Blob Storage service is covered by the ISO/IEC standard 27001:2005 certification of Microsoft Azure.
  • Data stored in the Blob Storage service is always stored on storage clusters (protection against server-level hardware failures).
  • All data stored in the Blob Storage service is geo-replicated in both datacenters inside the European Union (Dublin and Amsterdam; disaster protection).

Cloud-based Web Servers

Web farms, connection encryption, ISO certification

The compute facilities for time cockpit web servers are covered by the ISO/IEC standard 27001:2005 certification of Microsoft Azure. We designed time cockpit to support all security and accessibility functions of the Microsoft Azure Platform:

  • Operating system patches and service packs are automatically maintained by Microsoft.
  • All web servers are implemented as clusters (web farms).
  • Time cockpit is fully covered by the Azure Service Level Agreements provided by Microsoft.
  • Firewalls and network components are provided by the Azure Platform and maintained by Microsoft.
  • All web services and web sites of time cockpit are SSL secured.

Client Components

Digitally signed .NET assemblies

You install the time cockpit full client software using a standard-conform Windows Installer package (MSI package). It supports silent installation and automatic software deployment. All installation components (bootstrapper, MSI package) as well as all application assemblies are strong named and signed using a certificate.