Security Policy

At Clockify, we secure and protect the information of millions of users worldwide with transparency and 24/7 support.

Bug Bounty Program

We're under a 24/7 security audit performed by the people in the reward program.

Report vulnerability →

ISO/IEC 27001:2013

The most rigorous global security standard for Information Security Management Systems.

See certification →

SOC 2 Type II

Annual audit certification for Service Organization Controls Trust Services Principles.

Request report →

GDPR

Rules for the protection of personal data and privacy inside the European Union.

Data Safety

All Clockify data is hosted on Amazon Web Services (AWS). We take advantage of all the security and privacy features AWS provides, plus our team takes additional pro-active measures to maintain a secure infrastructure and make sure there are always multiple backups for infrastructure disaster recovery purposes (though we can't offer backup in case of user made errors on a per account basis). For more specific details regarding how AWS keeps data secure, please refer to https://aws.amazon.com/security/.

We don't publicize exactly what features, services, and data center we use for security reasons, but we can give you a brief overview of how we make sure your data is safe. We recommend you also review our Terms of Use and Privacy Policy.

Data Center Security

AWS maintains an impressive list of reports, certifications, and independent assessments to ensure complete and ongoing state-of-the-art data center security. They have many years of experience in designing, constructing, and operating large-scale data centers, which makes them the industry standard when it comes to security.

The exact physical location of the data center that stores Clockify's data is private. Only those within Amazon who have a legitimate business know the actual location of Amazon's data centers. Additionally, data centers are secured with a variety of physical controls to prevent unauthorized access.

Data Hosting

The main data location for Global Data Region is Frankfurt, Germany. But, we have caching mechanisms that enable fast data access in other parts of the world for performance purposes. This means data is NOT exclusively stored in Germany but across multiple servers across the world so everyone can quickly access Clockify no matter where they are.

If you wish to store your data exclusively in some region - EU (Germany), UK, USA or Australia - be sure to choose the right data region when creating an account.

Infrastructure Security

All Clockify servers are run from own virtual private clouds (VPCs), with rules that prevent unauthorized requests from entering our network.

Clockify infrastructure is hosted in a fully redundant, secure VPN environment, with access restricted to operations support staff only. This way we can leverage complete firewall protection, private IP addresses, and other security features.

The whole system on which Clockify runs is behind a firewall and only the necessary ports are open to the outside network. Also, only authorized personnel, using SSH keys, have access to the system. Access is enabled only over a VPN connection.

Application Security

All data to and from Clockify is sent securely over HTTPS. The initial connection is established over 2048 bit TLS, and the rest of the communication happens over 256 bit SSL. This is the standard technology for keeping an internet connection secure and prevents anyone from reading and modifying any information. Any data transferred between a user and Clockify is impossible to read or modify.

We use the same level of encryption as do banks and financial institutions. All data is encrypted using SHA256withRSA algorithms, which scramble data in transit, preventing hackers from reading it.

Your company-specific data inside Clockify is kept separate through a logical separation at the data tier, based on application-level access permissions and roles you set up in your workspaces.

All Clockify data is encrypted at rest. At-rest encryption means that all our databases, files, and other storages of content have their files encrypted when they're backed up or otherwise sitting idle. If someone was somehow able to get ahold of a backup of the database, it'd be useless, because they wouldn't have the key to decrypt it.

Operational Security

Our system is constantly monitored. We get reports in real time so we can instantly react in case a potential issue arises. All actions taken on production consoles are logged.

We constantly monitor security, performance, and availability 24/7/365. We run automated security testing on an ongoing basis. We prioritize, resolve, and deploy discovered security issues quickly after discovery. Because we follow Continuous Delivery and Deployment best practices, we can update Clockify on a daily basis and fix things as soon as we see them.

We never access your data in Clockify, unless required for support reasons and with your explicit permission.

Secure Personnel

CAKE.com Inc. takes the security of its data and that of its clients and customers seriously and ensures that only vetted personnel are given access to their resources.

— All CAKE.com Inc. contractors and employees undergo background checks prior to being engaged or employed by us in accordance with local laws and industry best practices.
— Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
— We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.

Secure Development

— All development projects at CAKE.com Inc., including on-premises software products, support services, and our own Digital Identity Cloud offerings follow secure development lifecycle principles.
— All development of new products, tools, and services, and major changes to existing ones, undergo a design review to ensure security requirements are incorporated into proposed development.
— All team members that are regularly involved in any system development undergo annual secure development training in coding or scripting languages that they work with as well as any other relevant training.
— Software development is conducted in line with OWASP Top 10 recommendations for web application security.

Secure Testing

CAKE.com Inc. deploys third party penetration testing and vulnerability scanning of all production and Internet facing systems on a regular basis.

— All new systems and services are scanned prior to being deployed to production.
— We perform penetration testing both by internal security engineers and external penetration testing companies on new systems and products or major changes to existing systems, services, and products to ensure a comprehensive and real-world view of our products & environment from multiple perspectives.
— We perform static and dynamic software application security testing of all code, including open source libraries, as part of our software development process.

Cloud Security

CAKE.com Inc. Cloud provides maximum security with complete customer isolation in a modern, multi-tenant cloud architecture.

CAKE.com Inc. Cloud leverages the native physical and network security features of the cloud service, and relies on the providers to maintain the infrastructure, services, and physical access policies and procedures.

— All customer cloud environments and data are isolated using CAKE.com Inc.'s patented isolation approach. Each customer environment is stored within a dedicated trust zone to prevent any accidental or malicious co-mingling.
— All data is also encrypted at rest and in transmission to prevent any unauthorized access and prevent data breaches. Our entire platform is also continuously monitored by dedicated, highly trained CAKE.com Inc. experts.
— We separate each customer's data and our own, utilizing unique encryption keys to ensure data is protected and isolated.
— Client's data protection complies with SOC 2 standards to encrypt data in transit and at rest, ensuring customer and company data and sensitive information is protected at all times.
— We implement role-based access controls and the principles of least privileged access, and review revoke access as needed.

Compliance

CAKE.com Inc. is committed to providing secure products and services to safely and easily manage billions of digital identities across the globe. Our external certifications provide independent assurance of CAKE.com Inc.'s dedication to protecting our customers by regularly assessing and validating the protections and effective security practices CAKE.com Inc. has in place.

SOC 2 Type II

CAKE.com Inc. successfully completed the AICPA Service Organization Control (SOC) 2 Type II audit. The audit confirms that CAKE.com Inc.'s information security practices, policies, procedures, and operations meet the SOC 2 standards for security.

An unqualified opinion on a SOC 2 Type II audit report demonstrates to the CAKE.com Inc.'s current and future customers that they manage their data with the highest standard of security and compliance.

Our SOC 2 Type II report is available upon request. Please request the latest report through this form.

Timekeeping

Reporting

Planning

Budgeting

Billing

Payroll

Freelancers

Developers

Agencies

Consultants

Lawyers

Accountants

Startups

Construction

Free

Pro

Enterprise

Compare all plans

Timer

Timesheet

Kiosk

Calendar

Auto tracker

Reports

Rates

Projects

Activity

Location

Scheduling

Time off

Approval

Expenses

Invoicing

DESKTOP

Windows

Mac

Linux

WEB

Chrome

Firefox

Edge

MOBILE

Android

iOS

OUR OTHER PRODUCTS

Plaky

Pumble

Data Safety

Data Center Security

Data Hosting

Infrastructure Security

Application Security

Operational Security

Secure Personnel

Secure Development

Secure Testing

Cloud Security

Compliance

SOC 2 Type II