Security

Security you can trust

We design TimeIn.one with secure defaults and enforce access controls on every request. Your data is protected by industry-standard practices.

HTTPS Encrypted
GDPR Ready
SOC 2 Type II
No Data Selling

Our Practices

How we protect your data

Security is built into every layer of TimeIn.one.

Authentication

Industry-standard authentication with multiple options.

  • Secure password hashing with scrypt (16-byte salt, 64-byte key)
  • Google OAuth with PKCE flow
  • Timing-safe credential comparisons
  • Session tokens with HMAC-SHA256 signing
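
The sketch below is an added example, not TimeIn.one's own code, showing how the listed pieces fit together in Node.js: scrypt with a 16-byte salt and 64-byte key, timing-safe comparison, and an HMAC-SHA256 signed session token with the 7-day TTL stated on this page. The function names, the "salt:key" storage format, the token layout and the secret handling are assumptions made for illustration.

```javascript
// Added example. Parameters (16-byte salt, 64-byte key, HMAC-SHA256, 7-day TTL)
// come from the page; names, storage format and token layout are assumptions.
const { scryptSync, randomBytes, timingSafeEqual, createHmac } = require('node:crypto');

const SALT_LEN = 16, KEY_LEN = 64;
const SESSION_TTL_MS = 7 * 24 * 60 * 60 * 1000;

// Derive a 64-byte key with a fresh random salt; store both as "salt:key" hex.
function hashPassword(password) {
  const salt = randomBytes(SALT_LEN);
  const key = scryptSync(password, salt, KEY_LEN);
  return `${salt.toString('hex')}:${key.toString('hex')}`;
}

// Re-derive with the stored salt and compare in constant time.
function verifyPassword(password, stored) {
  const [saltHex, keyHex] = String(stored).split(':');
  if (!saltHex || !keyHex) return false;
  const expected = Buffer.from(keyHex, 'hex');
  if (expected.length !== KEY_LEN) return false; // malformed record
  const actual = scryptSync(password, Buffer.from(saltHex, 'hex'), KEY_LEN);
  return timingSafeEqual(actual, expected);
}

function sign(payload, secret) {
  return createHmac('sha256', secret).update(payload).digest('base64url');
}

// Token layout (assumed): base64url(JSON payload) + "." + base64url(HMAC).
function issueSession(userId, secret, now = Date.now()) {
  const claims = JSON.stringify({ sub: userId, exp: now + SESSION_TTL_MS });
  const payload = Buffer.from(claims).toString('base64url');
  return `${payload}.${sign(payload, secret)}`;
}

// Returns the user ID, or null if the token is malformed, forged or expired.
function verifySession(token, secret, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const given = Buffer.from(mac, 'base64url');
  const expected = Buffer.from(sign(payload, secret), 'base64url');
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  // The payload is parsed only after its signature has been verified.
  const { sub, exp } = JSON.parse(Buffer.from(payload, 'base64url').toString());
  return typeof exp === 'number' && now < exp ? sub : null;
}
```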

Data Access Controls

Strict authorization on every request.

  • All data scoped by authenticated user ID
  • Server-side validation on every API call
  • View-only mode enforced server-side
  • Role-based access for team features

Encryption

Your data is encrypted at rest and in transit.

  • HTTPS/TLS for all data in transit
  • Database encryption at rest
  • Sensitive tokens encrypted locally
  • Secure key management practices

Session Security

Secure session management that protects your account.

  • HTTP-only cookies keep session tokens out of reach of page scripts, limiting the impact of XSS attacks
  • 7-day session TTL with automatic refresh
  • Secure and SameSite cookie attributes
  • Session invalidation on password change

Infrastructure

Modern, secure cloud infrastructure.

  • Hosted on Vercel with global CDN
  • PostgreSQL database with daily backups
  • Automatic security patches and updates
  • DDoS protection and rate limiting

Compliance

Built with privacy regulations in mind.

  • GDPR-compliant data handling
  • Data export and deletion on request
  • No data selling to third parties
  • Transparent data processing practices

Data Handling

Your data, your control

Transparency about what we collect and how we handle it.

What we collect

  • Account information (name, email)
  • Time tracking data (worklogs, projects)
  • Usage analytics (anonymized)
  • Integration tokens (encrypted)

Retention policy

  • Active accounts: data retained indefinitely
  • Deleted accounts: data removed within 30 days
  • Backups: retained for 90 days
  • Logs: retained for security analysis

Your rights

  • Access your data anytime
  • Export data in CSV/PDF formats
  • Request data deletion
  • Opt out of non-essential tracking

Found a security issue?

We take security seriously. If you discover a vulnerability, please report it responsibly and we'll work with you to resolve it quickly.

Report to security@timein.one

We aim to acknowledge reports within 24 hours and provide a resolution timeline within 72 hours.