Security & Compliance

Last updated: January 19, 2025

Our Commitment to Security

At Hines Time, security is our top priority. We implement industry-leading security practices to protect your data, ensure privacy, and maintain the highest standards of compliance. Your trust is earned through transparency and robust security measures.

Data Encryption
  • Encryption in Transit:

    All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS) with 256-bit encryption.

  • Encryption at Rest:

    All data stored in our databases is encrypted using AES-256 encryption.

  • Password Security:

    Passwords are hashed using bcrypt with a per-password salt, so the original password cannot be recovered from the stored hash.

Infrastructure Security
  • Cloud Infrastructure:

    Hosted on enterprise-grade cloud infrastructure with 99.9% uptime SLA.

  • Regular Backups:

    Automated daily backups with 30-day retention and point-in-time recovery.

  • DDoS Protection:

    Advanced DDoS mitigation and rate limiting to prevent abuse.

Access Control
  • Role-Based Access:

    Granular permissions for Admin, Supervisor, and User roles.

  • Two-Factor Authentication:

    Optional 2FA via Microsoft Authenticator with backup codes for account recovery.

  • Biometric Authentication:

    Secure passwordless sign-in with Face ID, Touch ID, or fingerprint using the WebAuthn standard.

  • Session Management:

    Secure JWT tokens with automatic expiration and refresh mechanisms.

Monitoring & Auditing
  • Comprehensive Audit Logs:

    All actions are logged with timestamp, user, and details for compliance tracking.

  • Real-Time Monitoring:

    24/7 system monitoring with automated alerts for security incidents.

  • Time Entry Edits:

    Full audit trail of who edited time entries, when, and why.

Biometric Authentication (WebAuthn)

Hines Time supports passwordless biometric authentication using the WebAuthn standard. This allows you to sign in securely using your device's built-in biometric sensors without typing a password.

Supported Devices & Methods:

  • iPhone & iPad: Face ID or Touch ID
  • Android Devices: Fingerprint or Face Unlock
  • Mac Computers: Touch ID
  • Windows Devices: Windows Hello (Face, Fingerprint, PIN)

Security Benefits:

  • Phishing Resistant: Cannot be stolen or phished like passwords
  • No Password to Remember: Your face or fingerprint is your key
  • Device-Specific: Credentials are stored securely on your device only
  • Industry Standard: Uses W3C WebAuthn standard supported by major browsers

How to Enable:

  1. Go to Settings page
  2. Find the Biometric Authentication section
  3. Click Add Device
  4. Follow the prompts to enroll your biometric
  5. Use the "Sign in with Face ID / Touch ID" button on the login page

Compliance & Certifications

GDPR Compliance

We are fully compliant with the General Data Protection Regulation (GDPR) for European customers:

  • Right to access your data
  • Right to data portability
  • Right to be forgotten
  • Data processing agreements available

Industry Standards

We adhere to internationally recognized security standards:

  • OWASP Top 10 security practices
  • SOC 2 Type II compliant infrastructure
  • PCI DSS compliant payments (via Stripe)
  • ISO 27001 aligned practices

Data Protection Measures

Multi-Tenant Data Isolation

Each company's data is completely isolated in the database. Company A cannot access Company B's data under any circumstances. All queries are filtered by company_id to ensure strict data segregation.
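The following is an added example, not Hines Time's own code, showing the pattern the paragraph above describes: every query is issued through a repository layer that binds `company_id` from the authenticated session as a parameter, so a lookup or edit aimed at another company's row returns nothing and changes nothing. The table and column names, the two sample companies and the rows are constructed for the example; it runs against an in-memory SQLite database.

```python
"""Tenant-scoped query layer (added example, not Hines Time's code)."""
import sqlite3
from dataclasses import dataclass

# Constructed schema and rows for two hypothetical companies (100 and 200).
SCHEMA = """
CREATE TABLE time_entries (
    id         INTEGER PRIMARY KEY,
    company_id INTEGER NOT NULL,
    user_id    INTEGER NOT NULL,
    hours      REAL    NOT NULL
);
CREATE INDEX idx_entries_company ON time_entries (company_id);
"""
SAMPLE_ROWS = [
    (1, 100, 1, 8.0),   # Company A
    (2, 100, 2, 7.5),
    (3, 200, 3, 9.0),   # Company B
]


@dataclass(frozen=True)
class Session:
    """Authenticated context; company_id is taken from the verified session only."""
    user_id: int
    company_id: int
    role: str


class TenantScopedRepo:
    """Every read and write goes through methods that add the company predicate."""

    def __init__(self, conn: sqlite3.Connection, session: Session):
        self._conn = conn
        self._session = session

    def list_entries(self) -> list:
        # company_id is bound as a parameter from the session, never from request input.
        cur = self._conn.execute(
            "SELECT id, user_id, hours FROM time_entries WHERE company_id = ? ORDER BY id",
            (self._session.company_id,),
        )
        return cur.fetchall()

    def get_entry(self, entry_id: int):
        # Even a lookup by primary key keeps the tenant predicate, so a guessed
        # or enumerated id belonging to another company returns nothing.
        cur = self._conn.execute(
            "SELECT id, user_id, hours FROM time_entries WHERE id = ? AND company_id = ?",
            (entry_id, self._session.company_id),
        )
        return cur.fetchone()

    def update_hours(self, entry_id: int, hours: float) -> int:
        # Writes carry the same predicate; rowcount tells the caller whether
        # anything was touched, so a cross-tenant edit is a no-op.
        cur = self._conn.execute(
            "UPDATE time_entries SET hours = ? WHERE id = ? AND company_id = ?",
            (hours, entry_id, self._session.company_id),
        )
        self._conn.commit()
        return cur.rowcount


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO time_entries VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def demo() -> dict:
    """Company B's admin tries to read and edit Company A's entry 1."""
    conn = make_db()
    company_a = TenantScopedRepo(conn, Session(user_id=1, company_id=100, role="Admin"))
    company_b = TenantScopedRepo(conn, Session(user_id=3, company_id=200, role="Admin"))
    return {
        "a_rows": company_a.list_entries(),
        "b_sees_a_entry": company_b.get_entry(1),          # None: filtered out
        "b_edit_a_entry": company_b.update_hours(1, 0.0),  # 0 rows affected
        "a_entry_after": company_a.get_entry(1),           # unchanged
    }


if __name__ == "__main__":
    print(demo())
```

The point of routing all access through one repository class is that the tenant filter cannot be forgotten on an individual endpoint; a database-side row-level security policy keyed on the same session value is a common second layer for the same guarantee.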

GPS Location Data

Location data is collected only with user consent and browser permission. It is used solely for job site verification and payroll accuracy. Location data is only accessible to company administrators and supervisors for legitimate business purposes.

Photo & Document Storage

Job photos and toolbox PDFs are stored securely on our servers with access restricted to authorized users within the company. Files are scanned for malware and validated for type/size before storage.

Payment Information

We never store your credit card information. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We only store a secure token for subscription management.

Security Practices

Application Security

  • Input validation on all forms
  • SQL injection prevention
  • XSS attack protection
  • CSRF token validation
  • Secure session management
  • Rate limiting on API endpoints

Network Security

  • Firewall protection
  • Intrusion detection systems
  • DDoS mitigation
  • Network segmentation
  • VPN access for admin operations
  • Regular security patches

Operational Security

  • Employee background checks
  • Security awareness training
  • Principle of least privilege
  • Regular security audits
  • Incident response plan
  • Disaster recovery procedures

Incident Response

In the unlikely event of a security incident, we have a comprehensive response plan:

  1. Immediate Detection: Automated monitoring systems detect and alert our team 24/7
  2. Rapid Response: Security team responds within 15 minutes to contain and investigate
  3. Customer Notification: Affected customers notified within 72 hours as required by GDPR
  4. Resolution & Prevention: Root cause analysis and implementation of preventive measures
  5. Transparency: Post-incident report shared with affected parties

Responsible Disclosure

We welcome security researchers and users to report potential vulnerabilities responsibly.

Report a Security Issue:

If you discover a security vulnerability, please email us at:

security@hinestime.com

Please include: Description of the vulnerability, steps to reproduce, potential impact, and your contact information. We commit to responding within 48 hours.

Third-Party Service Security

We carefully select third-party services that meet our security standards:

  • Stripe (Payment Processing): PCI DSS Level 1 certified, SOC 2 Type II compliant, handles billions in transactions annually
  • AWS (Email & SMS): AWS SES and SNS for notifications, ISO 27001 certified, GDPR compliant
  • OpenStreetMap (Geocoding): Open-source mapping, privacy-focused, no tracking cookies, GDPR compliant

Security Best Practices for Users

Help us keep your account secure:

  • Use a strong, unique password (minimum 8 characters)
  • Enable Two-Factor Authentication
  • Never share your login credentials
  • Log out on shared devices
  • Keep your authenticator app secure
  • Report suspicious activity immediately

Have Security Questions?

Our security team is here to help. Contact us for security inquiries, vulnerability reports, or to request our security whitepaper.

Security Team: security@hinestime.com

General Support: support@hinestime.com

Expected response time: Within 48 hours for security issues, 24 hours for critical vulnerabilities