Encryption at rest: All data encrypted with AES-256. Database backups are encrypted with separate keys.
Encryption in transit: All connections over TLS 1.2+. HSTS enforced on all endpoints.
Tenant isolation: Each workspace runs in a dedicated schema. No shared tables between customers.
Audit logs: Every admin action is logged with timestamp, actor, and IP address. Logs retained for 12 months.
Infrastructure
TimeLeaf's managed cloud runs on Microsoft Azure in the West Europe region (Netherlands). All customer data stays within the EU. Backups are stored in a geographically separate Azure region for disaster recovery.
Access controls
- Role-based access control (Admin, Manager, Employee)
- SSO via Microsoft 365 or Google Workspace. No passwords stored for SSO users.
- Session tokens expire after 8 hours of inactivity
- Support staff can only access a workspace with explicit admin consent, and all access is logged
Vulnerability disclosure
If you discover a security vulnerability, please email [email protected]. We aim to respond within 24 hours and resolve critical issues within 72 hours.
We do not pursue legal action against researchers who follow responsible disclosure practices.