Effective date: October 2025
WorkTime is a privacy-first, non-invasive employee monitoring software trusted by organizations worldwide.
We take security seriously and are committed to maintaining the confidentiality, integrity, and availability of all customer and company data.
This page outlines the core principles and practices that guide our security program.
1. Purpose and scope
This Security Policy defines how WorkTime protects its systems, applications, and customer information.
It applies to all employees, contractors, and third-party service providers who have access to WorkTime systems or data.
2. Scope
This plan applies to all WorkTime employees, contractors, systems, applications, and third-party services involved in the processing or storage of company or customer data.
It covers all incidents related to information security, data privacy, and service continuity.
3. Objectives
Rapid detection and containment of security incidents.
Accurate assessment of scope and impact.
Timely communication with affected stakeholders and customers.
Full remediation and documentation of root causes.
Prevention of future incidents through continuous improvement.
4. Incident Definition
A security incident is any event that may compromise WorkTime’s information systems or data, including but not limited to:
Unauthorized access or disclosure of data.
Malware or ransomware infection.
Denial-of-service (DoS) attacks.
Loss or theft of equipment containing sensitive data.
Misconfiguration, data corruption, or accidental deletion.
Breach of privacy regulations (GDPR, HIPAA, GLBA).
5. Incident Response Lifecycle
5.1 Identification
Monitor systems, logs, and alerts for unusual or suspicious activity.
Receive reports from employees, customers, or third-party vendors.
Classify the event as a suspected or confirmed incident based on evidence.
5.2 Containment
Isolate affected systems to prevent lateral movement.
Disable compromised accounts or access credentials.
Preserve all relevant logs and forensic data.
5.3 Eradication
Remove malicious code, disable backdoors, and patch vulnerabilities.
Validate that systems are clean and safe to restore.
5.4 Recovery
Restore systems from clean backups.
Monitor restored systems for re-infection or abnormal behavior.
Verify that business functions are back to normal.
5.5 Notification and Communication
Notify executive management immediately after confirmation.
For incidents involving personal or customer data, notify affected customers within legally required timeframes.
If applicable, notify regulatory bodies (e.g., under GDPR or HIPAA breach rules).
All communications are reviewed and approved by the Security Officer and Legal.
5.6 Lessons Learned
Conduct a post-incident review within 7 business days of resolution.
Document root cause, impact, and corrective actions.
Update policies, controls, and training as needed.
7. Severity Classification
Incidents are classified as Critical, High, Medium, or Low based on impact and urgency, with response times ranging from immediate to one business day.
8. Evidence Preservation
All logs, alerts, and system images related to an incident are securely preserved for at least one year.
Access to this evidence is restricted to the Security Officer and authorized investigators.
9. Communication Channels
Internal reports via the secure Slack channel #security-alerts and by email to security@worktime.com.
Customer notifications through official WorkTime communication channels and account contacts.
External communications only through the designated PR or Legal representative.
10. Review and Testing
This plan is reviewed annually and after any major incident.
Table-top and simulation tests are conducted at least once per year to validate readiness.
11. Compliance References
This plan supports compliance with:
SOC 2 Type II (Security, Availability, and Confidentiality)
GDPR Article 33 (Data Breach Notification)
HIPAA 164.308(a)(6) (Security Incident Procedures)
GLBA Safeguards Rule
WorkTime — Privacy-First, Secure, Non-Invasive Employee Monitoring
We safeguard your data as carefully as our own.