Security policy - WorkTime

Effective date: October 2025

WorkTime is a privacy-first, non-invasive employee monitoring software trusted by organizations worldwide. We take security seriously and are committed to maintaining the confidentiality, integrity, and availability of all customer and company data. This page outlines the core principles and practices that guide our security program.


1. Purpose

This Security Policy defines how WorkTime protects its systems, applications, and customer information. It applies to all employees, contractors, and third-party service providers who have access to WorkTime systems or data.

2. Scope

This plan applies to all WorkTime employees, contractors, systems, applications, and third-party services involved in the processing or storage of company or customer data. It covers all incidents related to information security, data privacy, and service continuity.

3. Objectives

- Rapid detection and containment of security incidents.
- Accurate assessment of scope and impact.
- Timely communication with affected stakeholders and customers.
- Full remediation and documentation of root causes.
- Prevention of future incidents through continuous improvement.

4. Incident Definition

A security incident is any event that may compromise WorkTime’s information systems or data, including but not limited to:

- Unauthorized access to, or disclosure of, data.
- Malware or ransomware infection.
- Denial-of-service (DoS) attacks.
- Loss or theft of equipment containing sensitive data.
- Misconfiguration, data corruption, or accidental deletion.
- Breach of privacy regulations (GDPR, HIPAA, GLBA).

5. Incident Response Lifecycle

5.1 Identification

Monitor systems, logs, and alerts for unusual or suspicious activity. Receive reports from employees, customers, or third-party vendors. Classify the event as a suspected or confirmed incident based on the available evidence.

5.2 Containment

Isolate affected systems to prevent lateral movement. Disable compromised accounts and revoke compromised access credentials. Preserve all relevant logs and forensic data before making further changes to the affected systems.

5.3 Eradication

Remove malicious code, disable backdoors, and patch the vulnerabilities that were exploited. Validate that systems are clean and safe to restore.

5.4 Recovery

Restore systems from clean backups. Monitor restored systems for re-infection or abnormal behavior. Verify that business functions are back to normal.

5.5 Notification and Communication

Notify executive management immediately after an incident is confirmed. For incidents involving personal or customer data, notify affected customers within the legally required timeframes. If applicable, notify regulatory bodies (e.g., under GDPR Article 33, the supervisory authority must be notified within 72 hours of becoming aware of a personal data breach, where feasible; the HIPAA Breach Notification Rule sets its own deadlines). All communications are reviewed and approved by the Security Officer and Legal.

5.6 Lessons Learned

Conduct a post-incident review within 7 business days of resolution. Document root cause, impact, and corrective actions. Update policies, controls, and training as needed.

7. Severity Classification

Incidents are classified as Critical, High, Medium, or Low based on impact and urgency, with initial response times ranging from immediate (Critical) to one business day (Low).

8. Evidence Preservation

All logs, alerts, and system images related to an incident are securely preserved for at least one year. Access to this evidence is restricted to the Security Officer and authorized investigators.

9. Communication Channels

- Internal reports: via the secure Slack channel #security-alerts and email to security@worktime.com.
- Customer notifications: through official WorkTime communication channels and registered account contacts.
- External communications: only through the designated PR or Legal representative.

10. Review and Testing

This plan is reviewed annually and after any major incident. Tabletop exercises and simulation tests are conducted at least once per year to validate readiness.

11. Compliance References

This plan supports compliance with:

- SOC 2 Type II (Security, Availability, and Confidentiality)
- GDPR Article 33 (Notification of a personal data breach to the supervisory authority)
- HIPAA 45 CFR 164.308(a)(6) (Security Incident Procedures)
- GLBA Safeguards Rule

WorkTime — Privacy-First, Secure, Non-Invasive Employee Monitoring

We safeguard your data as carefully as our own.