Data security

Timefold is committed to your data privacy and security. This guide explains how we keep the data stored and processed in the Timefold Cloud Platform safe.

Access monitoring

Timefold ensures the network, infrastructure, and data access for Timefold Cloud Platform are secured and monitored. This includes continuous system monitoring for issues that might signal security concerns, strict access control measures based on the principle of least privilege, and robust log management where activities are logged and periodically reviewed.

Data backups

Critical tenant data is automatically backed up using MongoDB Atlas, with the following safeguards:

  • Backups are encrypted at rest.

  • Backup processes are automatically monitored for completion and exceptions, and anomalies are reported to the security team.

Data separation

The Timefold Cloud Platform is a multi-tenant environment. Data from different tenants is separated at the database level and application level, ensuring that information from one tenant is unavailable to other tenants.

Encryption-at-rest

Data is stored in encrypted format using AES-256 encryption, ensuring that sensitive information remains secure and protected from unauthorized access while at rest.

Encryption-in-transit

All data transmitted to and from the Timefold Cloud Platform is encrypted.

  • Protocols: HTTPS, SSL/TLS, and SSH are used to secure data in transit.

  • TLS details: Certificates use SHA-256 with ECDSA and EC 256-bit keys.

  • Certificate management: TLS certificates are issued and rotated automatically using Google Certificate Authority Service and Let’s Encrypt, managed with Kubernetes tools like cert-manager.

Physical security

Facilities hosting the Timefold Cloud Platform and hardware are managed mainly by GCP, which utilizes certified data centers. Physical access to these data centers is strictly controlled and monitored, with no Timefold employees granted physical access.

Network security

  • DDoS protection: All external traffic to Timefold is routed through Cloudflare, providing protection against denial-of-service (DDoS) attacks.

  • Firewalls:

    • All outbound and inbound traffic passes through firewall layers.

    • Public-facing services are protected by Google Cloud Firewalls and Cloudflare Web Application Firewall (WAF), defending against Layer 3–7 attacks, including SQL injection and buffer overflows.

    • Backend services are isolated in private subnets with no direct internet access.

  • Firewall management:

    • Firewall configurations are managed as code using Terraform.

    • Changes are made through peer-reviewed pull requests and are fully logged for auditability, ensuring traceability and consistency across environments.

  • Infrastructure architecture:

    • Public-facing APIs and SaaS frontends are hosted on Google Kubernetes Engine (GKE), behind Google Cloud Load Balancers.

    • Access to services is tightly controlled via firewall rules, identity-aware proxies, and ingress gateways.

    • Only essential endpoints are exposed publicly.

Vulnerability management

Timefold maintains a comprehensive vulnerability management program.

  • Tooling:

    • Aikido is used for vulnerability scanning and authenticated Dynamic Application Security Testing (DAST) on production systems.

    • GitHub is used for static code analysis and dependency scanning across repositories.

    • Vanta agent is installed on employee laptops to monitor device security posture, ensuring compliance with company policies and security standards.

  • Frequency: Vulnerability scans are automated and performed daily.