This website uses cookies to ensure you get the best experience. More details here: Cookie Policy
Security Page

Security

Security and compliance are top priorities for Timbo because they are fundamental to your experience with the product. Timbo is committed to securing your application’s data, eliminating systems vulnerability, and ensuring continuity of access.

Timbo uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss.

If you would like to report a vulnerability or have any security concerns with a Timbo product, please contact hello@timboretro.com.

PCI DSS

Timbo’s payment and card information is handled by Paddle, which is PCI DSS SAQ A Compliant. This means that Paddle does not directly store card information and is PCI Compliant for web transactions only. As a result, Timbo uses Paddle for software sales and cannot store, process and transmit cardholder data either physically or virtually.

GDPR compliance cyber security

General Data Protection Regulation (GDPR) is a European regulation to strengthen and unify the data protection of EU citizens. As of the 25th of May 2018, all companies worldwide that store and process data about EU citizens will be required to comply with GDPR.

Timbo is taking particular steps across the entire company to ensure that Timbo is GDPR compliant. We are collecting minimal personal identification information (PII) only for the purposes declared by Timbo. We reviewed our Terms of Use and Privacy Policy to comply with GDPR. We are also working on interfaces that will allow you to address your rights for accessing any personal data that might be stored in your Timbo account.

Infrastructure and Network Security

Physical Access Control

Timbo uses Amazon with Ireland data Center as a hosting provider. Amazon has certification for compliance with ISO/IEC 27001:2013, 27017:2015, and 27018:2014. These certifications are performed by independent third-party auditors. Amazon’s compliance with these internationally-recognized standards and code of practice is evidence of its commitment to information security.

Logical Access Control

Timbo is the assigned administrator of its infrastructure on Amazon, and only designated authorized Timbo operations team members have access to configure the infrastructure. Specific private keys are required for individual servers, and keys are stored in secure and encrypted locations.

Penetration Testing

Timbo’s development team has rich experience in penetration testing and conducts internal security analysis before each serious release.

Timbo undergoes black box penetration testing, conducted by an independent, third-party agency, on an annual basis. For black box testing, Timbo provides the agency with an isolated clone of a test client Timbo instance and a high-level diagram of application architecture.

Business Continuity and Disaster Recovery

High Availability

Timbo is configured in a high-availability model and uses properly-provisioned, redundant servers (e.g., multiple containers, replica databases) in the case of failure. As part of regular maintenance, servers are taken out of operation without impacting availability.

Business Continuity

Timbo keeps regular hourly encrypted backups of data outside of the servers (dedicated file storage). While never expected, in the case of production data loss (i.e., primary data stores lost), Timbo will be able to restore data from these backups.

Disaster Recovery

In the event of a region-wide outage, Timbo has a plan to quickly bring up a duplicate environment on another hosting provider within the EU. The Timbo operations team has extensive experience performing secured migrations.

Data Security and Privacy

Data Encryption

All data in Timbo servers is automatically encrypted at rest. RSA 2048 is used for backup encryptions. All private keys are kept separately from the live environment.

So, if an intruder were ever able to access any of the physical storage devices, the Timbo data contained therein would still be impossible to decrypt without the keys, rendering the information a useless jumble of random characters.

Timbo uses only world-standard encryption algorithms:

  • AES 256 for symmetric encryption;

  • RSA 2048 for assymetric encryption;

  • SHA512+RSA2048 for digital signing of Timbo assets.

Data in Motion

All communications are restricted using only encrypted channels. Only TLS 1.0, 2.0, 3.0 and higher are allowed. The current level of SSL Configuration is A+.

Corporate Security

Malware Protection

Timbo believes that good security practices start with our own team, so Timbo goes out of its own way to protect against internal threats and local vulnerabilities. All company-provided workstations run antiviruses, strongly configured firewalls and other security features.

Risk Management

Timbo follows the risk management procedures outlined in NIST SP 800-30, which include nine steps for risk assessment and seven steps for risk mitigation.

All Timbo product changes must go through code review, CI, and build pipeline to reach production servers. Only designated employees on Timbo’s operations team have secure shell (SSH) access to production servers.

Timbo performs testing and risk management on all systems and applications on a regular and ongoing basis. New methods are developed, reviewed, and deployed to production via pull request and internal review. New risk management practices are documented and shared via staff presentations on lessons learned and best practices.

Contingency Planning

The Timbo operations team includes service continuity and threat remediation among its top priorities. Timbo keeps a contingency plan in case of unforeseen events, including risk management, disaster recovery, and customer communication sub-plans that are tested and updated on an ongoing basis and thoroughly reviewed for gaps and changes at least annually.

Disclosure Policy

Timbo follows the incident handling and response process recommended by SANS, which includes identifying, containing, eradicating, recovering from, communicating, and documenting security events. Timbo notifies customers of any data breaches as soon as possible via email, followed by multiple periodic updates throughout each day addressing progress and impact.

Security Development Lifecycle

Security Development Lifecycle (SDLC) is a software development process that helps developers build more secure software and address security compliance requirements. Combining a holistic and practical approach, the SDLC introduces security and privacy early and throughout all phases of the development process.

The security of the development process is based on a proprietary version of the security development lifecycle process, based on the world's best practices.