Security

All data stored on Everhour is safe, secure, and reliable. As a company that has been operating in the market since 2015, we take the security and reliability of our software very seriously and make it our top priority.


We keep your data safe

Everhour ensures that all accounts use SSL-encrypted connections, which provides the same level of security as online banks. This means that all sensitive information is never sent or received in plain text, ensuring complete privacy and security. In addition to this, Everhour employs industry-standard physical and remote security measures at our datacenter facilities to further enhance the security and reliability of our platform.

Your privacy is our focus

At Everhour, safeguarding the privacy of our customers' data is of utmost importance and is deeply ingrained in our company's core values. We take this responsibility very seriously and strive to ensure that our users' data is always kept secure and confidential. For detailed information on our privacy practices, please refer to our Privacy policy.

How we stay reliable

Everhour maintains an impressive uptime average of 99% and takes robust measures to safeguard user data. The data is protected by hardware RAID, which ensures redundancy over multiple data storage units. Additionally, we deploy critical servers with redundant power supplies and components in at least redundant pairs to ensure continuous availability of our services. Any system-related issues are immediately reported and updated in real-time on the Everhour Status page.

Our data retention policy

We take our role as custodian of your data extremely seriously. Backups occur every day and are replicated to, at least, 2 physical data centers. Upon deletion we delete customer data immediately from our databases. Database backups are retained for 30 days.

Our industry-standard practices

Everhour strictly adheres to industry-leading security practices and implements them into our systems and processes. We ensure that all inter-server and inter-data center communications are encrypted to protect the confidentiality and integrity of our users' data. Access to servers and customer data is meticulously controlled, and we maintain an immutable audit trail for support-related data access, providing an additional layer of security and accountability.

PCI-compliance

Everhour has a PCI-DSS Merchant Certificate, although we don’t store any payment information.

SOC 1,2

We rely on our server host’s audit, and they are SOC 2 compliant. The SOC 2 Audit report can be downloaded from their compliance reports manager site.

Audits, security policies and standards

We have internally built scrypts that monitor and automatically blocks suspicious activity. We also have alerts in place that escalates to our Ops team for manual security investigation. As for the antivirus and anti-malware usage we use AWS WAF with rules to block spam and xss activities.


Security FAQ

Where is my data stored?

Everhour hosts its software and stores data on AWS in two locations: Oregon (USA) and Frankfurt (Germany). The data is replicated across these two regions for redundancy purposes.

Is my data encrypted?

Everhour ensures that all data is encrypted in transit, with all connections using TLS 1.2 for secure communication. Passwords are stored hashed and salted, and backups are encrypted. Attachments and other file assets are stored at rest on Amazon S3.

Do you regularly update your systems?

Our security and operations teams adhere to the latest security standards and ensure that all systems are kept up-to-date. We also investigate any suspicious activity and address any security issues promptly, as security is one of our top priorities.

Do you keep logs, and if so, what is the retention policy?

Everhour maintains a central logging infrastructure and an internal activity log. Application logs that assist with Everhour support cases are retained for 7 days.

Are you PCI compliant?

Yes, Everhour has a PCI-DSS Merchant Certificate, even though we do not store any payment information.

Is customer data accessible to Everhour employees?

Everhour employees have restricted, logged, and monitored access to customers' data solely for troubleshooting purposes.

Do you use intrusion detection/prevention systems?

Everhour does not use commercial IDS/IPS solutions, but we have in-house alert systems in place for both our infrastructure and application logs. These systems are designed to detect suspicious activity and anomalies, and a member of our operations team is always available to address any potential issues.

Do you perform periodic risk assessments?

While we do not conduct specific formal periodic risk assessments, we have internal procedures for sensitive data transmission, retention periods, and data classification, which are periodically evaluated. We will also perform a risk assessment if a significant change to our service is planned.

How is identity and access managed?

Everhour supports sign-in via email/password and SSO. We also offer different access permissions within the account to manage access.

Do you support SSO/SAML?

Yes, we provide single sign-on via Google and a bunch of other tools.

What is your password policy?

To ensure password strength, we require a minimum length of 6 characters and provide a password strength estimator to assist users in choosing strong passwords.

What is your release cycle?

Our software is released frequently, with multiple deploys per week. Security patches for third-party libraries are applied as soon as they become available, and operating systems automatically apply all security patches as they become available.

Last but not least

Security is not just about technology — it’s about trust, and the 10,000+ businesses that use Everhour need to be confident that their data is secure so that they can focus on the work which matters most to their business. We've constantly improved our security during the last 8 years and we aim to maintain that trust to keep getting better.

Questions

If you have any questions or concerns about our security practices, please email us at ask@everhour.com