ISAE 3000

Intempus ISAE 3000 TYPE 2 declaration

The General Data Protection Regulation (GDPR), or in Danish “Databeskyttelsesforordningen”, is the name of the EU’s personal data legislation. GDPR aims to protect EU citizens from misuse of their personal data. Therefore, since May 25, 2018, all European companies must have tightened their processes for how personal data is collected and processed securely. Intempus has the following certifications:’

  • ISEA 3000 declaration
  • ISEA 3000 TYPE 2 declaration

Intempus APS statement

Intempus ApS handles the processing of personal data in connection with the Intempus time registration platform for our customers who are data controllers in accordance with the Regulation of the European Parliament and the Council on the protection of persons in connection with the processing of personal data and on the free exchange of such information (data protection regulation) and law on supplementary provisions to the data protection regulation (data protection act). The accompanying description has been prepared for the use of the data controllers who have used Intempus’ time registration platform and who have a sufficient understanding to assess the description together with other information, including the technical and organizational security measures and other checks that the data controllers themselves have carried out, when assessing whether the requirements of the Data Protection Regulation and the Data Protection Act have been complied with.

Intempus ApS uses sub-data processors. The relevant control measures and associated technical and organizational security measures and other controls of these sub-processors are not included in the accompanying description. Intempus ApS confirms that the accompanying description in section 3 provides a fair description of the Intempus time registration platform and the associated technical and organizational security measures and other controls per 15 November 2021.

Contact us to receive the full ISAE 3000 TYPE 2 declaration

Questions & answers

FAQ om data processing & privacy

How does Intempus back up customer data?

Intempus performs backup of data using two independent backup systems. Each backup system sends backups to two different storage locations for a total of four separate backup locations.

A daily full backup is created using the pg_dump tool. These backups are stored on two different servers for 12 months. Once per week we restore one of these backups to a test system to ensure we always have good backups.

Continuous backups are created using the barman tool. This ensures new data is backed up within a few minutes of being created. These backups are stored on two different servers for 2-3 weeks. Barman monitors that the required backups are present and alerts us if backups are not being performed.

How does Intempus protect user passwords?

Passwords are stored in our database using an iterated salted hash algorithm. This means that even Intempus system administors cannot read your password from the database. The algorithm being used is known as PBKDF2-SHA256.

Intempus performs a calculation of the complexity of passwords entered by users. This is known as an entropy estimate. The calculation makes use of a third party database of passwords previously leaked from other systems. That database is named Have I Been Pwned. Intempus use the offline version of the database in order to protect against potential leaks through the HIBP API.

Each Intempus customer can choose a minimum password strength for their users. Intempus will enforce this policy when a user updates their password. The calculated entropy will not be stored by Intempus after the validation has been performed.

To protect against brute force attacks and credential stuffing Intempus will enforce a global rate limit on invalid login attempts. When the limit is exceeded the client IP address is temporarily blocked by Intempus. If necessary a range of multiple IP addresses will be blocked. The decision to block based on IP addresses was made because this is more accurate than blocking based on usernames.

Does Intempus support single-sign-on?

Intempus has support for Microsoft SSO. A customer using SSO can choose to either require their users to use SSO or to give users a choice between SSO and password logins.

How does Intempus encrypt customer data?

Communication between Intempus and users is encrypted using transport layer security (TLS). Customer data exchanged between different parts of Intempus is encrypted using either TLS or SSH.

The storage server used by our database is encrypted by the hosting provider transparent to Intempus.

Which certifications does Intempus have?

Intempus has a ISAE 3000 type 2 certification.

Cookie settings

We use cookies

We use cookies and similar technologies to give you a personalised shopping experience, personalised advertising and to analyse our web traffic. Click ‘Accept all and close’ if you’d like to allow all cookies. Alternatively, you can choose which types of cookies you’d like to accept or disable by clicking Customize below. In accordance with the requirements of Googles Business Data Responsibility Site, we ensure transparency and your control over your data.
Cookie and Privacy Policy

Cookie preferences

This tool assists you in selecting and disabling various tags, trackers, and analytical tools utilized on this website.

Back

Description of service

Content management system for building websites and blogs.

Processing companies

Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, United States of America

The processing company's data protection officer

Below you can find the e-mail address of the processing company's data protection officer.
privacy@wordpress.com

Purpose of data

This list represents the purposes of data collection and processing.
AuthenticationUser PreferencesCommenting FunctionalityLanguage Settings

Applied technologies

This list represents all technologies this service uses to collect data. Typical technologies are cookies and pixels placed in the browser.
Cookies

Collected data

This list represents all (personal) data collected by or through the use of this service.
Authentication detailsUser preferencesUser comments dataLanguage settings

Legal basis

In the following, the required legal basis for processing data is stated.
Consent under GDPR

Retention period

The retention period is the time during which the collected data is stored for processing purposes. The data must be deleted as soon as it is no longer necessary for the stated processing purposes.
* Session to 1 year

Overview of Information Storage Techniques

The service outlined here incorporates various methods for storing information on a user's device. The following section provides a detailed account of these techniques, emphasizing their role in enhancing user experience and adhering to established data protection protocols.

wordpress_[hash] Stores authentication details. Limited to the Administration Screen area.
Type First-party
Duration Session
wordpress_logged_in_[hash] Indicates when you're logged in, and who you are.
Type First-party
Duration Session
wp-settings-{time}-[UID] Used to customize your view of the admin interface and possibly the main site interface.
Type First-party
Duration 1 year
comment_author_{HASH} Stores commenter's name to avoid retyping it.
Type First-party
Duration 1 year
comment_author_email_{HASH} Stores commenter's email address to avoid retyping it.
Type First-party
Duration 1 year
comment_author_url_{HASH} Stores commenter's URL to avoid retyping it.
Type First-party
Duration 1 year
wordpress_test_cookie Tests if cookies can be set.
Type First-party
Duration Session
wp_lang Stores the language key of the selected language.
Type First-party
Duration Session
History
Decision Date
Not set yet

Description of service

This service enables users to measure traffic and engagement across their websites and mobile apps using customized reports.

Processing companies

Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States

The processing company's data protection officer

Below you can find the e-mail address of the processing company's data protection officer.
[Your contact email]

Purpose of data

This list represents the purposes of data collection and processing.
Website AnalyticsUser TrackingData Analysis

Applied technologies

This list represents all technologies this service uses to collect data. Typical technologies are cookies and pixels placed in the browser.
Tracking codeCookies

Collected data

This list represents all (personal) data collected by or through the use of this service.
Device informationGeographic locationBrowser informationDevice operating systemScreen resolutionReferrer URLUser interaction dataDate and time of visitUser behaviorPages visitedOnline identifiersTruncated IP addressUser IDAd identifier

Legal basis

In the following, the required legal basis for processing data is stated.
Article 6(1)(a) of the General Data Protection Regulation (GDPR)

Place of treatment

This is the primary place where the collected data is processed. If the data is also processed in other countries, you will be informed separately.
* The European Union

Transfer to third countries

This service may forward the collected data to another country. Note that this service may transfer data to a country without the required data protection standards. Below you can find a list of the countries to which the data is transferred. You can get more information about security measures in the provider's privacy policy or by contacting the provider directly.
USASingaporeChileTaiwan

Retention period

The retention period is the time during which the collected data is stored for processing purposes. The data must be deleted as soon as it is no longer necessary for the stated processing purposes.
* The retention period depends on the type of data stored. Customers can choose how long Google Analytics retains data before it is automatically deleted. The maximum retention period is 14 months.

Click here to read the data processor's cookie policy

https://policies.google.com/technologies/cookies?hl=en

Overview of Information Storage Techniques

The service outlined here incorporates various methods for storing information on a user's device. The following section provides a detailed account of these techniques, emphasizing their role in enhancing user experience and adhering to established data protection protocols.

_ga Used to distinguish users.
Type cookie
Duration 2 years
_ga_ Used to persist session state.
Type cookie
Duration 2 years
History
Decision Date
Not set yet

Description of service

This is a web analytics service. It enables users to measure the return on investment (ROI) from advertising and to track user behavior across flash, video, websites, and applications.

Processing companies

Google Ireland Limited Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Irland

The processing company's data protection officer

Below you can find the e-mail address of the processing company's data protection officer.
https://support.google.com/policies/contact/general_privacy_form

Purpose of data

This list represents the purposes of data collection and processing.
Website AnalyticsUser TrackingData Analysis

Applied technologies

This list represents all technologies this service uses to collect data. Typical technologies are cookies and pixels placed in the browser.
Cookies, Pixel, Javascript

Collected data

This list represents all (personal) data collected by or through the use of this service.
Click pathDate and time of visitDevice informationLocation informationIP addressPages visitedReferrer URLBrowser informationHost nameBrowser languageBrowser typeScreen resolutionDevice operating systemUser interaction dataUser behaviorVisited URLCookie ID

Legal basis

In the following, the required legal basis for processing data is stated.
Consent under GDPR

Place of treatment

This is the primary place where the collected data is processed. If the data is also processed in other countries, you will be informed separately.
* The European Union

Transfer to third countries

This service may forward the collected data to another country. Note that this service may transfer data to a country without the required data protection standards. Below you can find a list of the countries to which the data is transferred. You can get more information about security measures in the provider's privacy policy or by contacting the provider directly.
USASingaporeChileTaiwan

Retention period

The retention period is the time during which the collected data is stored for processing purposes. The data must be deleted as soon as it is no longer necessary for the stated processing purposes.
* The retention period depends on the type of stored data. Each user can choose how long Google Analytics retains data before it is automatically deleted.

Click here to read the data processor's cookie policy

https://policies.google.com/technologies/cookies?hl=en

Overview of Information Storage Techniques

The service outlined here incorporates various methods for storing information on a user's device. The following section provides a detailed account of these techniques, emphasizing their role in enhancing user experience and adhering to established data protection protocols.

_utmb This cookie is used to track the visit time.
Type cookie
Duration Session
_ga This cookie is used to distinguish users.
Type cookie
Duration 2 years
_gid This cookie is used to identify the user.
Type cookie
Duration 1 day
__utma This cookie is used to record the time and date of the first visit, the total number of visits, and the start time of the current visit.
Type cookie
Duration Session
__utmz This cookie is used to record where the visitor came from.
Type cookie
Duration Session
IDE Used to display personalized ads.
Type cookie
Duration 1 year, 1 month
CONSENT Used to store the user's consent choices.
Type cookie
Duration 2 years
__utmt Used to throttle request rate.
Type cookie
Duration 10 minutes
_gat Used to read and filter requests from bots.
Type cookie
Duration 1 minute
__utmc Used to store the time of the visit.
Type cookie
Duration 30 minutes
FPID Used to store a value that is used to set the client ID in the request to Google's servers.
Type cookie
Duration 2 years
FPLC Used to register a unique ID that is used to generate statistical data on how the visitor uses the website.
Type cookie
Duration 20 hours
History
Decision Date
Not set yet
History
Decision Date
Not set yet