ISAE 3000 & Security issues

Intempus ISAE 3000 TYPE 2 declaration

General Data Protection Regulation (GDPR), or in Danish “General Data Protection Regulation”, is the name of the EU data protection legislation. The GDPR aims to protect EU citizens from misuse of their personal data. Therefore, since 25 May 2018, all European companies must have strengthened their processes for how personal data is collected and processed securely. Intempus has the following certifications:

  • ISEA 3000 declaration
  • ISEA 3000 TYPE 2 declaration

Intempus APS opinion

Intempus ApS handles the processing of personal data in connection with the Intempus time registration platform for our customers who are data controllers under the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) and the Act on supplementary provisions to the General Data Protection Regulation (Data Protection Act). The accompanying description has been prepared for the use of controllers who have used the Intempus time registration platform and who have sufficient understanding to assess the description together with other information, including the technical and organisational security measures and other controls that the controllers themselves have implemented, when assessing compliance with the requirements of the GDPR and the Data Protection Act.

Intempus ApS uses sub-processors. The relevant control objectives and associated technical and organisational security measures and other controls of these sub-processors are not included in the accompanying description. Intempus ApS confirms that the accompanying description in section 3 provides a true and fair description of the Intempus time recording platform and the associated technical and organisational security measures and other controls as of 15 November 2021.

See ISAE 3000 TYPE 2 declaration here

Questions and answers

FAQ about data processing and data protection

How does Intempus back up customer data?

Intempus performs backup of data using two independent backup systems. Each backup system sends backups to two different storage locations for a total of four separate backup locations.

A daily full backup is created using the pg_dump tool. These backups are stored on two different servers for 12 months. Once per week we restore one of these backups to a test system to ensure we always have good backups.

Continuous backups are created using the barman tool. This ensures new data is backed up within a few minutes of being created. These backups are stored on two different servers for 2-3 weeks. Barman monitors that the required backups are present and alerts us if backups are not being performed.

How does Intempus protect user passwords?

Passwords are stored in our database using an iterated salted hash algorithm. This means that even Intempus system administrators cannot read your password from the database. The algorithm being used is known as PBKDF2-SHA256.

Intempus performs a calculation of the complexity of passwords entered by users. This is known as an entropy estimate. The calculation makes use of a third party database of passwords previously leaked from other systems. That database is named Have I Been Pwned. Intempus use the offline version of the database in order to protect against potential leaks through the HIBP API.

Each Intempus customer can choose a minimum password strength for their users. Intempus will enforce this policy when a user updates their password. The calculated entropy will not be stored by Intempus after the validation has been performed.

To protect against brute force attacks and credential stuffing Intempus will enforce a global rate limit on invalid login attempts. When the limit is exceeded the client IP address is temporarily blocked by Intempus. If necessary a range of multiple IP addresses will be blocked. The decision to block based on IP addresses was made because this is more accurate than blocking based on usernames.

Does Intempus support single-sign-on?

Intempus has support for Microsoft SSO. A customer using SSO can choose to either require their users to use SSO or to give users a choice between SSO and password logins.

How does Intempus encrypt customer data?

Communication between Intempus and users is encrypted using transport layer security (TLS). Customer data exchanged between different parts of Intempus is encrypted using either TLS or SSH.

The storage server used by our database is encrypted by the hosting provider transparent to Intempus.

What certifications does Intempus have?

We use cookies

We use cookies and similar technologies to give you a personalised shopping experience, personalised advertising and to analyse our web traffic. Click ‘Accept all and close’ if you’d like to allow all cookies. Alternatively, you can choose which types of cookies you’d like to accept or disable by clicking Customize below. In accordance with the requirements of Googles Business Data Responsibility Site, we ensure transparency and your control over your data.
Cookie and Privacy Policy

Cookie preferences

This tool assists you in selecting and disabling various tags, trackers, and analytical tools utilized on this website.

Back

Description of service

Content management system for building websites and blogs.

Processing companies

Automattic Inc, 60 29th Street #343, San Francisco, CA 94110, United States of America

The processing company's data protection officer

Below you can find the e-mail address of the processing company's data protection officer.
privacy@wordpress.com

Purpose of data

This list represents the purposes of data collection and processing.
AuthenticationUser PreferencesCommenting FunctionalityLanguage Settings

Applied technologies

This list represents all technologies this service uses to collect data. Typical technologies are cookies and pixels placed in the browser.
Cookies

Collected data

This list represents all (personal) data collected by or through the use of this service.
Authentication detailsUser preferencesUser comments dataLanguage settings

Legal basis

In the following, the required legal basis for processing data is stated.
Consent under GDPR

Retention period

The retention period is the time during which the collected data is stored for processing purposes. The data must be deleted as soon as it is no longer necessary for the stated processing purposes.
* Session to 1 year

Overview of Information Storage Techniques

The service outlined here incorporates various methods for storing information on a user's device. The following section provides a detailed account of these techniques, emphasizing their role in enhancing user experience and adhering to established data protection protocols.

wordpress_[hash] Stores authentication details. Limited to the Administration Screen area.
Type First-party
Duration Session
wordpress_logged_in_[hash] Indicates when you're logged in, and who you are.
Type First-party
Duration Session
wp-settings-{time}-[UID] Used to customize your view of the admin interface and possibly the main site interface.
Type First-party
Duration 1 year
comment_author_{HASH} Stores commenter's name to avoid retyping it.
Type First-party
Duration 1 year
comment_author_email_{HASH} Stores commenter's email address to avoid retyping it.
Type First-party
Duration 1 year
comment_author_url_{HASH} Stores commenter's URL to avoid retyping it.
Type First-party
Duration 1 year
wordpress_test_cookie Tests if cookies can be set.
Type First-party
Duration Session
wp_long Stores the language key of the selected language.
Type First-party
Duration Session

Description of service

Cookies used for the general operation and functionality of the website.

Processing companies

Address can be found in footer

The processing company's data protection officer

Below you can find the e-mail address of the processing company's data protection officer.
Conact website

Purpose of data

This list represents the purposes of data collection and processing.
Website Functionality

Applied technologies

This list represents all technologies this service uses to collect data. Typical technologies are cookies and pixels placed in the browser.
Cookies

Collected data

This list represents all (personal) data collected by or through the use of this service.
User preferences and settings

Legal basis

In the following, the required legal basis for processing data is stated.
Legitimate Interest under GDPR

Retention period

The retention period is the time during which the collected data is stored for processing purposes. The data must be deleted as soon as it is no longer necessary for the stated processing purposes.
* Typically up to 1 year

Overview of Information Storage Techniques

The service outlined here incorporates various methods for storing information on a user's device. The following section provides a detailed account of these techniques, emphasizing their role in enhancing user experience and adhering to established data protection protocols.

necessary Checks which cookies the user has accepted.
Type First-party
Duration Permanent
popupCookie Indicates if the user closed the cookie popup.
Type First-party
Duration Permanent
woocommerce_items_in_cart Helps WooCommerce determine when cart contents/data changes.
Type First-party
Duration Permanent
SESSION (variat) Remembers the selected product if the screen is refreshed.
Type First-party
Duration Session
necessary Checks which cookies the user has accepted.
Type First-party
Duration Permanent
popupCookie Indicates if the user closed the cookie popup.
Type First-party
Duration Permanent
woocommerce_items_in_cart Helps WooCommerce determine when cart contents/data changes.
Type First-party
Duration Permanent
SESSION (variat) Remembers the selected product if the screen is refreshed.
Type First-party
Duration Session
SESSION (pro_id) Remembers the selected product, ensuring consistency across page refreshes.
Type First-party
Duration Session
SESSION (wc_fragments_*) Maintains session information and remembers cart contents.
Type First-party
Duration Session
SESSION (wc_cart_hash_*) Tracks changes in cart contents for efficient management.
Type First-party
Duration Session
SESSION (wc_cart_created) Indicates when a new item is added to the shopping cart.
Type First-party
Duration Session
SESSION (wc_fragments) Used to ensure cart contents are remembered across sessions.
Type First-party
Duration Session
SESSION (wc_cart_hash) Assists in tracking changes to shopping cart contents.
Type First-party
Duration Session
SESSION wp_woocommerce_session_ Contains a unique code for each customer to locate cart data in the database.
Type First-party
Duration 2 days
History
Decision Date
Not set yet

Description of service

This service enables users to measure traffic and engagement across their websites and mobile apps using customised reports.

Processing companies

Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States

The processing company's data protection officer

Below you can find the e-mail address of the processing company's data protection officer.
[Your contact email]

Purpose of data

This list represents the purposes of data collection and processing.
Website AnalyticsUser TrackingData Analysis

Applied technologies

This list represents all technologies this service uses to collect data. Typical technologies are cookies and pixels placed in the browser.
Tracking codeCookies

Collected data

This list represents all (personal) data collected by or through the use of this service.
Device informationGeographic locationBrowser informationDevice operating systemScreen resolutionReferrer URLUser interaction dataDate and time of visitUser behaviourPages visitedOnline identifiersTruncated IP addressUser IDAd identifier

Legal basis

In the following, the required legal basis for processing data is stated.
Article 6(1)(a) of the General Data Protection Regulation (GDPR)

Place of treatment

This is the primary place where the collected data is processed. If the data is also processed in other countries, you will be informed separately.
* The European Union

Transfer to third countries

This service may forward the collected data to another country. Note that this service may transfer data to a country without the required data protection standards. Below you can find a list of the countries to which the data is transferred. You can get more information about security measures in the provider's privacy policy or by contacting the provider directly.
USASingaporeChileTaiwan

Retention period

The retention period is the time during which the collected data is stored for processing purposes. The data must be deleted as soon as it is no longer necessary for the stated processing purposes.
* The retention period depends on the type of data stored. Customers can choose how long Google Analytics retains data before it is automatically deleted. The maximum retention period is 14 months.

Click here to read the data processor's cookie policy

https://policies.google.com/technologies/cookies?hl=en

Overview of Information Storage Techniques

The service outlined here incorporates various methods for storing information on a user's device. The following section provides a detailed account of these techniques, emphasizing their role in enhancing user experience and adhering to established data protection protocols.

_ga Used to distinguish users.
Type cookie
Duration 2 years
_ga_ Used to persist session state.
Type cookie
Duration 2 years
History
Decision Date
Not set yet
History
Decision Date
Not set yet