Snap Schedule 365 Cloud Security FAQs
We know data security is very important to your business and protecting your data is our top priority. Security is built into Snap Schedule 365 from the ground up with technological safeguards, such as encrypted communications and encrypted data at rest, to enhance the security of our customers’ data. Snap Schedule 365 runs on the Microsoft Azure cloud computing platform which meets a broad set of international and industry-specific compliance standards, such as ISO 27001, FedRAMP, SSAE 16 SOC 1 and SOC 2, as well as country-specific standards like Australia IRAP, UK G-Cloud, and Singapore MTCS.
The FAQs below provide answers to questions that we anticipate a security conscious user like you would want to know.
General
Snap Schedule 365 is built on the Microsoft Azure cloud computing platform, renowned for its reliability, scalability, and accessibility. We store each customer’s data in a Microsoft Azure SQL database located within an expanding network of Microsoft-managed data centers. Azure SQL Database enhances our service with built-in fault tolerance, data encryption, automated backups, Point-In-Time Restore, Geo-Restore, and Active Geo-Replication to ensure high availability and continuity of business operations.
For US-based customers, Azure SQL databases are maintained in Microsoft-managed data centers in the United States. International customers have the option to request deployment of their databases to Azure data centers in the UK, Australia, or Canada. The persistence of the data—or its “service life”—remains constant unless a change is requested by the customer.
Backups of databases are always located in the same jurisdiction as the data that is used in day-to-day operations, but for security reasons, the two are physically separated.
Microsoft Azure cloud computing services are delivered through a network of global datacenters, each designed to run 24 x 7, and each employing numerous measures to help protect operations from power failure, physical intrusion, and network outages. These datacenters are managed, monitored, and administered by Microsoft, and geographically dispersed.
Microsoft datacenters received SSAE16/ISAE 3402 Attestation and are ISO 27001 Certified. Microsoft datacenters are located in non-descript buildings that are physically constructed, managed, and monitored 24-hours a day to protect data and services from unauthorized access as well as environmental threats. Datacenters are surrounded by a fence with access restricted through badge-controlled gates.
Microsoft has a comprehensive approach to protecting cloud infrastructure that includes hardware, software, networks, and administrative and operations staff, in addition to the physical datacenters.
Microsoft Azure meets a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SSAE 16 SOC 1 and SOC 2, as well as country-specific standards like Australia IRAP, UK G-Cloud, and Singapore MTCS. Rigorous third-party audits, such as by the British Standards Institute, verify Azure’s adherence to the strict security controls these standards mandate. For more details, see the compliance information on the Microsoft Trust Center.
Snap Schedule 365 is an employee scheduling solution that does not store or process protected health information (PHI) or any other health information. As such, the platform itself is not subject to HIPAA compliance because it does not handle health data that would fall under HIPAA regulations. However, we still prioritize the security and privacy of all user data, implementing robust security measures to protect all information processed by Snap Schedule 365.
Network security
Yes, we use Microsoft Azure SQL Database Threat Detection system to monitor, detect and respond to potential threats as they occur by providing security alerts on anomalous activities. For more information, visit https://azure.microsoft.com/en-us/documentation/articles/sql-database-threat-detection-get-started/
Yes, the Snap Schedule 365 is protected by firewalls. Firewalls are deployed between each network segment to isolate and control access among the systems in each tier to prevent potential intruders from directly accessing backend databases.
No, Snap Schedule 365 is a Web-based application and HTTPS is the only supported protocol. Traffic is encrypted between the user’s web browser (or iOS/Android apps) and Snap Schedule 365 using AES 256-bit SSL encryption.
No, all connections are initiated by the client (i.e. you).
No, all data transfers are done through the HTTPS protocol (443/TCP).
Data storage and retention security
Yes. Your Snap Schedule 365 data is completely contained in a single Azure SQL database and totally isolated from other users and their data. Database access is restricted to the data owner and no other customers on Snap Schedule 365 can see your data. A contained database is a database that is isolated from other databases on the same server and from the instance of SQL Server/SQL Database (and the master database) that hosts the database.
Yes. Snap Schedule 365 uses Azure Transparent Data Encryption (TDE) to help protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and data “at rest”, meaning the data and log files. TDE performs real-time I/O encryption and decryption of the data and log files and protects the keys that are used to encrypt the data with a certificate. This encryption method prevents anyone without the keys from accessing and using the data.
Data transmission between a user’s computer/device to Snap Schedule 365 is always encrypted using HTTPS/SSL with a 2048-bit SSL certificate. This security measure at the transit layer is very much the same as that used by online banking institutions; it protects data transmissions from being hijacked or sniffed over the wire during transfer.
No, the system does not support configuring custom encryption keys per customer.
You can delete the contents of your database using the Schedule Setup command under the Snap Schedule 365 Admin menu.
Your data is retained indefinitely as long as your subscription account is active and in effect. Accounts will be “deactivated” upon a user’s request to discontinue the service or if the account is delinquent according to our “Terms of Use.” Databases belonging to deactivated subscription accounts will be permanently deleted.
Microsoft Azure SQL Database service protects all databases with an automated backup that is retained for a maximum of 35 days. Backup files are always encrypted and stored in geo-redundant storage containers to ensure availability for disaster recovery purposes. Full backups are taken every week, differential backups every day, and log backups every 5 minutes. The first full backup is scheduled immediately after a database is created. Normally this completes within 30 minutes but it can take longer. If a database is already big, then the first full backup may take longer to complete. After the first full backup, all further backups are scheduled automatically and managed silently in the background. The exact timing of full and differential backups is determined by the system to balance the overall load.
Snap Schedule 365 keeps data related to an employee such as contact information, time and attendance records, work schedules, etc. in its database for as long as your subscription is active. When the employee deletion feature is enabled for your company, you can remove an employee and all data records and transactions related to the employee will be permanently erased from the database. The deletion is not reversible. Automated backup copies of the Snap Schedule 365 database that may contain the deleted employee’s information will be permanently deleted after the 35-day retention period.
User authorization and authentication security
The system uses an internal user authentication system to authenticate and authorize logins. The user must provide a valid company code, user name, and password to be authenticated. Data transmission between a user’s computer/device to Snap Schedule 365 is always encrypted using HTTPS/SSL with a 2048-bit SSL certificate.
Snap Schedule 365 supports Microsoft Active Directory or any authentication system that supports the SAML 2.0 protocol, to give an organization’s users single sign-on to Snap Schedule 365.
Yes, passwords are stored and encrypted on our secure system.
Yes, Snap Schedule 365 requires and enforces complex passwords. The scheduler’s password must have a minimum of 8 characters and contain at least one uppercase letter (A-Z), one lowercase letter (a-z), one number (0-9), and one special character (non-word characters like !%#$).
Since our subscribers control their users and their data, it is important for the users to practice sound security practices by using strong account passwords and restricting access to their accounts to authorized persons.
No, only username/password authentication is supported at this time.
Application layer security
Snap Schedule 365 is a secured, high-performing, multi-tenancy employee scheduling solution built on the Microsoft Azure cloud computing infrastructure. Snap Schedule 365 Web-facing application is deployed as an Azure App Service that can be easily scaled up or down on demand with high availability within and across different geographical regions. When you log in to use Snap Schedule 365, this Azure App Service connects to your Azure SQL Database running in multi-tenant mode on the same Microsoft Azure cloud platform. The Azure SQL Databases used to support the Snap Schedule 365 application are segregated from the web/application tiers.
Multi-tenancy software is designed to allow multiple customers (users) to access and use the same software simultaneously, in a controlled and segregated manner, such that individual users can access only their own data. User access is controlled through an authentication system.
Yes. We follow industry-standard secure coding best practices throughout the development lifecycle and use the Microsoft Visual Studio toolset for software development. We are a Microsoft certified Silver Application Development Partner.
In addition to Microsoft Azure security scanning, we routinely scan the Snap Schedule 365 Web-facing application for vulnerabilities against the OWASP Top 10 Security Threats and other known security holes.
No. Snap Schedule 365 uses the standard HTTPS protocol and users simply need a web browser and internet connectivity to access and use it. Antivirus software (e.g., McAfee® software) that is installed on the end user’s computer should not have any compatibility issues with our platform as long as one of our supported web browser versions is used to access the system.
Access controls
Access to client’s data by our personnel is strictly limited to legitimate business need, including activities required to support our clients’ use of Snap Schedule 365. Our support team maintains access to the Snap Schedule 365 applications and its data for maintenance and support. This support team accesses hosted applications and data only for purposes of application health monitoring and performing system or application maintenance, and upon customer request via our support system. Additionally, customers must explicitly invite one of our tech support team members and grant access to their data through Snap Schedule 365 for the team member to access customer’s data.
Accesses to resources are controlled by explicit roles in all environments. Support team members are given appropriate accounts on systems which they are authorized to access, following the “least privilege” principle.
When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if the person continues to be one of our employees. All support team members are individually and contractually required to comply with our data protection and information privacy provisions.
No. We do not sell, disseminate, or trade any of your Snap Schedule data. We reserve the right to analyze and map the utilization pattern of users to improve the product, increase availability and service security.