Security

Shiftee maintains the highest level of security and we are consistently committed to providing enhanced security to ensure your security and privacy at all times.

Compliance and Certifications

Shiftee complies to and is certified with various security certificates as we follow strict risk management policies with handling our users' personal data.

ISO 27001:2013 Certification acquired

ISO 27001:2013 is an international standard for information security management and supports organizations' data asset management and protection.

Information Security Tests

Shiftee conducts data protection vulnerability assessments through professional security consultants and consistently maintains the highest level of security.

More than 300,000 businesses worldwide use Shiftee to make better workplaces.

Method of Data Protection

Shiftee does not collect private information that is not for the purpose of time and attendance management. All collected data are encrypted in secure database at rest.

Collection of Limited Information

Shiftee is a time and attendance software and does not collect private sensitive information.

Collected data

name
email address
employee number (optional)
phone number (optional)

Encryption Algorithm

We protect our data from external access by encrypting all data to be incomprehensible.

AES-256 Algorithm

Shiftee database encryption algorithm

Strong Password Algorithm

We use incomprehensible algorithm used in operating systems such as OpenBSD and Linux Distribution.

Location Based Service (LBS) Certified

We are registered and certified as a Location Based Service (LBS) by the Korea Communications Commission.

Collection and Disposal of Location Information

Shiftee collects location infomation for a limited time (only during clock-in and clock-out), and all location data are deleted immediately after clock in/out validation.

Cloud Service with Guaranteed Safety

AWS Cloud Security

We save our data in Amazon Web Services (AWS) which is used by countless companies worldwide. Our server is located in the AWS Seoul region.

AWS Service Ready

By passing and meeting the requirements of the AWS Service Ready Program, Shiftee has proven to be of the highest level of expertise and security.

DDoS Attack Protection

As the largest cloud infrastructure, AWS maintains the highest level of security and defends against DDoS attacks.

Powerful and Versatile Security Features

SSO

Shiftee provides SAML Single Sign-on (SSO) feature to authenticate users in your own systems without requiring them to enter additional login credentials.
- Okta, MS Azure, Onelogin

Shiftee provides an IP Whitelisting feature that allows you to control IP addresses that can access Shiftee. You can prevent unauthorized access getting to Shiftee by specifying a range of trusted host(public) IP addresses.

Separation of Permissions

Shiftee provides different levels of administrator permissions. You can assign permissions to the authorized users to have access to app settings and the ability to view or edit data.

Audit Logs Feature

Shiftee provides an audit log feature that allows you to monitor administrators’ actions on creating/editing/deleting data. You can use this feature to check the history of actions carried out by administrators.

Cloud and Application Security

Cloud Data Center Security

Shiftee hosts service data in Amazon Web Services(AWS) data center, which complies with trusted security regulations and obtains the following security certifications (ISO, CSA, SOC, K-ISMS and so on)
AWS data centers are safely secured with physical measures such as CCTV, security guards, intrusion detection technology, and have various facilities and technologies to keep availability in the event of disasters.

Data Hosting Location

Shiftee data is served and stored in AWS Seoul region.

Disaster Response and Recovery Ability

Shiftee has a Disaster Recovery Plan(DRP) to respond quickly to data failure and emergency situations. All of our infrastructure and data are spread across 3 AWS availability zones and will continue to work should any one of those data centers fail. We also do regular, distributed data backup to minimize data loss in circumstances such as data failure and disasters.

DDoS Attack and Network Protection

Shiftee runs a system to mitigate DDoS attacks and monitor and block malicious traffic and network attacks.

Encryption

Shiftee data is encrypted at rest using AES-256 key encryption and we use a strong one-way hash function to encrypt the user password. During transit, all data and traffic in Shiftee are safely secured through encrypted transfer via industry standard HTTPS/TLS (TLS 1.2 or higher).

Audit Log and Monitoring

On an application level, we produce audit logs for all actions taken on the access and related data is stored in restricted access cloud storage.

Permissions and Authentication

Access and permission to system and customer data is limited to authorized employees who require it for their job. For those limited access accounts, we have IP based access restriction, 2-factor authentication(2FA) using OTP and strong password policies to ensure access to data is protected.

Application Security

From the design stage, Shiftee defines and reflects security requirements. We use a secure framework and coding method, and all the developed code is reviewed, tested and validated once again through our internal code review process. The reviewed code is tested several times in a separate environment separate from the production environment and then finally reflected in the production environment after security reviews. No service data is used in our test environments.

Vulnerability Management

Shiftee scans our system and application to identify vulnerabilities and ensure the vulnerabilities are managed on a regular basis. We maintain a dedicated in-house expert team to scan vulnerabilities and work with the engineering team to remediate any discovered issues.

Any further questions regarding data protection and security?

Your Shiftee support team is here to assist you.