SB Time Tracker
Sign in Start free trial
Security

Your data, isolated from every other tenant.

Tenant isolation at the database level, encryption in transit and at rest, US-hosted, daily backups, audit log on every meaningful change.

Start free trialContact us β†’
The basics

What every tenant gets.

Tenant isolation

Every document carries a TenantId. Every query is scoped to it. Even SuperAdmin tools require explicit tenant selection β€” there is no app code path that returns cross-tenant data.

Encryption

TLS 1.2+ on every connection. Data at rest is encrypted by Azure Cosmos DB using service-managed keys.

US hosting

Hosted on Azure in US regions only. No data leaves the US. No third-party processors outside the US in the request path.

Backups

Continuous backup via Cosmos DB's built-in PITR. We can restore your tenant's data to any point in the last 30 days.

Role-based access

Five roles (SuperAdmin, CompanyAdmin, Manager, Employee, Client) with policy-enforced authorization on every page and API endpoint.

Audit log

Every state-changing event is captured with actor, timestamp, entity, action. Per-tenant. Retained for the life of your tenant.

The honest version

What we have, what we don't have yet.

What we have today

  • Tenant isolation enforced at the data layer (every repository method takes a TenantId β€” there is no method that doesn't)
  • Azure Cosmos DB with TLS-only connections
  • Microsoft-managed encryption keys (encryption at rest)
  • ASP.NET Identity with PBKDF2 password hashing, lockout after 5 failed attempts
  • Email confirmation flow on registration (resendable from SuperAdmin tenant detail)
  • Audit log of every meaningful state change
  • Hosted in US Azure regions, all third-party processors (Stripe, ACS, App Insights) US-region

What's roadmap (transparent: not yet)

  • SOC 2 Type II report β€” under evaluation, likely 2027
  • Customer-managed encryption keys (BYOK) β€” Q4 2026
  • SSO via SAML / OIDC β€” when we hit our first customer that asks for it
  • HIPAA / FedRAMP β€” not on the roadmap; we're not the right fit if you need either

Reporting a vulnerability: email security@fmlytimetracking.com. We respond to legitimate security reports within one business day.

Questions about security?

If your due-diligence checklist needs more than this page, get in touch — we'll answer specifics.

Contact usStart free trial

Rejoining the server...

Rejoin failed... trying again in seconds.

Failed to rejoin.
Please retry or reload the page.

The session has been paused by the server.

Failed to resume the session.
Please retry or reload the page.