
Security & Incident Response

Last updated: March 5, 2026

Security measures

TimeGraphics implements the following technical and organizational measures to protect your data:

  • Encryption in transit: All connections to time.graphics use TLS 1.2 or higher (enforced via Cloudflare)
  • Encryption at rest: Database storage uses encrypted volumes
  • Access controls: Database access is restricted to authorized personnel only. Support staff cannot directly access user data or identifiers
  • Infrastructure security: Application is served behind Cloudflare WAF and DDoS protection. Server access is limited to SSH key authentication
  • Password security: User passwords are stored using bcrypt hashing; we never store plaintext passwords
  • Regular updates: Server software and dependencies are maintained and updated regularly
  • Backups: Regular automated database backups with encrypted storage

Incident response

In the event of a security incident involving unauthorized access to, disclosure of, or loss of personal data:

  • Detection and assessment: We investigate and assess the scope and impact of the incident promptly upon discovery
  • Containment: We take immediate steps to contain the incident and prevent further unauthorized access
  • Notification — Schools: For School Accounts, we notify the School's designated administrative contact within 72 hours of confirming the incident. The notification includes:
    • Nature and description of the incident
    • Categories and approximate number of records affected
    • Likely consequences of the incident
    • Measures taken or proposed to address the incident
    • Contact information for follow-up questions
  • Notification — GDPR: For EU users, we notify the relevant supervisory authority within 72 hours as required by GDPR Article 33, and affected individuals without undue delay where required by Article 34
  • Notification — General: For all other users, we comply with applicable state and federal breach notification laws
  • Remediation: We document root cause analysis and implement measures to prevent recurrence

Data retention & deletion

General retention
  • Active account data is retained as long as the account is active
  • Upon account deletion by the user, personal data and user-created content are removed from our production database within 30 days
  • Backup copies are purged within 90 days of primary deletion
  • Anonymized, aggregated analytics data (not linked to individual users) may be retained indefinitely for service improvement
School Account retention & deletion
  • Student data is retained only for as long as the School Account is active and the data serves the educational purpose
  • Schools may request deletion of all student data at any time by contacting schools@time.graphics
  • Upon termination of a School Account or DPA:
    • The School may request a data export (JSON format) before deletion
    • Student data is deleted from production systems within 30 calendar days
    • Backup copies are purged within 90 calendar days
    • TimeGraphics provides written confirmation of deletion upon request
  • Individual student data can also be deleted upon request from the School at any time during the active period
Access and correction
  • Schools may inspect and review student data at any time
  • Schools may request correction or amendment of student data
  • Requests are fulfilled within 10 business days

Reporting a security concern

If you discover a security vulnerability or suspect unauthorized access to data, please contact us immediately:

  • Email: security@time.graphics
  • For School Accounts: schools@time.graphics

We take all reports seriously and will respond within 1 business day.
