Updated: 1/6/2020
Introduction
Thousands of businesses have entrusted ScheduleAnywhere with their
scheduling data and employee information, and we make it a priority
to take our users' security and privacy concerns seriously. We
strive to ensure that your data is kept securely, and that we
collect only as much personal data as is required to provide our
services to users in an efficient and effective manner. This
statement is aimed at being transparent about our security
infrastructure, practices and providers, to help reassure you that
your data is appropriately protected.
Application and User Security
SSL Encryption: Users enter employee information and assign
schedule information over a secured, encrypted TLS connection.
Transport Layer Security (TLS) protects communications by using
both server authentication and data encryption. This ensures that
user data in transit is safe, secure and available only to intended
recipients.
User Authentication: User data on our database is logically segregated by account. User accounts have unique usernames and passwords that must be entered each time a user logs on. ScheduleAnywhere issues a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user.
User Passwords: User application passwords must be at least 8 characters in length, but there are no complexity requirements. Passwords are not required to be changed once established and there is no two-factor authentication. As of December 19, 2019, all new user application passwords or password changes must contain a lowercase letter, uppercase letter, number and special character.
Data Encryption: Data is encrypted at rest on all ScheduleAnywhere servers.
Data Portability: ScheduleAnywhere enables you to export your data from our system in a variety of formats so that you can use it with other applications. We also offer an API-enabled environment for customers desiring automated integration or custom exports.
Penetration and Vulnerability: We routinely perform penetration and vulnerability tests to guard against exploits.
Privacy: We have a comprehensive privacy policy that provides a very transparent view of how we handle your data, including how we use your data, who we share it with, and how long we retain it.
HIPAA: Since ScheduleAnywhere does not contain any protected health information or come into contact with any protected health information, it does not need to be HIPAA compliant. ScheduleAnywhere is a staff scheduling tool that contains employee information and work schedule information only. HIPAA excludes from protected health information employee records that a covered entity maintains in its capacity as an employer. Therefore, ScheduleAnywhere does not need to conform to HIPAA regulations.
Backup Frequency
ScheduleAnywhere backups occur every 15 minutes and full backups
are stored in multiple Amazon Web Services (AWS) data centers
throughout the country. All backups are transmitted securely and
encrypted.
Access to Data
Within our company, only a limited number of authorized
ScheduleAnywhere Development Team personnel, from authorized IP
addresses, have access to ScheduleAnywhere servers and the
ScheduleAnywhere database. When needed, Support technicians can
access your account through the ScheduleAnywhere front-end UI
only.
Third-party Hosting Services
ScheduleAnywhere is hosted by Amazon Web Services (AWS) in one of
their highly secure U.S. data centers. AWS is responsible for
maintaining physical security, staff vetting, etc. AWS staff will
not access ScheduleAnywhere data without permission. Here is a link
to their security information.
Your Responsibilities
Keeping your data secure also depends on you ensuring that you
maintain the security of your account by using sufficiently
complicated passwords and storing them safely. You should also
ensure that you have sufficient security on your own systems.
Security Questionnaires/Forms
Due to the number of customers that use our service, specific
security questionnaires or custom security forms can only be
addressed for customers licensing a certain number of user accounts
(employees) within a ScheduleAnywhere account. If your company has
a large number of employees, please call 325-223-9500.
Additional Security Requirements
If your company requires additional security features, such as
intrusion detection systems (IDS) or intrusion prevention systems
(IPS), we recommend self-hosting ScheduleAnywhere. For more information
on self-hosting and pricing, please call 325-223-9500.