Thousands of businesses have entrusted ScheduleAnywhere with their scheduling data and employee information, and we make it a priority to take our users' security and privacy concerns seriously. We strive to ensure that your data is kept securely, and that we collect only as much personal data as is required to provide our services to users in an efficient and effective manner. This statement is aimed at being transparent about our security infrastructure, practices and providers, to help reassure you that your data is appropriately protected.
Application and User
SSL Encryption: Users enter employee information and assign schedule information over a secured, encrypted SSL connection. Secure Sockets Layer (SSL) protects communications by using both server authentication and data encryption. This ensures that user data in transit is safe, secure and available only to intended recipients.
User Authentication: User data on our database is logically segregated by account. User accounts have unique usernames and passwords that must be entered each time a user logs on. ScheduleAnywhere issues a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user.
User Passwords: User application passwords have minimum complexity requirements. Passwords are not required to be changed once established and there is no two-factor authentication.
Data Encryption: Data on ScheduleAnywhere server(s) is not encrypted at rest. If you require encryption at rest or other security measures, see Additional Security Requirements below.
Data Portability: ScheduleAnywhere enables you to export your data from our system in a variety of formats so that you use it with other applications. We also offer an API-enabled environment for customers desiring automated integration or custom exports.
Penetration and Vulnerability: We routinely perform penetration and vulnerability tests to guard against exploits.
HIPAA: Since ScheduleAnywhere does not contain any protected health information or come into contact with any protected health information, it does not need to be HIPAA compliant. ScheduleAnywhere is a staff scheduling tool that contains employee information and work schedule information only. HIPAA excludes from protected health information employee records that a covered entity maintains in its capacity as an employer. Therefore, ScheduleAnywhere does not need to confirm to HIPAA regulations.
ScheduleAnywhere backups occur every 15 minutes and full backups are stored in multiple data centers throughout the country.
Access to Data
Within our company, only authorized ScheduleAnywhere Development Team personnel, at authorized IP addresses, have access to ScheduleAnywhere servers and data.
Third-party Hosting Services
We use two different third-party hosting companies for ScheduleAnywhere. Below are our two hosting providers with links to their security information.
ScheduleAnywhere (Non-API) - Cogeco Peer1 - Miami Data Center
ScheduleAnywhere (API) - Amazon Web Services (AWS)
Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems.
Due to the number of customers that use our service, specific security questions or custom security forms can only be addressed for customers licensing a certain number of user accounts within a ScheduleAnywhere Enterprise subscription. If your company has a large number of potential or existing users and is interested in exploring such arrangements, please call 1-800-874-8801 (701-235-5226).
Additional Security Requirements
If your company requires security features such as data encryption at rest, intrusion detention systems (IDS), intrusion prevention systems (IPS) or sophisticated password management, we recommend hosting ScheduleAnywhere. For more information on self-hosting and pricing, please call 1-800-874-8801 (701-235-5226).