Security Statement

Updated: 1/6/2020

Introduction
Thousands of businesses have entrusted ScheduleAnywhere with their scheduling data and employee information, and we make it a priority to take our users' security and privacy concerns seriously. We strive to ensure that your data is kept securely, and that we collect only as much personal data as is required to provide our services to users in an efficient and effective manner. This statement is aimed at being transparent about our security infrastructure, practices and providers, to help reassure you that your data is appropriately protected.

Application and User Security
SSL Encryption: Users enter employee information and assign schedule information over a secured, encrypted TLS connection. Transport Layer Security (TLS) protects communications by using both server authentication and data encryption. This ensures that user data in transit is safe, secure and available only to intended recipients.

User Authentication: User data on our database is logically segregated by account. User accounts have unique usernames and passwords that must be entered each time a user logs on. ScheduleAnywhere issues a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user.

User Passwords: User application passwords must be at least 8 characters in length, but there are no complexity requirements. Passwords are not required to be changed once established and there is no two-factor authentication. As of December 19, 2019, all new user application passwords or password changes must contain a lowercase letter, uppercase letter, number and special character.

Data Encryption: Data is encrypted at rest on all ScheduleAnywhere servers.

Data Portability: ScheduleAnywhere enables you to export your data from our system in a variety of formats so that you use it with other applications. We also offer an API-enabled environment for customers desiring automated integration or custom exports.

Penetration and Vulnerability: We routinely perform penetration and vulnerability tests to guard against exploits.

Privacy: We have a comprehensive privacy policy that provides a very transparent view of how we handle your data, including how we use your data, who we share it with, and how long we retain it.

HIPAA: Since ScheduleAnywhere does not contain any protected health information or come into contact with any protected health information, it does not need to be HIPAA compliant. ScheduleAnywhere is a staff scheduling tool that contains employee information and work schedule information only. HIPAA excludes from protected health information employee records that a covered entity maintains in its capacity as an employer. Therefore, ScheduleAnywhere does not need to confirm to HIPAA regulations.

Backup Frequency
ScheduleAnywhere backups occur every 15 minutes and full backups are stored in multiple Amazon Web Services (AWS) data centers throughout the country. All backups are transmitted securely and encrypted.

Access to Data
Within our company, only a limited number of authorized ScheduleAnywhere Development Team personnel, from authorized IP addresses, have access to ScheduleAnywhere servers and the ScheduleAnywhere database. When needed, Support technicians can access your account through the ScheduleAnywhere front-end UI only.

Third-party Hosting Services
ScheduleAnywhere is hosted by Amazon Web Services (AWS) in one of their highly secure U.S. data centers. AWS is responsible for maintaining physical security, staff vetting, etc. AWS staff will not access ScheduleAnywhere data without permission. Here is a link to their security information.

Your Responsibilities
Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems.

Security Questionnaires/Forms
Due to the number of customers that use our service, specific security questionnaires or custom security forms can only be addressed for customers licensing a certain number of user accounts (employees) within a ScheduleAnywhere account. If your company has a large number of employees, please call 325-223-9500.

Additional Security Requirements
If your company requires additional security features, such as intrusion detection systems (IDS) or intrusion prevention systems (IPS), we recommend hosting ScheduleAnywhere. For more information on self-hosting and pricing, please call 325-223-9500.