Thousands of users have entrusted ScheduleAnywhere with their scheduling data and employee information, and we make it a priority to take our users' security and privacy concerns seriously. We strive to ensure that user data is kept securely, and that we collect only as much personal data as is required to provide our services to users in an efficient and effective manner. This statement is aimed at being transparent about our security infrastructure, practices and providers, to help reassure you that your data is appropriately protected.
Note: This Security Statement covers only the ScheduleAnywhere instance located at www.scheduleanywhere.com. It does not cover the API-enabled instance of ScheduleAnywhere. Please contact your ScheduleAnywhere representative for this security statement.
Application and User Security
SSL Encryption: Users enter employee information and assign schedule information over a secured, encrypted SSL connection. Secure Sockets Layer (SSL) protects communications by using both server authentication and data encryption. This ensures that user data in transit is safe, secure and available only to intended recipients.
User data on our database is logically segregated by account. User accounts have unique usernames and passwords that must be entered each time a user logs on. ScheduleAnywhere issues a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user.
User Passwords: User application passwords have minimum complexity requirements. Passwords are not required to be changed once established and there is no two-factor authentication.
Data Encryption: Data on ScheduleAnywhere server(s) is not encrypted at rest.
Data Portability: ScheduleAnywhere enables you to export your data from our system in a variety of formats so that you can use it with other applications. We also offer an API-enabled environment for customers desiring automated integration. This security statement does not apply to our API-enabled environment.
HIPAA: Since ScheduleAnywhere does not contain any protected health information or come into contact with any protected health information, it does not need to be HIPAA compliant. ScheduleAnywhere is a staff scheduling tool that contains employee information and work schedule information only. HIPAA excludes from protected health information employee records that a covered entity maintains in its capacity as an employer. Therefore, ScheduleAnywhere does not need to conform to HIPAA regulations.
ScheduleAnywhere is hosted by a third-party hosting company. Their Network Operations Center (NOC) is unlike any other hosting provider's, in that it is in-house and constantly monitors and controls all traffic on their network inside and outside of their datacenters. Should our hosting provider have an issue, they handle it personally, so it gets resolved quickly. Their engineers and datacenter personnel manage every aspect of the facility around the clock, as well. From security, to deploying devices, to handling the day-to-day needs, they are ready to act whenever needed.
ScheduleAnywhere's hosting provider is compliant with the standards of SSAE 16, CSAE 3416, and ISAE 3402. These accreditations reflect controls which are in place over a period of time, commonly referred to within the industry as Type II. Our hosting provider has undergone independent, in-depth audits of control activities, including how they manage the hosting and network technologies and services that are provided. Our provider renews this certification annually as it ensures that the internal controls are kept to the highest standards. Our hosting provider is also a Microsoft® Gold Certified Partner, Red Hat® Advanced Hosting Partner, Safe Harbor certified and a member of the Green Grid®.
ScheduleAnywhere's hosting provider is a member of CIS (Center for Internet Security). CIS is a nonprofit organization that serves as a central resource for the development and delivery of high-quality, timely products and services to assist its partners in government, academia, the private sector, and the general public in improving their cyber security posture. CIS Security Benchmarks, a division of CIS, is a community of organizations and individuals seeking actionable security resources. As part of this community, the hosting provider has access to Consensus Security Configuration Benchmarks, Scoring Tools, Consensus Security Metric definitions, and discussion forums where we are an integral stakeholder in collaborating on security best practices.
Regulated Climate Control
ScheduleAnywhere's hosting provider has heating, ventilation and air conditioning (HVAC) systems with full particle filtering and humidity control. The climate within each of their datacenters is maintained according to ASHRAE Guidelines. This ensures mission-critical dedicated servers and hardware are functioning at their best.
ScheduleAnywhere's hosting provider has onsite diesel-powered generators and uninterruptible power systems (UPS) that deliver redundant power if a critical incident occurs, so that all operations are uninterrupted and servers remain online. Their infrastructure is tested frequently to make sure it performs as designed in the event of an emergency. And they back it all up with their 100% Power Service Level Agreement (SLA) and 100% Network Uptime SLA.
ScheduleAnywhere's hosting provider has datacenters that are locked and guarded, and can only be accessed by authorized personnel and Colocation customers within their colocation pods. Monitored closed circuit television systems and onsite security teams vigilantly protect their datacenters around the clock, while military-grade pass card access and biometric finger scan units provide even further security.
Backup Frequency: ScheduleAnywhere backups occur hourly internally, and daily to a centralized backup system.
Production Redundancy: Data is stored on a RAID 10 array. The operating system is stored on a RAID 1 array.
Organizational & Administrative Security
Service Providers: We screen our service providers and bind them under contract to appropriate confidentiality obligations if they deal with any user data.
Access: Access controls to sensitive data in our databases, systems and environments are set on a need-to-know / least privilege necessary basis.
Handling of Security Breaches
Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if ScheduleAnywhere learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Notification procedures include providing email notices or posting a notice on our website if a breach occurs.
Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems.
Due to the number of customers that use our service, specific security questions or custom security forms can only be addressed for customers licensing a certain number of user accounts within a ScheduleAnywhere Enterprise subscription. If your company has a large number of potential or existing users and is interested in exploring such arrangements, please call 1-800-874-8801 (701-235-5226).
Additional Security Requirements
If your company requires security features such as data encryption at rest, intrusion detection systems (IDS), intrusion prevention systems (IPS) or sophisticated password management, we recommend self-hosting ScheduleAnywhere. For more information on self-hosting and pricing, please call 1-800-874-8801 (701-235-5226).