Security, Availability, Redundancy, and Certifications

Comprehensive security for the most demanding businesses

TimeTonic is a core IT platform available in SaaS (Software as a Service) mode, hosted in France in a sovereign environment that meets the highest corporate requirements in terms of security, resilience, and compliance.

From physical protection of infrastructure with biometric control to detailed management of user access rights based on the principle of "privacy & security by design," to communication encryption, password hashing and salting, daily backups on remote servers, data security, software quality control, and a highly resilient and scalable architecture with WAF, load balancing, and automatic failover, every aspect of our platform and environment is designed to protect your information, ensure high availability, and guarantee a smooth and efficient experience.

Certification and secure, resilient infrastructure

Our infrastructures are hosted in certified sovereign data centers (ISO 27001, HDS, HIPAA, SOC 1, 2, and 3, GDPR, etc.), in a hybrid cloud infrastructure combining public and private environments.

This hybrid model allows us to leverage the scalability of the public cloud for services with high load variability, while benefiting from the isolation and enhanced control of the private cloud for critical or sensitive components of the platform.

The infrastructure used is based on a redundant architecture, ensuring high availability and service continuity. The hybrid cloud optimizes resilience by intelligently distributing loads and enabling rapid failover between environments in the event of an incident or overload.

The servers are deployed in data centers located exclusively in France, hosted by French operators, ensuring full compliance with European regulations on personal data protection (GDPR) and digital sovereignty not subject to the US Cloud Act.

With secondary sites for redundancy and backups also located in France but several hundred kilometers away from the primary sites, TimeTonic ensures optimal resilience and service availability.

The deployment architecture is designed to be modular, scalable, and easily interconnectable with third-party systems.

Our choice of suppliers and our architecture allow us to offer fully dedicated environments as an option, with HDS (Health Data Hosting) and SecNumCloud certification (the highest level of security and sovereignty required by the French government for cloud service hosting).

TimeTonic is hosted by OVHcloud, a major European hosting provider.

Our hosting provider's numerous certifications can be viewed here:

Availability, redundancy, and disaster recovery plan

The hosting guarantees 99.999% availability and the platform offers an overall availability rate of over 99.95%.

  • This level of availability is supported by 24/7 monitoring, real-time alert systems, and rigorously tested disaster recovery (DRP/BCP) mechanisms.
  • Maintenance operations are planned to avoid any service interruption, with hot deployment mechanisms and pre-production environments allowing for upstream validation.
  • The architecture benefits from redundancy mechanisms, with automatic daily backups, file replication across multiple storage areas, and regular restoration tests. In the event of an incident, a disaster recovery plan (DRP) is activated: data is replicated in real time in a separate region, with a recovery objective (RTO/RPO) of less than 12 hours.


Access control and user security

Access to TimeTonic is based on strong authentication, with SSO (SAML v2) support for seamless integration with corporate directories, and a two-factor authentication (2FA) option for enhanced security.

Each user has rights calibrated according to their role (administrator, contributor, read-only, API), allowing for strict compartmentalization of information.

All sensitive connections and actions are tracked in audit logs, ensuring complete traceability of usage. In the event of a fraudulent login attempt, automatic locking and IP address restriction mechanisms are activated.

Access is strictly controlled using application firewalls (WAF), intrusion detection systems (IDS/IPS), and multi-factor authentication for all administrative access.

Password and automatic logout policies can be configured on demand, with passwords required to contain at least 8 characters, including an uppercase letter, a lowercase letter, a number, and a special character, and automatic logout after 4 hours of inactivity.

In addition, TimeTonic offers fine-grained user rights management, allowing, for example, the isolation of end-user data by creating isolated "mirror views" in separate workspaces. This ensures greater security by not exposing end users to unauthorized data or data they do not need for their daily management, which simplifies the user interface and improves the security, quality, and ergonomics of the applications created.

TimeTonic's dynamic filter options allow visibility or modification rights to be granted per user or per user group, including conditionally: for example, the same view can be filtered to display only specific information accessible according to the TimeTonic ID of the person logged in or according to a particular status or field with a particular value.

In addition, in the business plan, administrators have advanced options to manage user rights, define the applications to which they have access, and what type of rights they have.

Environmental and physical protection of data centers

Our infrastructure is hosted in certified data centers (ISO 27001, HDS, etc.), located exclusively in France. These centers are subject to strict physical controls: access via personalized badges, video surveillance, alarms, and security personnel.

Power is supplied by redundant systems (UPS) to ensure maximum availability, and energy efficiency is optimized (PUE < 1.3), in line with our environmental commitment.

Data security, backup, ownership, and compartmentalized environment

Data security is at the heart of our architecture. All communications between users and servers are encrypted via TLS 1.3, with HSTS enabled to prevent man-in-the-middle attacks.

Files are encrypted on the fly before being stored, and sensitive data in databases can also be encrypted using a secure encrypted field that can be configured directly by your own application developers.

Your data is stored in France in our sovereign infrastructure, and no data is stored or transmitted outside the European Union, unless you yourself choose to use services external to TimeTonic via our Application Programming Interfaces (APIs) or our automations with Webhook calls.

We develop and host our own database, rapid search, and automation engines to ensure that no data is transferred outside our infrastructure.

We even offer the option of hosting LLMs (e.g., Mistral) in our own infrastructure to ensure that no data, queries, or responses are transmitted outside during AI automation.

We also offer this option for Serenytics (dashboards) and n8n (automation platform) servers.

A complete copy of the data, files, and all application settings is backed up daily and stored for 30 days in our infrastructure at remote sites located several hundred kilometers from the production sites.

TimeTonic transfers modified data to a backup workspace in CSV-compatible XML format every day. We also offer the option, on request, to transfer all data and files to your own backup servers at regular intervals via SFTP, and you can retrieve all your information at any time via CSV export, including a zip file containing all your files.

For added security and ease of management, deleted records are kept in your data table's recycle bin. You can restore these records or delete them permanently if you are an administrator.

TimeTonic automatically saves the date and time of the last modification, as well as the complete history of all data modifications, in a dedicated field containing the date and time of the modification, the ID of the person who made the modification, and the previous and new values, for complete traceability. This is ideal for teamwork or for understanding why a particular change was made.

For Business plan users, data can be stored in dedicated isolated databases, ensuring total compartmentalization, optimal performance uncontaminated by other users, and rapid restoration in the event of unwanted deletion.

A complete SecNumCloud environment can also be set up, with a dedicated architecture and its own servers.

User access logs are accessible with the Business plan.

Your data and files are your sole property, and under no circumstances does TimeTonic access them (except at your express request when you temporarily invite the support team to access your workspaces, for example) or give third parties access to your data.

You can also delete your account and workspaces at any time. Your data will then be completely deleted from our servers after 30 days of daily backup retention.

Software quality and application protection

At TimeTonic, software quality is not just a goal: it is a cornerstone of our development process. We have implemented a continuous validation approach (Continuous Integration/Continuous Deployment) combining methodological rigor and cutting-edge tools to ensure the stability, performance, and security of our SaaS platform.

Automated testing at every stage

Each feature developed undergoes several levels of testing:

  • Unit tests: each component is tested in isolation to ensure that it behaves as expected.
  • Integration testing: interactions between modules are verified, particularly when using APIs or automated workflows.
  • End-to-end (E2E) testing: we simulate complete user scenarios to ensure the overall functioning of the interface and business logic.
  • Non-regression testing: with each update, we validate that existing features remain fully operational.

Tests are triggered automatically with each commit in our CI/CD pipeline. No code goes into production without passing these steps.

Application security integrated into the development cycle

Our testing tools also include security checks:

  • Static code analysis (SAST): each update is scanned to detect potential vulnerabilities such as injections, data leaks, or vulnerable dependencies.
  • Detection of XSS vulnerabilities and SQL injections: our test scripts include simulated attacks to verify that user inputs are properly sanitized.
  • Code coverage verification: each merge request must improve or maintain automated test coverage in order to be validated.

Controlled deployment process

Before each release:

  • A deployment script is prepared, validated in a test environment, and then approved via a merge request.
  • Deployment is carried out with a built-in rollback mechanism, allowing for immediate reversal in the event of a detected problem.
  • An audit trail is generated at each stage to ensure complete traceability.

Post-production monitoring

Once online, the platform is actively monitored (via Signoz, Graylog, Grafana, etc.) to detect anomalies, monitor performance, and automatically alert our team in the event of an incident.

In summary

TimeTonic offers you a flexible, powerful, sovereign, secure platform, hosted in France, designed for the most demanding organizations, and built on a solid foundation of security, reliability, and compliance. Whether you are a public company, a local authority, or a large private company, your applications and data are in good hands.

FAQ

  • OAUTH2 authentication for API access
  • 2FA
  • SSO via SAML2, all other standards will be studied upon request
  • Login / Password
  • We are compatible with all SAML2.0 compatible SSO services, any other standard will be studied upon request
  • Passwords must have no spaces, at least 8 characters, one number, one uppercase and one lowercase letter
  • Passwords are hashed and salted, so they cannot be recovered, only replaced
  • Passwords must be renewed every year
  • Accounts are nominative
  • TOTP 2FA is available for any account, actionable from the user’s profile
  • TimeTonic is a public SaaS platform, available through internet access.
  • All data transfers are secured with TLS 1.2 grade SSL (HTTPS enforced)
  • Data and software are hosted on our own servers and are not shared with any other company
  • Fine-grained, strict management of access rights prohibits unauthorized access to workspaces, columns, and data rows on both the client and server sides
  • Dedicated databases can be created on request to further isolate data in terms of access and performance
  • Dedicated servers can be created on request to increase performance
  • On-premise hosting is also available on request
  • Client files (PDF, Word, emails, etc.) are encrypted and stored on disk in locations not accessible over HTTP; only a link is generated, kept, and managed in a database
  • The data is managed per work area called "workspace". Each workspace has its own databases and access to the workspace is managed by specific rights management
  • Access by user or user group is possible, including by view, by row, by column - e.g. some people can see all the data but not the modification history, or others can have read-only access to one part of the data, write access to another part, and no access at all to another part
  • Access to files is via anonymous long URLs generated and managed in a database and therefore totally unreferenced and unsearchable by search engines - no file is therefore directly accessible
  • There are two types of URLs:
  1. One allowing free access to the owner of the URL
  2. The other always requiring a valid access right via TimeTonic login / password
  • The hardware and operational maintenance of TimeTonic servers is managed by Alwaysdata and the servers are physically hosted in Equinix datacenters in France
  • SOC 2, PCI DSS, SOC 1 Type 2 (SSAE 18 replaces SSAE 16) certifications are therefore present
  • Physical access to the datacenter is controlled by a security station, then by individual magnetic card and biometric readers
  • We use internally an audit tool (OpenVAS) to scan our servers for vulnerabilities and tools (e.g. rkhunter) to check the integrity of critical files on a daily basis
  • It is not possible to choose your datacenter
  • Backups are stored on different servers in France, at least several kilometers away from the main site, and hosted by a different host (Scaleway).
  • The files are encrypted
  • Access to user databases by other users is impossible (except for data shared by the users themselves when they have temporarily invited TimeTonic support members, who are themselves under strict NDAs). Only the CEO and CTO of TimeTonic have the administrator credentials of the servers, which are modified at least twice a year. Even for the CEO and CTO, we follow a strict policy of never accessing data without prior authorization from the customers
  • A 30-day rolling backup of all databases and files is made daily, and a monthly backup is made and kept for 12 months
  • The data belonging to the users are kept as long as the licenses are active and then archived for 1 year unless a request is made to delete an account
  • The user identification data (name, login) is kept for the duration of the licence / collection period and is deleted when an account is deleted with final payment
  • The backups are total and made daily at 4am with copies of the backups on separate servers
  • Restoration can be total or partial and is done on request
  • TimeTonic also keeps the history of all modifications made by users (who modified what, when, and what the previous value was). In addition to providing useful traceability for understanding the changes made, this makes it possible, on demand, to roll back at a very fine granularity without losing the changes made during the day since the last daily backup
  • A ctrl-z (undo) is also available directly by users in spreadsheet view for changes made at the moment
  • TimeTonic also generates a complete daily backup file for all workspace data tables, in Excel-compatible XML format, which you can access and keep by default for one year
  • Restoration from backup is done on demand and takes between 2h and 8h depending on the type of restoration requested (except ctrl-z, which instantly restores the previous data)
  • Except for the ctrl-z that can be done by the users themselves, the restoration requires the intervention of TimeTonic
  • The intervention is invoiced according to the time spent (in proportion to the daily cost in force, currently 950€ / day)
  • A complete data recovery is tested every week
  • Complete software installation procedures are tested approximately 4 times a year and complete data restores are tested weekly
  • We use Pingdom to test access to the service every minute, with SMS and email alerts sent to 3 people in case of unavailability
  • We use New Relic to measure response times and the number of application and database queries
  • We also use our own tools that send us an SMS in case of access error, repeated unauthorized access or request for a forgotten password
  • Alwaysdata manages servers across multiple Equinix data centers and can restore service to other servers. We also have our pre-production servers that can be converted to production servers in 8 hours
  • Procedures are not communicated
  • The source codes of the applications are not currently deposited but this can be put in place for contracts justifying such a request
  • Maximum observed service outage of 11 minutes in the last year
  • Observed availability rate above 99.95%
  • Yes, each customer can create an unlimited number of workspaces, including pre-production
  • We also have our own pre-production server
  • SLA:
  1. Pro licenses include the following service availability (online access):
     1. Guaranteed Response Time (GRT): 60 min (during support hours)
     2. GST (Guaranteed Service Repair Time): 2h (during support hours)
     3. Monthly guaranteed service availability: 99.5% (during support hours)
     4. Bug fix repair time is not guaranteed, but we will of course make all reasonable commercial efforts to fix the bugs
  • Support
  1. Email and phone support is provided Monday through Friday during business hours (9:30 am to 6:30 pm CET). Support calls that take more than 15 minutes to process are charged on an hourly basis
  2. If more than 8 hours of paid support are reached in a given month, a notification is sent to the customer asking if support should continue or not
  3. Professional user licenses can also request on-site support currently in the Paris area. On-site support outside the Paris area will incur additional business, travel and processing costs

  • Specifications, tests on developers' workstations, unit tests, functional tests, merge with master, tests on pre-prod server, release on production server and complete tests after 6pm, one-click rollback if necessary
  • Contact Alwaysdata in case of general access problems. Alwaysdata has an excellent service available also in case of emergency
  • Direct access by CEO/CTO for log analysis / re-installation of previous versions/database
  • Yes, see above
  • Admin training to be able to create or manage your own applications / business processes in total autonomy
  • Professional services to assist in the design and creation of applications / business processes
  • Training / documentation for users
  • On-site or remote support
  • Data import help
  • Export help / data restitution
  • Specific developments
  • Interfaces with your existing tools (we have already created interfaces with MS Navision, Office, Google, Dropbox, and Salesforce in particular)
  • Export csv / xml for data, ZIP for files
  • Yes, the intervention is invoiced on a time basis (in proportion to the daily cost in force, currently 950€ / day)
  • On request, we can also arrange for your data to be sent by FTP on a weekly basis
  • For Business licences, you can also create your own data exports, including files
  • It's possible
  • Yes, see above
  • Yes, in France
  • All your data belongs to you and no one else has access to it unless you expressly request it or the law requires it.
  • You can request the return of your data and the destruction of all your data at any time