
Security is a top priority at Ganttic. Enterprise-grade security is built into the foundation of our resource planning app. This, coupled with the latest best practices for compliance and user privacy, means that organizations can run more efficiently without sweating the small stuff.

Overview

  • Hosted on AWS data centers in the EU
  • Over 99.9% uptime
  • Data backups 4x daily
  • Protected by AWS WAF
  • Strong password policy
  • Annual penetration tests performed by third parties
  • Strict data access policies from our side
  • GDPR compliant

Hosting 

Ganttic is 100% cloud-based and hosted on dedicated servers provided by Amazon Web Services (AWS) located in Frankfurt, Germany. AWS provides its own security measures and holds certificates such as ISO/IEC 27001:2013 and ISO 9001:2015. Read about their specific security measures.

We are protected by AWS WAF, a web application firewall which safeguards apps and APIs against common web exploits and bots, including the OWASP Top 10 security risks. AWS WAF enables security rules that control bots which can affect availability, compromise security, or consume excessive resources. It also blocks common attack patterns, such as SQL injection or cross-site scripting. Read more here.

Reliability and Backups

We know how integral resources are to projects. So to ensure our users have access to their plans, we maintain over 99.9% uptime.

If data gets lost due to a technical error, we can restore it. Ganttic’s data backup model provides near real-time database replication. A full backup is performed 4x a day and is stored on redundant and geographically dispersed servers.

Application Security

Each user in Ganttic has a unique, password-protected account with a verified email address. The password is validated against password policies and stored securely using a strong hashing algorithm.

Ganttic also supports multiple methods of federated authentication (SSO), including Google OpenID, Microsoft Azure, OneLogin, and SAML 2.0, so users can conveniently and securely access a Ganttic account using corporate credentials.

We have an in-house patch management policy that ensures our operating systems, software, frameworks, and libraries are kept up to date. Regular internal network security audits and scans provide us with an ongoing overview of our systems and services, and care is taken to apply hotfixes and patches promptly when any vulnerabilities are found or reported.

We employ annual security check-ups via third-party penetration testing.

Website data is always sent over a secure, encrypted connection using 128-bit Transport Layer Security (TLS 1.2). TLS is the preferred network security method and protects your information using both server authentication and data encryption.

All credit card details are handled by our PCI-compliant partner Adyen. At no point do we receive or store any credit card details. Adyen is fully PCI DSS 3.2 compliant as a Level 1 Service Provider, which is the key security standard within the payments industry.

User and Access Security

Ganttic operates on the principle of least privilege. 

We do not access customer data for any reason other than those necessary to fulfill our contractual obligations to you. Only a handful of our authorized personnel can access client databases, and only upon request for development and maintenance purposes.

Ganttic users have complete control over who has access to their data. Customer data can only be accessed by other users within your Ganttic account if those users have been granted access to the items in question.

We built in advanced and customizable user permissions which can be updated in the app and redefined as needed. There are 3 basic levels of account access: Owners, Admins and Users. Owners can see and access everything in the account, including account payment info. Account Admins can control individual user rights by granting specific types of user licenses. Both can delete users and regulate planner access.

Account Owners and Admins can review user activity in their Ganttic History Log, which shows every action that takes place within their accounts.

Privacy

We know that our users’ plans run on their unique data. That’s why we take data privacy and protection extremely seriously. Please see our Privacy Policy for details on how Ganttic collects, uses, and discloses personal and other information we gather through our website and applications. Here you can find the data processing agreement, and here we have a list of our sub-processors.

The General Data Protection Regulation (GDPR) is a European regulation that took effect on May 25, 2018, and sets out standards for the protection and processing of personal data. As we are based in Estonia, Ganttic is fully GDPR compliant.

You have the right to your data. When an account is removed, all personal data will be deleted, except data we are required by law to keep. The backup files will be stored for 30 days. Only personal data necessary for accounting purposes will be kept for seven years.

For More Information

If you need more information on our privacy practices, find a privacy issue with our product, or suspect that your account has been compromised, please contact us at support@ganttic.com.