Security
Calendar Permissions
- Blinktime uses Read and Edit access to create and change events in your calendar. In this way, when you edit or create an event through the Blinktime app, the event is reflected within your connected calendar. Blinktime never edits events that were not created using Blinktime.
- Blinktime uses Delete access to remove Blinktime events from your calendar. Blinktime never deletes events that were not created using Blinktime.
- The content of calendar events not created through Blinktime that are retrieved through the Gmail or Outlook APIs is never stored on Blinktime systems (a fresh API call is performed every time a client requests this data).
Data
- No databases constituting the Blinktime app are accessible from the public internet.
- Blinktime uses industry-standard encryption for all Customer Data, both in transit and at rest.
- Blinktime uses logical separation within its multi-tenant architecture to enforce data segregation between Customers.
- Upon a customer’s request, their customer data is promptly deleted. With each deletion request, the data is logically deleted in the first storage copy and then completely deleted across the other copies. This is done in order to prevent accidental deletions or possible intentional damage.
Resilience
- All endpoints are protected against Denial-of-Service attacks.
- Cloud resources are deployed across multiple availability zones, to ensure resilience of the Blinktime app.
- Logging and monitoring are implemented across the Blinktime platform, to ensure rapid event notification and traceability.
- Rolling backups of all non-temporary data are implemented, to ensure data endurance.
Infrastructure
- Blinktime is hosted on Microsoft Azure. Information on Microsoft’s physical security controls can be found here: https://learn.microsoft.com/en-gb/compliance/assurance/assurance-datacenter-physical-access-security
- Microsoft maintains industry-standard security certifications, including ISO 27001 / 27002, ISO 22301, SOC 1, SOC 2, SOC 3 and PCI DSS (4.0) Level 1.
- Access to all systems requires two-factor authentication. Requests are restricted by IP address, and access attempts are logged for auditing purposes.
- Customer authentication is performed using the Google and Microsoft identity platforms, following industry best practises with regards to the Oauth2 standard.
- The Blinktime app implements strict security headers and other measures to prevent cross-site scripting, cross-site request forgery, and clickjacking attacks.
- Customer access to the Blinktime app is protected by the most current version of Transport Layer Security (TLS).
- All computers storing local copies of the Blinktime codebase have encrypted hard drives and are protected with biometric authentication.
Internal Processes
- Blinktime maintains ISO27001:2022 and 9001:2015 certification.
- Access to Blinktime's systems is administered under a strict least-privilege model.
- All company personnel are given training in information security and sign confidentiality agreements.
- Blinktime personnel do not access customer data. Where access is required to operate the service or assist in a customer issue, the request for access must be formally approved by the customer.
- There is a strict password policy for all personnel. All passwords and access keys have short maximum lifetimes.
- There is a comprehensive process to deactivate users and their access if personnel leave the company.
- Blinktime conducts penetration tests by CREST accredited third parties at least annually, and undertakes regular third-party vulnerability scanning and static-code testing.
- Blinktime maintains compliance with all applicable data protection laws, including General Data Protection Regulation (GDPR), and is registered with the ICO (certificate number: ZB503436).
- All client cookies and sensitive personal information are scrubbed before logging.
Vulnerability Disclosure Program
- Please report security exploits to security@blinktime.com. Exploits which qualify under the program will be answered within 3 working days.
- Rewards will be paid based on the severity of the vulnerability with a maximum level of £500.
- The following vulnerabilities will not qualify for a reward: UI/UX bugs, denial of service attacks, social engineering, phishing exercises, non-exploitable flaws.
- Please include step-by-step instructions so we can re-produce and details on the scope and severity of vulnerability.