Security and Compliance

Last updated: 23.05.2022

Our users trust Moment Team to keep their data safe and secure, a responsibility we take seriously. If you have any questions or concerns about this, please get in touch.

Reporting Vulnerabilities

If you would like to report a vulnerability or security concern regarding any Moment product, please contact privacy@moment.team.

We will verify the report and take corrective action as soon as possible, then notify our users and the relevant authorities of the issue.

Compliance and Infrastructure

General Data Protection Regulation (GDPR)

Moment is fully GDPR-compliant, and we handle our customers' personal data with great care and respect, as outlined in our terms of service, privacy overview, and throughout this document. We use industry best practices for security and privacy, and have vetted all third-party processors we employ for compliance as well.

Data controlled by our customers and provided via our application and API is ultimately our customers' responsibility under the GDPR, but we provide tools such as data retrieval via API, custom data retention policies through access control, and strict security practices, which allow our customers to remain compliant as well.

Infrastructure

Amazon Web Services, which hosts Moment Team, supports multiple security standards and compliance certifications including EU-U.S. Privacy Shield, PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, NIST 800-171, ISO/IEC 27001:2013, 27017:2015, 27018:2019, and ISO/IEC 9001:2015 and CSA STAR CCM v3.0.1.

AWS regularly undergoes independent third-party attestation audits to provide assurance that control activities are operating as intended. More specifically, AWS is audited against a variety of global and regional security frameworks, depending on region and industry. AWS participates in over 50 different audit programs. For details, see the AWS Risk and Compliance Whitepaper and visit the AWS Compliance page.

Infrastructure Security

Moment is hosted on Amazon Web Services (AWS), which employs some of the best security practices in the industry. This is described in the Introduction to AWS Security Whitepaper and the AWS Overview of Security Processes Whitepaper, and includes:

  • Physical security: All data centers have multiple 2FA checks, alarms, vehicle access barriers, perimeter fencing, metal detectors, biometrics, laser beam intrusion detection, interior and exterior cameras with tracking, security guards, access logs, and more.

  • Hardware security: Stripped-down, custom-built servers and network equipment with a chip-based root of trust for verification, identification, and authentication, a secure boot stack with cryptographically signed BIOS, bootloader, kernel, and base operating system image, and automated patching of firmware and software vulnerabilities. Virtual appliances are isolated from the host and each other via a highly customized version of the Xen hypervisor.

  • Network security: A private, global fiber-optic network extending to points-of-presence near the end user's local ISP, with automatic encryption of all internal WAN traffic using AES, logically isolated virtual private cloud networks spanning all data centers, hardware-rooted cryptographically authenticated control plane calls, fully distributed firewall rule enforcement, IP spoofing protection, and systematic anomaly detection.

  • Data security: All data is encrypted at rest with the industry-standard AES cipher, using regularly rotated encryption keys that are integrated with cryptographically authenticated service identities and automatically deleted on service termination. All storage is also encrypted at the hardware level, and decommissioned disks are securely erased with two independent verification processes and physically destroyed on-premise.

  • Employee security: All Amazon employees undergo relevant background checks and security training, and must sign confidentiality agreements. Only a small group of employees have access to customer data, on a least-privilege, need-to-know basis, with all access monitored by dedicated audit teams. Physical access to data centers is kept to a bare minimum. All employee access is authenticated, authorized, and encrypted using a 2FA-based security model.

Moment employees do not have direct physical access to data centers. Moment employees working with support and product development might have access to customer data for technical troubleshooting and support - see our document about impersonation for details.

Application Security

Authentication and Access Control

Users log in to their Moment Team accounts either through our standard authentication system, which uses two-factor authentication by default with a one-time password (OTP) delivered via SMS, email, or the Google Authenticator app, or through a third-party login page using the OAuth2 protocol over a secure connection.

We do not gain access to any external resources that might be linked to a Moment user account through an API key. Users of our API can also implement their own authentication solution to connect with external systems. The API key can be managed from within Moment.

Customers can customize access control for individual authenticated users by assigning them to various roles as required. Customers can also set custom access rules, e.g. for absence or expense approval, by matching individual authenticated users to specific self-defined tags.

Encryption

All access to Moment resources by end users is encrypted in transit with HTTPS transport layer security (TLS). Support for the older SSLv2, SSLv3, TLS 1.0 and TLS 1.1 protocols is disabled, as are several older cipher suites, since these have known security vulnerabilities. Internally, data is encrypted in transit as outlined under Infrastructure Security.

Data Retention and Removal

We record a complete version history for transactions and documents submitted via our web application and API. Much of the data in the system has very strict auditing requirements that extend to years (e.g. invoicing transactions) and that we are legally required to keep. Contact-related data and files can be deleted via our application and API. After removal, data might still be retained in our backups, to allow for recovery in the case of accidental or malicious removal. Access to backups is highly restricted, and is provided only to Moment employees who work with infrastructure maintenance as part of their daily roles.

Application Development Lifecycle

We use continuous delivery to enable rapid and systematic development, testing, and deployment of our product, with automated error reporting and monitoring to alert us of problems. This ensures a quick and effective response to potential bugs and security issues, and reduces the risk of human error.

Data Security and Privacy

Encryption

All data is encrypted in transit and at rest as outlined under Infrastructure Security in this document.

Access Control

Employees access central resources using two-factor authentication via Moment, Google or GitHub accounts, and only have access to the systems required for their role. All remote access is encrypted, either via HTTPS transport layer security or via VPN connections. Employees never directly access customer-controlled data unless required for support reasons, which is always triggered by a direct customer request or related to a bug.

Internal services are isolated from the Internet to the extent possible, and only have access to the specific resources they need, with the minimum necessary privilege level, using a combination of service-specific cryptographically signed access tokens or passwords and network-level firewall rules.

Data Access

Users might need access to customer-related data, to the processing of customer data, and to documentation of that processing. This data is available through the Moment platform for as long as the user has a valid Moment subscription. Otherwise, Moment can make such information available to the user as raw data from a database dump of a customer's company or a set of companies in Moment, for a fee.

Data Retention and Removal

All data is removed or anonymized as soon as possible after deletion or service cancellation. The only exception is backup retention as outlined in this document to allow for recovery in the case of accidental or malicious removal. Users can also contact us to have their data removed. Storage devices are securely decommissioned after use as outlined under Infrastructure Security.

Security Audits and Software Upgrades

We perform internal security audits as needed. Software upgrades are performed every 3 months to ensure our systems are secure and reliable, and we take immediate measures whenever significant security vulnerabilities are discovered.

Geographic Location

Moment uses data centers in Norway and the EU. All customer-controlled data provided via our Service and/or API is stored permanently within the EU and/or Norway. However, during delivery to end users it may be stored transiently in locations outside of the EU, such as in CDN caches, networking equipment, and browser caches, depending on user location (e.g. offices abroad in Asia or the Americas).

Data which we control, such as our user database and email processing, may be stored in the U.S. with third-party processors employed by us in order to deliver the service. Please see our list of sub-processors on the Privacy Overview page for details.

Third-Party Processors

Customer-controlled data provided via our API is only stored in AWS, and never shared with any other third parties unless agreed upon by the customer. Other customer data for which we are a controller, such as our user database, email processing, error reporting, and so on, may be sent to certain third-party processors which we employ to deliver our services, as detailed in our Terms of Service and Privacy Overview.

We have vetted the security and compliance of all such processors, and all transfers are performed securely and in line with best practices. Processors outside of the EU all comply with the current privacy law, and have signed data processing addendums with us for the processing of personal data. We never share any customer data, personal or otherwise, with third parties unless employed by us under contract as data processors.

Business Continuity

High Availability

Moment Team is built using fully redundant and distributed systems. We run our application and systems across multiple data centers, and can withstand the loss of a single component without significant service disruptions. Components are regularly taken out of service during routine maintenance, without affecting availability, and AWS migration technology transparently migrates virtual machines to other hosts prior to infrastructure maintenance.

Incoming traffic is load balanced across our backend infrastructure. Our backend systems can be scaled to handle increased load.

Data centers have primary and alternate power sources, as well as diesel engine backup generators, each of which can provide enough electrical power to run the data center at full capacity. Data centers also have automated fire detection and suppression equipment.

Backups

In addition to real-time replication across data centers, our databases are continuously backed up on location. Backup data is encrypted and is only accessible by employees working with infrastructure maintenance.

Disaster Recovery

We make regular full copies of our data in backups on location, for disaster recovery purposes. This is managed by separate infrastructure, using separate access controls, and is only accessible by named employees.

Although our web frontend systems are distributed across the world (via the user’s browser), our backend systems currently run across data centers in the EU (Ireland, Germany and/or Sweden). If required by customers, we might consider implementing a fully global backend infrastructure, with customer-controlled data placement. In the highly unlikely event of a region-wide outage or similar disaster, we can fully recover to a different region with no data loss within 96 hours.

Uptime

Moment’s uptime was 99.999% in 2021. Please visit our status page for details on the current state of Moment services.

Corporate Security

Employees

All employees of Moment Team AS and Millnet AB are required to sign confidentiality agreements, and are only given access to the systems they need for their role. Employee computers are secured with encrypted hard drives and firewalls, and access to central resources and third-party services is always encrypted and protected with two-factor authentication, using a combination of passwords, time-based one-time passwords on dedicated devices, and cryptographic private keys. Our offices are secured with alarms and a combination of electronic and mechanical locks, with access logs.

Consultants and Freelancers

We use a number of consultants and freelancers in our daily operations. All consultants are carefully vetted and are required to sign a work agreement with Moment Team AS before beginning work. The agreement outlines the confidentiality of the data the consultant will have access to while working at Moment.

Access for consultants is carefully monitored, and we use a “least-privilege” access policy, meaning that consultants only have access to the systems they strictly need to perform their day-to-day work.

Disclosure Policy

If a security issue or data leak is discovered, we will notify the affected users and relevant authorities as soon as possible, in line with current regulations. We also publish live reports of operational issues on our status page.

ProjectHelp Note

ProjectHelp infrastructure is handled separately and this Security and Compliance overview does not cover it. For further details, please reach out to our ProjectHelp support - see https://moment.team/projecthelp for details.

Summary

Moment uses the same security mechanisms for data transfer as standard online banking, and is developed with privacy legislation in mind and a strong focus on security. This, together with good routines for operations and the production environment, ensures a very stable system.

We very rarely experience downtime or problems. The system runs on a set of servers that share the load between them. Thus, individual servers can be taken out for updating without downtime. This also allows for flexible scaling of capacity. The system provides low latency and good response times under high load from many concurrent users.

If you have any questions or concerns about anything on this page, please don't hesitate to contact us at privacy@moment.team.