Last updated: 13.05.2022

What is impersonation?

Impersonation is a function that allows our support team, product owners, company administrators/management and senior developers to access your Moment account. We can impersonate a user’s live account, or their account in a mirrored environment that has no effect on their live account. This means that we can see and access all the contents of your Moment account.

Why do we use impersonation?

We use this feature to answer technical support questions and check on issues as they are reported. If a user reports a problem that we are not able to replicate in our mirrored environment, then it may be necessary for us to access your profile to investigate the problem.

How do we track this?

We maintain logs of who is impersonating what account, and at what time. This allows us to conduct internal audits to make sure that this feature is being used for its intended purpose.

Who has access to this function?

Currently, only staff that have an immediate need to access profiles to provide technical support have access to impersonation. We regularly audit security access for employees to ensure that only those who need access to these features have access. All employees are trained in data handling regulations and sign data handling guidelines.

We offer a basic data import which is based on a Template provided by Moment and filled in by the customer.

A Basic import covers only what is described in this section. A minimum charge applies for every basic import requested by the customer.

Basic import only allows import of basic data on customers, projects and employees into Moment. This is a self-service option and you are in charge of filling in the information in our Moment Basic Import Excel file. The file will then be sent by you to the Moment's onboarding team, who will import the data into Moment.

Last updated: 29.05.2020

Moment offers a range of courses for administrators, quality and project managers and other super users of our business tool. These are provided for your convenience in the form of private and open courses delivered online:

• Private courses: additional training for client’s staff in the form of a tailor made private course. We recommend that this training be performed after the client has been familiarized with Moment, eg. 1-6 months after start-up. Course package details will be presented separately and at client’s request.

• Public courses: We provide a range of public courses. Course package details will be presented separately through our newsletter, website, order form or at client’s request.

By ordering training from Moment you confirm order bookings and that your company will be sent an invoice for the course fee within 14 days. It is not possible to cancel courses, but if one or more attendees of your company are not be able to attend we can reserve a place for a course later.

Welcome to the privacy guide for Moment. Our company is committed to following the General Data Protection Regulation (GDPR) laws that have been put into place. Here you will find an overview of what data we are storing and why, what 3rd parties we work with, and the legal and ethical guidelines we follow as a company to ensure the protection of your privacy.

Our procedures

We are open in regards to our internal procedures and protections that we have put into place. All employees have been educated in data handling regulations and confidentiality. They are required to sign an agreement that they have completed their training, and must sign and agree to our data handling guidelines. In addition to educating all staff members, we regularly conduct access level audits and update staff if any changes to the law have taken place.

All of our systems are encrypted with SSL. We do not send any customer/personal data unencrypted over the internet.

(All staff has completed and signed. For privacy reasons signatures have been omitted)

Data Processor Agreement & Terms and Conditions

Here you will find the current version of our Data Processor Agreement (DPA) as well as Terms and Conditions:

Sub-processors information pages

Below is a list of the privacy pages to our data sub-processors (as listed in the DPA). Please note that the links below are to third party websites.

Impersonation

Impersonation is a function that we use in technical support to allow us to troubleshoot problems. For an in depth explanation on impersonation, see this article: .

Who to contact

In the event that you have any questions about any of the content listed, or have any requests, these can be directed to our email address . We can also be reached by telephone during normal business hours at +47 22 82 87 00.

We describe herein a typical onboarding process for a new customer. Based on our experience we offer an onboarding package. This package includes a specific number of hours for communication, meetings and preparation between Moment and the customer. This is enough for an ordinary onboarding as described in the phases of implementation in this page. However, should the hours included in the onboarding be exceeded then Moment will bill for these hours which will be priced as per Moment’s consulting rate. The customer will be notified when the included hours have been used.

Moment offer accepted

Moment Team will present the client with a detailed price offer, and ask for a decision within a certain date. The offer acceptance date is the starting point of the subscription to Moment, the implementation timeline herein described and the onboarding towards a transition of the client to Moment.

We provide a wide range of consulting services that cover simple tasks such as setting up your tag system, creating and implementing new routines or setting up new systems or integrations with Moment. If you have more advanced needs, one of our consultants can help you address project management, profitability, workflow optimization, accounting integration, resource planning and best use of Moment on a more dedicated basis so we can make sure to assess areas for improvement and implement best practices for the client’s company.

Make sure to check also the Advanced Import Services and Moment Training Courses sections.

A few examples of common additional consulting services related to onboarding and data import follows:

Finding the perfect workflow

Analysis of the company’s routines and advice on how to get the most out of Moment based on your needs, before training. We often see that when companies change systems, eg. for project management, a new line of possibilities opens, and there can be internal discussions on how to adapt routines to the possibilities Moment gives. This normally happens during training and we see that it is not necessarily the best use of time, since many project managers will take part and spend a lot of (non-billable) time. We highly recommend to book a meeting with our onboarding representative to go through your needs so that we can suggest solutions on how to use Moment in the best way - before the training starts. In that way you will feel more in control of how the system works and how you want your employees to use the system.

Tailored user manual for your company

We make a user guide for your company explaining the core steps of processes in Moment, eg. how to set up a project, add price models, create invoices and make reports

Last updated: 31.03.2020

Fakturasalg av Moment og Aprila Bank

Fakturasalg er ny tjeneste som tilbys direkte i Moment. Det koster ingenting å aktivere tjenesten og den fungerer sømløst som et valg under faktureringen din som gir deg muligheten til å selge fakturaer og få penger inn på konto i løpet av 24 timer.

Du velger selv om du vil selge eller fakturere på vanlig måte. Det vil alltid vœre tydelig hva den nøyaktige kostnaden av å selge en faktura er.

Tjenesten er et samarbeid mellom Aprila og Moment. Banktjenesten leveres av Aprila som tilbyr enkle finansieringsløsninger for små og mellomstore bedrifter direkte i deres faktureringssystem. Moment er en formidlingskanal for tjenesten.

Ved å søke om bruk av denne tjenesten godkjenner du samtidig avtalevilkårene som beskrevet i dette dokumentet. For å kunne bruke tjenesten må du registrere selskapet ditt i Aprila Bank. Kort tid etter dette vil du få et varsel i Moment om at tjenesten er klar for bruk.

AVTALEVILKÅR FOR FAKTURASALG

Aprila er en leverandør av banktjenester for bedriftsmarkedet. Aprila og Moment har i samarbeid utviklet en løsning der Aprilas banktjenester tilbys direkte i Moment sitt faktureringssystem og Moment er en formidlingskanal for tjenesten.

For å kunne tilby denne tjenesten trenger vi ditt samtykke for å oversende følgende informasjon fra Moment til Aprila:

• Selskapsinformasjon for ditt firma

• Regnskapsinformasjon for ditt firma

• Din e-postadresse

• Dine kunders e-postadresse

Fakturaens kriterier:

• Fakturamottaker er en bedrift med adresse i Norge og et gyldig, norsk organisasjonsnummer

• Fakturaens beløp er i norske kroner og pålydende er 200 kroner eller mer

• Fakturaen er ikke av type abonnement eller samlefaktura

• Fakturaen er av type elektronisk og ikke en papirfaktura

Alle personer med faktureringstilgang i Moment kan i utgangspunktet selge en faktura, så vœr oppmerksom på hvilke personer som har denne tilgangen i kontoen.

NB! Det er viktig at solgt faktura er oppført med korrekt fakturamottaker (org.nr). Salg av faktura kan ikke reverseres etter at transaksjonen er sent til utbetaling. Dersom fakturaen må krediteres kan ikke salgskostnaden tilbakebetales.

Last updated: 29.05.2020

We know how critical your billing system is. For this reason, we strive to make sure your transition to Moment is done as smoothly as possible. We onboard customers to Moment multiple times per week, and we approach this in a structured and streamlined way to make sure you and your team gain the confidence you need to get started with our services in a good way and until you are finished with your first billing as described below. From there on, our support team will be your contact point. End-user support for day-to-day Moment tasks is included in our subscription services.

‌A typical onboarding covers what is described in the “implementation timeline and services” section below. Should the customer request any optional add-ons, training or additional consulting services related to onboarding then Moment will bill these services additionally. Such services will be priced per consulting hour.

Last updated: 29.05.2020

When your company transitions to Moment, you have the option of importing essential data from you current project management system. This is an optional service, but most of our new clients make use of it. With data import, you can start using Moment almost as if it's always been your project management system, since mostly all data will be there.

We offer the following options:

Last updated: 13.05.2022

Overview

This is the privacy policy for the free Moment Mobile app. This service is provided by Moment Team AS at no cost and is intended for existing users of Moment project management web application. This app acts as an extension of the Moment project management web application, and requires a Moment subscription and login.

Last updated: 21.11.2022

Please read these Terms and Conditions ("Terms") carefully before using the https://app.moment.team/ website or mobile application (the "service") operated by Moment Team AS ("us", "we", or "our").

Your access to and use of the service is conditioned on your acceptance of and compliance with these Terms. These Terms apply to all visitors, users, and others who access or use the service.

By accessing or using the service you agree to be bound by these Terms. If you disagree with any part of the terms then you may not access the service.

Description of service

Moment is a cloud-based software for invoicing, project management, and time registration. When purchasing a subscription, the customer purchases the right to use the services as stated in these Terms as long as the customer has a valid and paid subscription.

Subscriptions and pricing

Moment (the service) is billed on a subscription basis. Billing is done in advance quarterly, unless another agreement has been made at the time of purchase. The customer will be asked to supply certain information relevant to your purchase (billing/financial, company information) in order for us to bill for the service. Invoices are sent by email or electronic invoice.

Unless otherwise specified, all subscriptions are renewed automatically. Services can be canceled and terminated at anytime by the customer, unless another agreement has been made at the time of purchase. If the service is terminated after an advance payment has been received, Moment will credit the customer the remainder of the balance.

Moment Team will add taxes or duties where Moment Team is required by law to pay or collect them, this will be paid by the customer in addition to the subscription fees.

All Moment prices are subject to a yearly index regulation, in line with the development in the market, with the effect from the 1st of January each year.

Additional services and purchases

When purchasing any Moment specific product or service (e.g., Moment courses or professional services), the same information that has been supplied for subscription billing will be used for the billing of purchases. If different billing information is to be used, this needs to be specified at the time of purchase.

Moment offers additional services including in-app purchases and sales in collaboration with third party partners. Payment methods for billing/paying these purchases/sales are specified at the time of purchase/sale.

Termination

If the customer wants to discontinue use of the service, notice including an end date must be given to Moment Team. The customer must ensure to collect all information and data that they desire to retain or have available after the termination takes effect. Moment Team reserves the right to irreversibly delete all company data belonging to the customer within 30 days, after the termination has taken effect.

Termination for default

Moment may, by written notice to the customer terminate the subscription and the terms with immediate effect without any liability whatsoever if, (i) The customer is in material breach of any provisions of the Terms or any agreement with Moment Team, or (ii) The customer or a user uses the services as a part of a crime or any illegal behavior (including without limitation any kind of fraud), (iii) The customer or user uses the services in a manner that may result in losses or the risk of loss for Moment Team AS or any third party; (iiii) Any proceeding in insolvency, bankruptcy, reorganization, or liquidation are instituted against the customer voluntarily or involuntarily.

Upon occurrence of any of the events referred to above, all payments to be made by the customer to Moment Team shall become immediately due and payable.

Payment default of more than 60 days is always considered a material breach, provided that Moment Team has given at least one payment reminder by email. After 60 days of non-payment, Moment team reserves the right to suspend services, which may be returned upon receipt of payment.

If entered into a fixed length subscription agreement, the customer shall be entitled to terminate the subscription and terms with immediate effect if (i) operational disruptions or error occur to such an extent that the customer does not have access to the services for a continuous period of 14 days/ 2 weeks or (ii) Moment Team is in material breach of its obligations under the terms and fails to effect rectification within 14 days.

Legal requirement applicable for the customer

The customer is responsible for compliance with any specific legal requirements for their business (e.g. health or financial). Moment does not guarantee compliance with legal requirements applicable for your use of the services. This includes but is not limited to any legal requirements regarding time registration, invoicing, enforcement of money claims, and outsourcing.

Liability

Subject to the limitations set forward in this clause, Moment Team shall only be liable for direct damages. Moment Team’s liability under the Terms shall be limited to an amount corresponding to the fees paid by the customer for the service during the period of 12 months immediately prior to the breach of contract that entitles damages. Moment Team is not liable for indirect or consequential losses, including but not limited to loss of profits or anticipated savings, loss of revenue, loss of content or any other data.

Maintenance and downtime

Moment Team and the customer agree that the service will not always be completely free of errors and that the improvement of Moment is a continuous process. The successful use of the service is dependent on equipment and other factors (such as internet connection) that the customer has responsibility for. Moment Team will ensure to our best ability that the service is up and running. If a complete disruption in service should occur, this will be resolved within a 24 hour period.

Moment Team reserves the right to make improvements, add, modify, or remove functionality, or correct any errors or defects in the service at its sole discretion, without any liability resulting from such acts.

Force Majeure

Moment Team is not responsible or liable for any failure or delay in performance due to circumstances beyond its reasonable control, including but not limited to, war, riots, embargoes, acts of civil or military authorities, fire, floods, accidents, service outages resulting from equipment and or software failure, telecommunication failure, power failure, or failure of third party service provider. The performance of this agreement shall then be suspended for as long as any such event prevents the affected party from performing its obligations under this agreement.

Intellectual property rights

The agreement between Moment Team and the customer does not constitute a transfer of any intellectual property rights from Moment Team. Moment Team retains ownership of all intellectual property rights and know-how related to the service, including present and future versions. The customer has no right to sell, lend, sub-license, distribute in any way (free of charge), create derivative works of, copy, frame, access, or try to get access to the source code of, mirror or reverse engineer any part or feature of the service.

Proprietary rights in content

All content uploaded to, transferred through, posted, entered or processed through Moment by the customer/users shall remain the sole property and responsibility of the customer or its respective legal owner. Moment has no liability or responsibility for such content. The customer owns and is responsible for all data, information, and material of any kind uploaded into the service by the customer or users. The customer is data controller for all data inputted into the service, including personal data.

Confidentiality

Both parties agree not to disclose confidential information about the other party or contractual details to any third party except for the purpose of providing the services, fulfilling obligations set out in the Terms, or fulfilling any legal requirement.

Moment Analytics

We collect anonymized data for industry statistics, and publish this data for the customers and public. It is optional to participate.

Norwegian law

These terms shall be governed by and interpreted in accordance with the laws of Norway. Any disputes shall be referred to and finally resolved by the courts of Norway. The legal venue is Oslo City Court.

Changes

We reserve the right, at our sole discretion, to modify or replace these Terms at any time. If a revision is material we will try to provide at least 30 days notice prior to any new terms taking effect. What constitutes a material change will be determined at our sole discretion.

Contact Us

If you have any questions about these Terms, please contact us at [email protected].

Terms version from 01.01.2021 is .

In this section is described what we normally do not import during a transition to Moment. However, in some cases there is business-critical data that customers want in Moment, so we have compiled an overview of such needs which can be requested by the customer.

To the extent that it is possible to do so, we can provide the services described in the sections in this page. All such services will be provided by customer request and will be priced per consulting hour, without exceptions.

Make sure to check also the Advanced Onboarding Services and Moment Training Courses sections.

Help with organizing import data

We recommend this if you request a data import!

We have experienced several times that the data in the previous system (that we can import to Moment) needs a go through to make sure everything is in order. Systems often have different ways of organizing the data (eg. project and customer numbers, e-mail addresses and other info could be setup up in different ways, sometimes we have seen negative time records and there can be duplicates and other issues). We encourage all new users to do a “clean up” before starting the import. With our long experience of imports from different systems we can help you to find which data that should be gone through. In that way you will have a much better experience when you start with Moment and see that all the imported data is in order

Extra/additional imports

Sometimes you might want to have an extra round of import, either from another system, or you want something additional to what you agreed on in the first place, eg. invoice pdf’s or expenses. Also, if the data that was imported was not “cleaned up” correctly in advance of the import (which is the responsibility of the customer, but we can help you out - see point above), there might also be a need to do parts of the import over again. We can help you with extra imports as long as the data is available. See the Moment Onboarding - Data Import document for details.

Extra time balance / flex time

We do not import this, so you'll have to make adjustments to each employee's balance when you start using Moment. It's usually very simple and easy, and we'll show you how to do it. This is a one-time job that only needs to be done once.

Holiday balance

You must define this for each employee yourself. We do not have an overview of how many vacation days the different employees have each year and how much they can transfer from last year. This is very easy to adjust, and we'll show you how.

Some invoice info: Credit terms, due and payment status

Credit terms for specific projects are not transferred, and you should define this yourself for a) Company wide level, b) Customer level or c) Project level.

All invoices that are past due are set as paid. You must then go through and remove the payment on the overdue invoices that have not yet been paid.

Project pricing - hourly rate, fixed price, product price, etc. at both current and historical hours and projects

As a rule, we do not import this. Often it is more straightforward to set prices for projects that are to be invoiced in Moment than to have them imported. Especially when talking about different hourly rates for different employees, where the price may have also evolved over time. There may also be different prices for different activities / phases within the project. Such things make importing such data a little challenging. If there is a great desire to include hourly rates, we can look into it and get this imported if it can be done in a good way.

PDF Invoice

We have the option to import the actual invoice PDF (which has previously been sent to the customer). This requires that we either receive it or if it is possible to retrieve it for us in another way. Here we need to have 1 physical file per invoice (not 1 PDF with eg 10000 pages where each page is an invoice) and the file name contains the invoice number.

Set-up of invoice exports and integration

This is something you set up after the import, preferably together with the accountant. Some accounting systems only have the option of exporting (where your invoice manager manually exports via a button after each invoice via a download file or e-mail) and some have full integration where invoice information flows into the accounting system on an ongoing basis. You need to consult with your accounting consultant what is possible, and there is an overview in Moment which setup we have available. We can also help set this up if you wish.

Activities, tasks and products

If possible, this is something we can export from the old system and import into Moment.

Additional customer information

Additional customer information beyond what is described in our Standard import section is not included. If possible, this is something we can export from the old system and import into Moment:

• Customer status (whether the customer is active or not)

• Customer reference (which appears on the invoice)

• Invoice recipient (e-mail address to which invoices on the customer in question should be sent)

• Any tags

Status of hours - invoiced or not invoiced

This is something you have to go through yourself since in most cases we do not have the opportunity to have an overview of what is invoiced and not. At Moment, you can choose between "not approved", "approved", "invoiced" and "returned for correction". If possible, this is something we can export from the old system and import into Moment.

Expenses

This is something we don't normally import, but if the previously used system has a good overview of expenses that can easily be imported into Moment, this is something we can help with. These elements will then be possible to get into place in Moment:

• Which project and activity the expense belongs to

• Expense category if something has been used

• Description of the expense

• The title of the expense

Tags

If feasible, this is something we can export from the old system and import into Moment.

Checklist

If feasible, this is something we can export from an old system or from existing documents and import into the Moment Quality Management System for use in projects and tasks.

Import from several different systems

This will be relevant when data is in both the accounting system and the time tracking system or similar. If possible, we can import from both systems although this will count as two different imports.

Updated number series to match the accounting system

Customers, projects and invoices may have number series that do not match what the accounting system requires. This means that the transfer of invoice information from Moment to the accounting system can crash. This is something we can help with updating.

Other

If you feel that something is missing from the overview here, that you really want to bring with you in Moment then just let us now and we will look into it. If it is possible to import, then we will do what we can to get it done.

Moment’s Standard Import includes data that we typically import as part of the transition from another project management system. The data we import is detailed in this page, but only if the data is available in your current system in a meaningful, logical format. We'll have an ongoing dialogue during the import process, and agree on solutions if any questions or challenges arise.

A Standard Import only covers what is described in this section. Should you request any additional data to be imported, or any additional consulting services related to data import, you will be billed for these services additionally. Such services are priced per consulting hour.

If you need to import any data additional to what is described in this section, please see the Advanced Import section for further details.

Employees

• Name

• Title

• Phone #

• E-mail

Customers

• Customer number

• Customer name

• Company registration number (org.no)

• Phone #

Contacts (for your customers)

• Name

• Job title

• Phone #

• E-mail

Projects

• Project number

• Project name

• Customer

• Start date

Time Tracking Records (Hours)

• Coworker

• Project

• Activity, Phase or similar

• Date

Absence records

• Coworker

• Date

• Number of hours / minutes

• Absence category

Invoice information*

• Which project the invoice is from**

• Invoice number

• Invoice date

• Due date

*NB! We do not import the actual PDF Invoice to Moment. If you need this to be done additionally, please see the Advanced Import section below for details.

**NB: Here we are dependent on a link between project and invoice in the previous system. Sometimes invoices are only connected to customers. If there is no link between invoice and project, we will create a "dummy" project where all invoices will be collected and then the invoices will be linked to the correct customer, if there is a link between invoice and customer in the previous system.

***NB: This is about prices in finished / old invoices and not pricing of hours / product / etc. that will be billed in the future. Project prices are NOT included as standard import, and it's best that you have control over and submit this yourself. You are responsible for updating the price model for all projects in Moment before billing can take place.

1. The purpose of the Data Processor Agreement

The purpose of this Data Processing Agreement (the “DPA”) is to regulate the parties' rights and obligations in connection with the Data Processor (Moment Team AS, org.nr: 927 234 238) processing personal data on behalf of the Data Controller (the customer). The purpose of the DPA is to comply with the requirements for data processor agreements according to the Norwegian Personal Data Act (LOV-2000-04-14-31) and Personal Data Regulations, cf. section 15 of the Personal Data Act. The Agreement also seeks to comply with the General Data Protection Regulation ((EU) 2016/679). This DPA therefore aims to fulfill the statutory requirements in Norway after the General Data Protection Regulation has been implemented in Norwegian law.

Last updated: 23.05.2022

Our users trust Moment Team to keep their data safe and secure, a responsibility we take seriously. If you have any questions or concerns about this, please get in touch.

Reporting Vulnerabilities

If you would like to report a vulnerability or security concern regarding any Moment product, please contact .

We will verify the report and take corrective action as soon as possible, then notify our users and the relevant authorities of the issue.

Compliance and Infrastructure

General Data Protection Regulation (GDPR)

Moment is fully GDPR-compliant, and we handle our customers' personal data with great care and respect, as outlined in our , , and throughout this document. We use industry best practices for security and privacy, and have vetted all third-party processors we employ for compliance as well.

Data controlled by our customers and provided via our application and API is ultimately our customers' responsibility under the GDPR, but we provide tools such as data retrieval via API, custom data retention policies through access control, as well as strict security practices which allows our customers to remain compliant as well.

Infrastructure

Amazon Web Services, which hosts Moment Team, supports multiple security standards and compliance certifications including EU-U.S. Privacy Shield, PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, NIST 800-171, ISO/IEC 27001:2013, 27017:2015, 27018:2019, and ISO/IEC 9001:2015 and CSA STAR CCM v3.0.1.

AWS undergoes regularly independent third-party attestation audits to provide assurance that control activities are operating as intended. More specifically, AWS is audited against a variety of global and regional security frameworks dependent on region and industry. AWS participates in over 50 different audit programs. For details see the and visit the .

Infrastructure Security

Moment is hosted on Amazon Web Services (AWS), which employs some of the best security practices in the industry. This is described in the and the , and includes:

• Physical security: All data centers have multiple 2FA checks, alarms, vehicle access barriers, perimeter fencing, metal detectors, biometrics, laser beam intrusion detection, interior and exterior cameras with tracking, security guards, access logs, and more.

• Hardware security: Stripped-down, custom-built servers and network equipment with a chip-based root of trust for verification, identification, and authentication, a secure boot stack with cryptographically signed BIOS, bootloader, kernel, and base operating system image, and automated patching of firmware and software vulnerabilities. Virtual appliances are isolated from the host and each other via a highly customized version of the Xen hypervisor.

• Network security: A private, global fiber-optic network extending to points-of-presence near the end user's local ISP, with automatic encryption of all internal WAN traffic using AES, logically isolated virtual private cloud networks spanning all data centers, hardware-rooted cryptographically authenticated control plane calls, fully distributed firewall rule enforcement, IP spoofing protection, and systematic anomaly detection.

Moment employees do not have direct physical access to data centers. Moment employees working with support and product development might have access to customer data for technical troubleshooting and support - see our for details.

Application Security

Authentication and Access Control

Users log in to their Moment Team accounts either by using our standard authentication system with two-factor authentication by default with a one-time password (OTP) provided through sms, email, or the Google Authenticator App, or via login page from a third-party using the OAuth2 protocol over secure connection.

We do not gain access to any external resources that might be linked to a Moment user account through an API key. Users of our API can also implement their own authentication solution to connect with external systems. The API key can be managed from within Moment.

Customers can customize access control for individual authenticated users by assigning them to various roles as required. Customers can also set custom access rules i.e. on absence or expense approval by matching individual authenticated users to specific self-defined tags.

Encryption

All access to Moment resources by end users is encrypted in transit with HTTPS transport layer security (TLS). Support for the older SSLv2, SSLv3, TLS 1.0 and TLS 1.1 protocols is disabled, as are several older cipher suites, since these have known security vulnerabilities. Internally, data is encrypted in transit as outlined under .

Data Retention and Removal

We record a complete version history for transactions and documents submitted via our web application and API. Much of the data in the system has very strict auditing requirements that extend to years (e.g. invoicing transactions) and that we are legally required to keep. Contact related data and files can be deleted via our application and API. After removal, data might still be retained in our backups, to allow for recovery in the case of accidental or malicious removal. Access to backups is highly restricted, and is provided only to Moment employees who work with infrastructure maintenance as part of their daily roles.

Application Development Lifecycle

We use continuous delivery to enable rapid and systematic development, testing, and deployment of our product, with automated error reporting and monitoring to alert us of problems. This ensures a quick and effective response to potential bugs and security issues, and reduces the risk of human error.

Data Security and Privacy

Encryption

All data is encrypted in transit and at rest as outlined in as described in this document.

Access Control

Employees access central resources using two-factor authentication via Moment, Google or Github Accounts, and only have access to the systems required for their role. All remote access is encrypted, either via HTTPS transport level security or via VPN connections. Employees will never directly access customer-controlled data unless required for support reasons which are always triggered by a direct customer request or related to a bug.

Internal services are isolated from the Internet to the extent possible, and only have access to the specific resources they need, with the minimum necessary privilege level, using a combination of service-specific cryptographically signed access tokens or passwords and network-level firewall rules.

Data Access

Users might need access to customer related data, processing of customer data and documentation of processing of customer data. This data will be available through the Moment platform for as long as the user has a valid Moment subscription. Otherwise Moment can make such information available to the user as raw data from a database dump of a customer's company or a set of companies in Moment for a fee.

Data Retention and Removal

All data is removed or anonymized as soon as possible after deletion or service cancellation. The only exception is backup retention as outlined in this document to allow for recovery in the case of accidental or malicious removal. Users can also contact us to have their data removed. Storage devices are securely decommissioned after use as outlined under .

Security Audits and Software Upgrades

We perform internal security audits on a need by need basis. Software upgrades are performed every 3 months to ensure our systems are secure and reliable, and take immediate measures whenever significant security vulnerabilities are discovered.

Geographic Location

Moment uses data centers in Norway and the EU. All customer-controlled data provided via our Service and/or API is stored permanently within the EU and/or Norway. However, during delivery to end users it may be stored transiently in locations outside of the EU, such as in CDN caches, networking equipment, and browser caches, depending on user location (e.g. offices abroad in Asia or the Americas).

Data which we control, such as our user database and email processing, may be stored in the U.S. with third-party processors employed by us in order to deliver the service. Please see our list of sub-processors on the page for details.

Third-Party Processors

Customer-controlled data provided via our API is only stored in AWS, and never shared with any other third parties unless agreed upon by the customer. Other customer data for which we are a controller, such as our user database, email processing, error reporting, and so on, may be sent to certain third-party processors which we employ to deliver our services, as detailed in our and .

We have vetted the security and compliance of all such processors, and all transfers are performed securely and in line with best practices. Processors outside of the EU all comply with the current privacy law, and have signed data processing addendums with us for the processing of personal data. We never share any customer data, personal or otherwise, with third parties unless employed by us under contract as data processors.

Business Continuity

High Availability

Moment Team is built using fully redundant and distributed systems. We run our application and systems across multiple data centers, and can withstand the loss of a single component without significant service disruptions. Components are regularly taken out of service during routine maintenance, without affecting availability, and AWS migration technology transparently migrates virtual machines to other hosts prior to infrastructure maintenance.

Incoming traffic is load balanced across our backend infrastructure. Our backend systems can be scaled to handle increased load.

Data centers have primary and alternate power sources, as well as diesel engine backup generators, each of which can provide enough electrical power to run the data center at full capacity. Data centers also have automated fire detection and suppression equipment.

Backups

In addition to real-time replication across data centers, our databases are continuously backed up on location. Backup data is encrypted and is only accessible by employees working with infrastructure maintenance.

Disaster Recovery

We make reguler full copies of our data in backups on location, for disaster recovery purposes. This is managed by separate infrastructure, using separate access controls, and is only accessible by named employees.

Although our web frontend systems are distributed across the world (via the user’s browser), our backend systems currently run across data centers in the EU (Ireland, Germany and/or Sweden). If required by customers, we might consider implementing a fully global backend infrastructure, with customer-controlled data placement. In the highly unlikely event of a region-wide outage or similar disaster, we can fully recover to a different region with no data loss within 96 hours.

Uptime

Moment’s uptime was 99.999% in 2021. Please visit our for details on the current state of Moment services.

Corporate Security

Employees

All employees of Moment Team AS and Millnet AB are required to sign confidentiality agreements, and are only given access to the systems they need for their role. Employee computers are secured with encrypted hard drives and firewalls, and access to central resources and third-party services are always encrypted and protected with two-factor authentication, using a combination of passwords, time-based one time passwords on dedicated devices, and cryptographic private keys. Our offices are secured with alarms and a combination of electronic and mechanical locks, with access logs.

Consultants and Freelancers

We use a number of consultants and freelancers in our daily operations. All consultants are carefully vetted and are required to sign a work agreement with Moment Team AS before beginning work. The agreement outlines the confidentiality of the data the consultant will have access to while working at Moment.

Access for consultants is carefully monitored, and we use a “least-privileged” access policy, meaning that consultants only have access to systems they strictly need to perform their day to day work.

Disclosure Policy

If a security issue or data leak is discovered, we will notify the affected users and relevant authorities as soon as possible, in line with current regulations. We also publish live reports of operational issues on our .

ProjectHelp Note

ProjectHelp infrastructure is handled separately and this Security and Compliance overview does not cover it. For further details, please reach out to our ProjectHelp support - see for details.

Summary

Moment uses the same security mechanisms for data transfer as standard online banking and is being developed with regard to privacy legislation with a strong focus on security. This, together with good routines for operation and production setting, ensures a very stable system.

We very rarely experience downtime or problems. The system runs on a set of servers that share the load between them. Thus, individual servers can be taken out for updating without downtime. This also allows for flexible scaling of capacity. The system provides low latency and good response times under high load from many concurrent users.

If you have any questions or concerns about anything on this page, please don't hesitate to contact us at .