Impersonation is a function that allows our support team, product owners, company administrators/management and senior developers to access your Moment account. We can impersonate a user’s live account, or their account in a mirrored environment that has no effect on their live account. This means that we can see and access all the contents of your Moment account.
We use this feature to answer technical support questions and check on issues as they are reported. If a user reports a problem that we are not able to replicate in our mirrored environment, then it may be necessary for us to access your profile to investigate the problem.
We maintain logs of who is impersonating what account, and at what time. This allows us to conduct internal audits to make sure that this feature is being used for its intended purpose.
Currently, only staff that have an immediate need to access profiles to provide technical support have access to impersonation. We regularly audit security access for employees to ensure that only those who need access to these features have access. All employees are trained in data handling regulations and sign data handling guidelines.
Welcome to the privacy guide for Moment. Our company is committed to following the General Data Protection Regulation (GDPR) laws that have been put into place. Here you will find an overview of what data we are storing and why, what 3rd parties we work with, and the legal and ethical guidelines we follow as a company to ensure the protection of your privacy.
We are open in regards to our internal procedures and protections that we have put into place. All employees have been educated in data handling regulations and confidentiality. They are required to sign an agreement that they have completed their training, and must sign and agree to our data handling guidelines. In addition to educating all staff members, we regularly conduct access level audits and update staff if any changes to the law have taken place.
All of our systems are encrypted with SSL. We do not send any customer/personal data unencrypted over the internet.
(All staff has completed and signed. For privacy reasons signatures have been omitted)
Here you will find the current version of our Data Processor Agreement (DPA) as well as Terms and Conditions:
Below is a list of the privacy pages to our data sub-processors (as listed in the DPA). Please note that the links below are to third party websites.
Impersonation is a function that we use in technical support to allow us to troubleshoot problems. For an in depth explanation on impersonation, see this article: .
In the event that you have any questions about any of the content listed, or have any requests, these can be directed to our email address . We can also be reached by telephone during normal business hours at +47 22 82 87 00.
Our users trust Moment Team to keep their data safe and secure, a responsibility we take seriously. If you have any questions or concerns about this, please get in touch.
If you would like to report a vulnerability or security concern regarding any Moment product, please contact .
We will verify the report and take corrective action as soon as possible, then notify our users and the relevant authorities of the issue.
Moment is fully GDPR-compliant, and we handle our customers' personal data with great care and respect, as outlined in our , , and throughout this document. We use industry best practices for security and privacy, and have vetted all third-party processors we employ for compliance as well.
Data controlled by our customers and provided via our application and API is ultimately our customers' responsibility under the GDPR, but we provide tools such as data retrieval via API and custom data retention policies through access control, as well as strict security practices, which allow our customers to remain compliant as well.
Amazon Web Services, which hosts Moment Team, supports multiple security standards and compliance certifications including EU-U.S. Privacy Shield, PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, NIST 800-171, ISO/IEC 27001:2013, 27017:2015, 27018:2019, and ISO/IEC 9001:2015 and CSA STAR CCM v3.0.1.
AWS regularly undergoes independent third-party attestation audits to provide assurance that control activities are operating as intended. More specifically, AWS is audited against a variety of global and regional security frameworks dependent on region and industry. AWS participates in over 50 different audit programs. For details see the and visit the .
Moment is hosted on Amazon Web Services (AWS), which employs some of the best security practices in the industry. This is described in the and the , and includes:
Physical security: All data centers have multiple 2FA checks, alarms, vehicle access barriers, perimeter fencing, metal detectors, biometrics, laser beam intrusion detection, interior and exterior cameras with tracking, security guards, access logs, and more.
Hardware security: Stripped-down, custom-built servers and network equipment with a chip-based root of trust for verification, identification, and authentication, a secure boot stack with cryptographically signed BIOS, bootloader, kernel, and base operating system image, and automated patching of firmware and software vulnerabilities. Virtual appliances are isolated from the host and each other via a highly customized version of the Xen hypervisor.
Network security: A private, global fiber-optic network extending to points-of-presence near the end user's local ISP, with automatic encryption of all internal WAN traffic using AES, logically isolated virtual private cloud networks spanning all data centers, hardware-rooted cryptographically authenticated control plane calls, fully distributed firewall rule enforcement, IP spoofing protection, and systematic anomaly detection.
Moment employees do not have direct physical access to data centers. Moment employees working with support and product development might have access to customer data for technical troubleshooting and support - see our for details.
Users log in to their Moment Team accounts either by using our standard authentication system, which uses two-factor authentication by default with a one-time password (OTP) provided through SMS, email, or the Google Authenticator App, or via a login page from a third party using the OAuth2 protocol over a secure connection.
We do not gain access to any external resources that might be linked to a Moment user account through an API key. Users of our API can also implement their own authentication solution to connect with external systems. The API key can be managed from within Moment.
Customers can customize access control for individual authenticated users by assigning them to various roles as required. Customers can also set custom access rules i.e. on absence or expense approval by matching individual authenticated users to specific self-defined tags.
All access to Moment resources by end users is encrypted in transit with HTTPS transport layer security (TLS). Support for the older SSLv2, SSLv3, TLS 1.0 and TLS 1.1 protocols is disabled, as are several older cipher suites, since these have known security vulnerabilities. Internally, data is encrypted in transit as outlined under .
We record a complete version history for transactions and documents submitted via our web application and API. Much of the data in the system has very strict auditing requirements that extend to years (e.g. invoicing transactions) and that we are legally required to keep. Contact related data and files can be deleted via our application and API. After removal, data might still be retained in our backups, to allow for recovery in the case of accidental or malicious removal. Access to backups is highly restricted, and is provided only to Moment employees who work with infrastructure maintenance as part of their daily roles.
We use continuous delivery to enable rapid and systematic development, testing, and deployment of our product, with automated error reporting and monitoring to alert us of problems. This ensures a quick and effective response to potential bugs and security issues, and reduces the risk of human error.
All data is encrypted in transit and at rest as outlined in as described in this document.
Employees access central resources using two-factor authentication via Moment, Google or GitHub accounts, and only have access to the systems required for their role. All remote access is encrypted, either via HTTPS transport level security or via VPN connections. Employees will never directly access customer-controlled data unless required for support reasons, which are always triggered by a direct customer request or related to a bug.
Internal services are isolated from the Internet to the extent possible, and only have access to the specific resources they need, with the minimum necessary privilege level, using a combination of service-specific cryptographically signed access tokens or passwords and network-level firewall rules.
Users might need access to customer related data, processing of customer data and documentation of processing of customer data. This data will be available through the Moment platform for as long as the user has a valid Moment subscription. Otherwise Moment can make such information available to the user as raw data from a database dump of a customer's company or a set of companies in Moment for a fee.
All data is removed or anonymized as soon as possible after deletion or service cancellation. The only exception is backup retention as outlined in this document to allow for recovery in the case of accidental or malicious removal. Users can also contact us to have their data removed. Storage devices are securely decommissioned after use as outlined under .
We perform internal security audits on an as-needed basis. Software upgrades are performed every 3 months to ensure our systems are secure and reliable, and we take immediate measures whenever significant security vulnerabilities are discovered.
Moment uses data centers in Norway and the EU. All customer-controlled data provided via our Service and/or API is stored permanently within the EU and/or Norway. However, during delivery to end users it may be stored transiently in locations outside of the EU, such as in CDN caches, networking equipment, and browser caches, depending on user location (e.g. offices abroad in Asia or the Americas).
Data which we control, such as our user database and email processing, may be stored in the U.S. with third-party processors employed by us in order to deliver the service. Please see our list of sub-processors on the page for details.
Customer-controlled data provided via our API is only stored in AWS, and never shared with any other third parties unless agreed upon by the customer. Other customer data for which we are a controller, such as our user database, email processing, error reporting, and so on, may be sent to certain third-party processors which we employ to deliver our services, as detailed in our and .
We have vetted the security and compliance of all such processors, and all transfers are performed securely and in line with best practices. Processors outside of the EU all comply with the current privacy law, and have signed data processing addendums with us for the processing of personal data. We never share any customer data, personal or otherwise, with third parties unless employed by us under contract as data processors.
Moment Team is built using fully redundant and distributed systems. We run our application and systems across multiple data centers, and can withstand the loss of a single component without significant service disruptions. Components are regularly taken out of service during routine maintenance, without affecting availability, and AWS migration technology transparently migrates virtual machines to other hosts prior to infrastructure maintenance.
Incoming traffic is load balanced across our backend infrastructure. Our backend systems can be scaled to handle increased load.
Data centers have primary and alternate power sources, as well as diesel engine backup generators, each of which can provide enough electrical power to run the data center at full capacity. Data centers also have automated fire detection and suppression equipment.
In addition to real-time replication across data centers, our databases are continuously backed up on location. Backup data is encrypted and is only accessible by employees working with infrastructure maintenance.
We make regular full copies of our data in backups on location, for disaster recovery purposes. This is managed by separate infrastructure, using separate access controls, and is only accessible by named employees.
Although our web frontend systems are distributed across the world (via the user’s browser), our backend systems currently run across data centers in the EU (Ireland, Germany and/or Sweden). If required by customers, we might consider implementing a fully global backend infrastructure, with customer-controlled data placement. In the highly unlikely event of a region-wide outage or similar disaster, we can fully recover to a different region with no data loss within 96 hours.
Moment’s uptime was 99.999% in 2021. Please visit our for details on the current state of Moment services.
All employees of Moment Team AS and Millnet AB are required to sign confidentiality agreements, and are only given access to the systems they need for their role. Employee computers are secured with encrypted hard drives and firewalls, and access to central resources and third-party services is always encrypted and protected with two-factor authentication, using a combination of passwords, time-based one-time passwords on dedicated devices, and cryptographic private keys. Our offices are secured with alarms and a combination of electronic and mechanical locks, with access logs.
We use a number of consultants and freelancers in our daily operations. All consultants are carefully vetted and are required to sign a work agreement with Moment Team AS before beginning work. The agreement outlines the confidentiality of the data the consultant will have access to while working at Moment.
Access for consultants is carefully monitored, and we use a “least-privileged” access policy, meaning that consultants only have access to systems they strictly need to perform their day to day work.
If a security issue or data leak is discovered, we will notify the affected users and relevant authorities as soon as possible, in line with current regulations. We also publish live reports of operational issues on our .
ProjectHelp infrastructure is handled separately and this Security and Compliance overview does not cover it. For further details, please reach out to our ProjectHelp support - see for details.
Moment uses the same security mechanisms for data transfer as standard online banking and is being developed with regard to privacy legislation with a strong focus on security. This, together with good routines for operation and production setting, ensures a very stable system.
We very rarely experience downtime or problems. The system runs on a set of servers that share the load between them. Thus, individual servers can be taken out for updating without downtime. This also allows for flexible scaling of capacity. The system provides low latency and good response times under high load from many concurrent users.
If you have any questions or concerns about anything on this page, please don't hesitate to contact us at .
Data security: All data is encrypted at rest with the industry-standard AES cipher, using regularly rotated encryption keys that are integrated with cryptographically authenticated service identities and automatically deleted on service termination. All storage is also encrypted at the hardware level, and decommissioned disks are securely erased with two independent verification processes and physically destroyed on-premise.
Employee security: All Amazon employees undergo relevant background checks and security training, and must sign confidentiality agreements. Only a small group of employees have access to customer data, on a least-privilege need-to-know basis, with all access monitored by dedicated audit teams. Physical access to data centers is kept down to a bare minimum. All employee access is authenticated, authorized, and encrypted using a 2FA based security model.