Security at Timely

Protecting your company’s data is a foundational obligation at Timely. We operate with a security-first mindset across our infrastructure, operations, and product development.

Timely is ISO 27001:2022 certified, meaning our information security management system has been independently audited against the most widely recognised international standard for information security management. This certification builds on the internal controls, risk mitigation strategies and technical safeguards we have had in place for years.

This page outlines how we manage data security across every level of our platform - from the way your data is stored and encrypted, to how we detect and respond to threats.

ISO 27001 certification

Timely’s ISO 27001:2022 certification confirms that our information security management system (ISMS) is aligned with globally recognised best practice. The certification process involves a full audit by an accredited external body, assessing how we manage information security risks across systems, infrastructure, policies and personnel.

Rather than being a one-off event, ISO 27001 is an ongoing operational commitment. We maintain compliance through regular internal reviews and risk assessments and through annual independent surveillance audits. This ensures our controls remain relevant and effective as the business scales and the threat landscape evolves.

The certification includes (but is not limited to) the following areas:

  • Risk assessment and treatment processes
  • Asset management and data classification 
  • Access control and identity management
  • Supplier and vendor security controls
  • Incident management and business continuity
  • Information security policy enforcement and auditability

Infrastructure and data hosting

Timely is built on Amazon Web Services (AWS), using EU-based data centres with high levels of physical and environmental protection. AWS is compliant with ISO 27001 and other global standards, and provides the infrastructure foundations for secure hosting, scalability and availability.   

We use multi-zone redundancy and automated failover to minimise disruption and ensure data availability. All services are containerised and managed via infrastructure-as-code, giving us full control over configuration and change management.  

Our infrastructure includes:

  • EU-based data residency (your data stays in-region)
  • Isolated environments per customer account
  • Automated encrypted backups with regular integrity checks
  • DDoS mitigation and continuous traffic monitoring
  • Strict controls over infrastructure access via VPN and MFA

Data encryption

All customer data is encrypted using modern, industry-standard cryptographic methods. Encryption is applied both in transit and at rest, so that traffic intercepted on the network, or data read directly from storage media, is unreadable without the corresponding keys.

  • Data in transit: All traffic between client devices and Timely services is encrypted using TLS 1.2 or higher. This applies to web traffic, API calls, and third-party integrations.
  • Data at rest: All stored data, including databases and file storage, is encrypted using AES-256, one of the most secure encryption standards currently available.
  • Encryption key management: Timely uses AWS Key Management Service (KMS) to manage encryption keys securely, with automated key rotation, granular access policies and full audit logging.

Encryption is applied consistently across all parts of the platform. No customer data is stored unencrypted at any point, and we maintain a strict separation between production and non-production environments.
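
A way to verify that a TLS 1.2 floor like the one described above is actually enforced, written as an added example for this page rather than code taken from Timely: it runs a server with MinVersion set to TLS 1.2 against a client limited to TLS 1.1 and confirms the handshake is refused, then shows that a modern client still negotiates TLS 1.3 and that loosening the floor to TLS 1.0 (the weak setting) lets the TLS 1.1 client through. The throwaway certificate, the placeholder host name and the in-process net.Pipe transport are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Added example: checks that a TLS version floor is really enforced by running
// the handshake in-process over net.Pipe, so no network or real endpoint is
// involved. The certificate is generated on the fly and the host name is a
// placeholder, not a Timely hostname.

// selfSignedCert issues a throwaway ECDSA P-256 server certificate.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "api.example.invalid"}, // placeholder
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"api.example.invalid"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Negotiate performs one handshake between a server whose floor is serverMin
// and a client that offers versions up to clientMax. It returns the negotiated
// version, or 0 and the error when either side refuses. serverMin =
// tls.VersionTLS12 is the setting described above; tls.VersionTLS10 is the
// weak setting, shown only for contrast.
func Negotiate(cert tls.Certificate, serverMin, clientMax uint16) (uint16, error) {
	server := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             serverMin,
		SessionTicketsDisabled: true, // keeps the single-pipe handshake free of extra writes
	}
	client := &tls.Config{
		InsecureSkipVerify: true, // throwaway cert; version negotiation is what is under test
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         clientMax,
	}
	sRaw, cRaw := net.Pipe()
	defer sRaw.Close()
	defer cRaw.Close()
	deadline := time.Now().Add(5 * time.Second) // a stalled handshake fails instead of hanging
	_ = sRaw.SetDeadline(deadline)
	_ = cRaw.SetDeadline(deadline)

	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(sRaw, server).Handshake() }()
	conn := tls.Client(cRaw, client)
	clientErr := conn.Handshake()
	if err := <-srvErr; err != nil {
		return 0, err // e.g. "tls: client offered only unsupported versions"
	}
	if clientErr != nil {
		return 0, clientErr
	}
	return conn.ConnectionState().Version, nil
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	for _, c := range []struct{ serverMin, clientMax uint16 }{
		{tls.VersionTLS12, tls.VersionTLS11}, // strict floor refuses a TLS 1.1-only client
		{tls.VersionTLS12, tls.VersionTLS13}, // strict floor still lets modern clients use 1.3
		{tls.VersionTLS10, tls.VersionTLS11}, // weak floor accepts TLS 1.1
	} {
		v, err := Negotiate(cert, c.serverMin, c.clientMax)
		fmt.Printf("server min %#x, client max %#x -> negotiated %#x, err=%v\n",
			c.serverMin, c.clientMax, v, err)
	}
}
```

Against a real endpoint the same question is answered by attempting a handshake with MaxVersion capped at TLS 1.1 and expecting a protocol_version alert; a server that completes that handshake has not enforced the floor. Recent Go releases already default to a TLS 1.2 minimum, which is why the weak case only exists when MinVersion is set explicitly, as the example does.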

Access controls and identity management

Access to customer data is strictly controlled using a combination of role-based access controls (RBAC), multi-factor authentication (MFA), and least-privilege principles. Only authorised personnel with a clear business need can access production systems, and all access is time-bound and logged.   

Internally, access is managed through identity providers and enforced via single sign-on (SSO), with centralised audit logging. All employees undergo security awareness training and must follow Timely’s Acceptable Use and Access Control policies.  

Key controls include:

  • Granular RBAC across infrastructure and application layers
  • Mandatory MFA for all administrative access
  • Audit logging of all access and configuration changes
  • Zero standing access to production systems
  • Regular access reviews and revocation of stale permissions

Vulnerability management

We take a proactive approach to identifying and mitigating security vulnerabilities. Our vulnerability management program combines automated scanning, third-party testing, and manual reviews to detect risks early and respond quickly.   

Security patches are prioritised based on severity and applied promptly in accordance with internal SLAs. We track all vulnerabilities centrally and monitor remediation progress until resolution is confirmed. High-severity issues are escalated to engineering leadership.

Processes include:

  • Weekly vulnerability scanning of infrastructure and dependencies
  • Regular third-party penetration testing
  • Secure dependency management and patch automation
  • Centralised tracking of known vulnerabilities via issue management systems
  • CVSS-based risk scoring and remediation timelines

Secure development practices

Security is embedded into every stage of our software development lifecycle. Engineers follow secure coding guidelines and use approved tooling to detect potential risks before code is merged. All changes undergo peer review, and critical paths are subject to additional scrutiny.

We use static code analysis, dependency checking, and container security tools to prevent vulnerabilities from entering the codebase. Developers are trained in secure design patterns and regularly updated on emerging threats and platform risks.

Key development practices:

  • Peer-reviewed code with dedicated security checklists
  • Static analysis and dependency scanning in CI pipelines
  • Security-focused test coverage (e.g. input validation, auth checks)
  • Continuous integration with isolated test environments
  • Developer training on OWASP Top 10 and secure engineering principles

Incident response and monitoring

Timely maintains a structured incident response plan covering detection, triage, containment, resolution, and post-incident analysis. This plan is tested regularly through simulations and tabletop exercises.

Security incidents are tracked centrally, with escalation criteria based on severity and potential impact. Customers are notified promptly in the event of any breach that affects their data, and post-incident reviews are conducted to improve future detection and response.

Our monitoring stack covers:

  • Real-time infrastructure monitoring and alerting
  • Security information and event management (SIEM)
  • Behavioural analytics to detect anomalies
  • Incident triage workflows and escalation protocols
  • 24/7 alert coverage with on-call engineering rotation

Customer data ownership and control

You retain full ownership and control over your data in Timely. We only process your data to provide and improve the service, and we never sell it, use it for advertising, or share it with third parties other than the sub-processors listed in our Data Processing Agreement.
 
Customers can access, export or delete their data at any time through the Timely interface. Our Data Processing Agreement (DPA) clearly sets out our obligations under GDPR and other applicable privacy laws.

You can review these documents at any time:

  • Privacy Policy
  • Data Processing Agreement
  • Privacy page

If you have a data request or question, our support and compliance teams are available to help. 

Ongoing compliance and governance 

Information security is not static. Timely operates a formal governance model for information security, overseen by senior leadership and subject to regular review.

We conduct:

  • Quarterly risk assessments and internal audits
  • Annual ISO 27001 surveillance audits
  • Mandatory employee security training and onboarding
  • Ongoing policy reviews and procedural updates

Our governance structure ensures that security remains aligned with our business priorities and customer needs as we grow.

Security FAQs

Certifications and compliance

01. What ISO certifications does Timely currently hold?

Timely is certified under ISO 27001:2022. This confirms that our information security management system (ISMS) has been independently audited and meets one of the most recognised international standards for managing information security. We don’t currently hold other ISO certifications beyond this.

02. Is Timely ISO 27001 certified, or is it in the process of obtaining certification?

Timely is fully ISO 27001:2022 certified. This isn’t a future goal - it’s already in place. We went through a comprehensive audit process conducted by an independent, accredited body and maintain ongoing compliance through regular internal checks and annual surveillance audits.

03. When is Timely’s next ISO 27001 audit scheduled?

Our ISO 27001 certification is subject to annual surveillance audits, with a full recertification audit every three years. The next surveillance audit falls within 12 months of the last audit date, as the certification scheme requires.

04. How often does Timely need to renew its ISO 27001 certification?

A full ISO 27001 recertification is required every three years. In the meantime, we complete annual surveillance audits and perform continuous internal monitoring to make sure our security controls remain effective and up to date.

05. How does GDPR compliance relate to Timely’s ISO 27001 certification?

ISO 27001 helps support our GDPR compliance by enforcing structured controls around how we handle personal data. While ISO 27001 and GDPR are separate, they align in key areas like data protection, access management, and breach notification. GDPR obligations are handled through our Data Processing Agreement, privacy documentation, and product design.

06. What is the difference between ISO 27001 and SOC 2 certification requirements?

ISO 27001 is an international standard for information security management systems, against which an organisation is certified by an accredited body. SOC 2 is not a certification but an attestation report issued under AICPA standards, assessing an organisation's controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy). SOC 2 reports are typically requested in U.S. vendor assessments. Timely has prioritised ISO 27001 to align with our customer base and geographic focus, but many of the underlying controls overlap.

07. Why isn’t Timely HIPAA compliant, and what would be required to achieve compliance?

Timely isn’t currently HIPAA compliant. There is no formal HIPAA certification; compliance is a legal obligation under U.S. healthcare law for organisations that handle protected health information (PHI), and our product is not designed for storing or processing PHI. Meeting HIPAA requirements would require structural changes to how data is handled, stored and accessed, including PHI-specific audit trails, breach notification procedures and Business Associate Agreements with customers. This isn’t on our current roadmap due to our focus on other customer segments.

I’m missing features that were available during my trial. What can I do?

During the free trial, you can access all of Timely's features. However, they may not be included in the final plan you choose to subscribe to.  

If you realize you're missing something crucial after subscribing, reach out to our Success team who can explain our plans and any in-app "upgrade" messages you may have encountered.

Infrastructure and data storage

01. What security monitoring does Timely implement beyond what AWS provides?

Timely layers additional controls and monitoring on top of AWS. This includes vulnerability scanning, SIEM-based threat detection, behavioural analytics, and strict access policies. All infrastructure access is restricted via VPN and MFA, and our environments are isolated per customer. We actively track and respond to suspicious behaviour and performance anomalies in real-time.

02. What encryption standards does Timely use for data in transit and at rest?

All customer data is encrypted using industry-standard methods:

  • In transit: TLS 1.2 or higher for all communications (web, API, integrations)
  • At rest: AES-256 encryption for databases and file storage

TLS protects data against interception and tampering while it moves between your device and our services; encryption at rest means stored data cannot be read directly from disk or backup media without the keys. Access to data through the application itself is governed by the access controls described above.

03. Does Timely use 256-bit or 512-bit encryption for sensitive data?

Timely uses AES-256. There is no such thing as AES-512: the AES standard (FIPS 197) defines the cipher only for 128-, 192- and 256-bit keys, so 256 bits is the largest key size available, and "512-bit" figures usually refer to hash output lengths such as SHA-512 rather than to a cipher key. AES-256 is widely regarded as one of the strongest standardised ciphers and provides a strong balance of security and performance.
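
As an added illustration, not Timely's code and not the AWS KMS API, of two points on this page: how the KMS-style key management described under "Encryption key management" lets keys rotate without re-encrypting stored data, and why the answer above is 256 rather than 512 bits. Each record is encrypted with its own AES-256-GCM data key; that data key is wrapped under a key-encryption key (KEK), and rotation adds a new KEK version while earlier versions stay available for unwrapping. The KeyRing type, its version numbering and the wrapped-key layout are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Added illustration of envelope encryption under a rotating key-encryption key (KEK),
// the pattern behind KMS-backed encryption at rest. KeyRing, its version numbering and
// the wrapped-key layout are assumptions for this example, not the AWS KMS API.
const keyLen = 32 // 256-bit keys throughout: AES-256-GCM for data and for wrapping

// KeyRing models one KMS key. Rotate appends fresh material and keeps every earlier
// version, so data keys wrapped under old versions still unwrap and no stored
// ciphertext has to be touched.
type KeyRing struct{ versions [][]byte }

func (kr *KeyRing) Rotate() error {
	kek := make([]byte, keyLen)
	if _, err := rand.Read(kek); err != nil {
		return err
	}
	kr.versions = append(kr.versions, kek)
	return nil
}

// seal is AES-GCM with a random 96-bit nonce prepended to the ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // accepts only 16-, 24- or 32-byte keys
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext or aad fails authentication.
func open(key, box, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	if len(box) < aead.NonceSize() {
		return nil, errors.New("truncated ciphertext")
	}
	return aead.Open(nil, box[:aead.NonceSize()], box[aead.NonceSize():], aad)
}

// Encrypt: fresh data key per record, recordID bound in as AAD so a ciphertext cannot
// be moved between records, and the data key wrapped under the current KEK behind an
// authenticated 4-byte version prefix. Only wrappedKey and ciphertext are stored.
func (kr *KeyRing) Encrypt(plaintext []byte, recordID string) (wrappedKey, ciphertext []byte, err error) {
	if len(kr.versions) == 0 {
		return nil, nil, errors.New("no key material; call Rotate first")
	}
	dk := make([]byte, keyLen)
	if _, err = rand.Read(dk); err != nil {
		return nil, nil, err
	}
	if ciphertext, err = seal(dk, plaintext, []byte(recordID)); err != nil {
		return nil, nil, err
	}
	cur := uint32(len(kr.versions) - 1)
	hdr := binary.BigEndian.AppendUint32(nil, cur)
	box, err := seal(kr.versions[cur], dk, hdr)
	return append(hdr, box...), ciphertext, err
}

// Decrypt unwraps with the KEK version named in the prefix; a ring that never held
// that version cannot recover the data key.
func (kr *KeyRing) Decrypt(wrappedKey, ciphertext []byte, recordID string) ([]byte, error) {
	if len(wrappedKey) < 4 {
		return nil, errors.New("wrapped key too short")
	}
	v := binary.BigEndian.Uint32(wrappedKey[:4])
	if int(v) >= len(kr.versions) {
		return nil, errors.New("wrapped key names a KEK version this key ring does not hold")
	}
	dk, err := open(kr.versions[v], wrappedKey[4:], wrappedKey[:4])
	if err != nil {
		return nil, err
	}
	return open(dk, ciphertext, []byte(recordID))
}

// KeyVersionOf reports which KEK version a stored wrapped key names.
func KeyVersionOf(wrappedKey []byte) uint32 { return binary.BigEndian.Uint32(wrappedKey[:4]) }

// AESAcceptsKeyBits: AES is defined only for 128-, 192- and 256-bit keys, so there is
// no AES-512; the cipher constructor rejects a 64-byte key outright.
func AESAcceptsKeyBits(bits int) bool {
	_, err := aes.NewCipher(make([]byte, bits/8))
	return err == nil
}
```

Usage is Rotate once to create the first KEK, Encrypt each record, and Rotate again whenever policy says so: a record encrypted before the rotation still names version 0 and still decrypts, a new record is wrapped under version 1, and a key ring that never held version 1 cannot unwrap it. Binding the record identifier as AAD stops a ciphertext being swapped between records, and AESAcceptsKeyBits(512) returns false because the cipher has no 512-bit variant.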

04. Where is Timely’s data stored and what security certifications apply to those data centers?

All Timely data is hosted in EU-based AWS data centres. These facilities meet strict global security standards, including ISO 27001, SOC 1, SOC 2, and SOC 3. Physical access is tightly controlled, and environments are protected against natural disasters, power failures, and other physical risks.

05. What information can Timely provide about its sub-processors and where data is stored?

You can review our current list of sub-processors and data storage locations in our Data Processing Agreement. We’re transparent about who we work with, where your data lives, and what role each sub-processor plays in delivering the service.

Threat detection and response

01. Does Timely conduct regular penetration testing by third-party agencies?

Yes. We run regular third-party penetration tests in addition to our internal vulnerability scanning. These tests simulate real-world attack scenarios and help identify gaps in our defences. Any findings are tracked, prioritised, and resolved based on risk severity.

02. What security incident reporting processes does Timely have in place?

We follow a structured incident response plan that covers detection, triage, containment, resolution, and review. This plan is regularly tested. If there’s ever an incident affecting your data, you’ll be notified promptly and given updates on impact, resolution steps, and any follow-up actions taken.

03. How does Timely handle security incidents like stolen identity, phishing, or unethical activities?

Incidents like phishing or identity misuse are escalated quickly within our engineering and compliance teams. We isolate affected accounts, review logs, and take appropriate actions to contain and address the issue. Security awareness training is mandatory for all staff to reduce internal risk and social engineering threats.

Security governance and documentation

01. What security documentation can Timely provide for compliance reviews?

We can provide our ISO 27001 certificate, summary audit findings, our Data Processing Agreement, and a completed vendor security questionnaire if required. We also support detailed compliance reviews for customers with more complex needs.

02. Which major organizations have vetted and approved Timely’s security measures?

We’re trusted by hundreds of professional services companies globally, including enterprise organisations with rigorous procurement and security review processes. While we don’t name specific customers without consent, our security program has passed vendor reviews across consulting, SaaS, and agency sectors.

03. How does Timely handle vendor compliance questionnaires for organizations undergoing SOC 2 certification?

Our team can complete your vendor questionnaire and supply supporting documentation mapped to SOC 2 controls. While we do not hold a SOC 2 report ourselves, we align with many of the same security principles under our ISO 27001 framework.

Platform access and integrations

01. What security measures are in place for Timely’s third-party integrations?

All integrations are secured via encrypted APIs and follow least-privilege access principles. We audit third-party tools during onboarding and maintain ongoing reviews. Sensitive data shared with integrations is controlled and limited to only what’s required for functionality.

02. How does Timely manage access control and authentication for its systems?

Access is tightly controlled using role-based access control (RBAC), MFA, and strict internal policies. No one has standing access to production systems. All access is time-bound, logged, and reviewed regularly. Internally, we use SSO for employee authentication and enforce minimum security standards across all tools and platforms.
