Security Practices
Last updated: April 4, 2026
1. Credential Encryption
Your ConnectWise API credentials are encrypted at rest using AES-256-GCM, an authenticated encryption standard used across the industry for protecting sensitive data. Credentials are encrypted before they ever reach the database — plaintext values are never written to disk or persisted in any data store.
2. Data Isolation
CW Timer is a multi-tenant application with strict organization-scoped access controls. Each organization's data is logically isolated at the database level. Users can only access time entries, credentials, and configuration belonging to their own organization. Cross-tenant data access is not possible through the application.
3. Transport Security
All communication between your browser and CW Timer is encrypted using HTTPS with TLS. API calls from CW Timer to your ConnectWise Manage instance are made exclusively over HTTPS. No data is transmitted in plaintext at any point in the request lifecycle.
4. Access Controls
CW Timer enforces role-based access control (RBAC) with three distinct roles:
- Admin — full access including ConnectWise credential management, user management, and billing
- Service Manager — access to team time entries and service board management, but no credential or billing access
- Time Logger — access limited to their own timers and time entries
Only administrators can view, update, or delete ConnectWise API credentials. Platform operations staff at CW Timer, LLC cannot access client credentials — the encryption architecture ensures that credentials are only decrypted at runtime when making authorized API calls on your behalf.
5. Infrastructure
CW Timer is hosted on Vercel, which provides built-in DDoS protection, a global edge network, and automatic TLS certificate management. Our database is hosted on Neon PostgreSQL, which is SOC 2 Type II compliant and encrypts all data at rest and in transit.
Both Vercel and Neon maintain their own security programs, undergo regular audits, and publish their security practices publicly.
6. Credential Validation
When you provide ConnectWise API credentials, CW Timer validates them against the ConnectWise API before storing them. If validation fails, the credentials are rejected and never persisted. This ensures that only working, authorized credentials are stored in the system.
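The pattern described in sections 1 and 6 (validate a credential, encrypt it with AES-256-GCM, and only then persist it) can be sketched as follows. This is an added example, not CW Timer's own code; the key source, the `validate` callback, the `Map` standing in for the database, and binding the organization ID as associated data are assumptions of this example.

```javascript
// Added example: validate, then encrypt with AES-256-GCM, then persist.
const crypto = require("node:crypto");

// Assumption: in production the 32-byte key comes from a secrets manager.
// It is generated here only so the example runs offline.
const KEY = crypto.randomBytes(32);

// Encrypt one credential. The organization ID is bound as associated data
// (an assumption of this example), so a row copied to another tenant
// fails authentication on decrypt.
function sealCredential(key, orgId, plaintext) {
  const iv = crypto.randomBytes(12); // 96-bit nonce, fresh for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(orgId, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    iv: iv.toString("base64"),
    ct: ct.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

// Decrypt at use time. Throws if the ciphertext, tag, or orgId do not match.
function openCredential(key, orgId, row) {
  const decipher = crypto.createDecipheriv(
    "aes-256-gcm", key, Buffer.from(row.iv, "base64"));
  decipher.setAAD(Buffer.from(orgId, "utf8"));
  decipher.setAuthTag(Buffer.from(row.tag, "base64"));
  const pt = Buffer.concat([
    decipher.update(Buffer.from(row.ct, "base64")),
    decipher.final(), // authentication is checked here
  ]);
  return pt.toString("utf8");
}

// `validate` is a hypothetical callback standing in for a live check against
// the ConnectWise API; `db` is a Map standing in for the database.
function storeCredential(db, key, orgId, secret, validate) {
  if (!validate(secret)) return false; // rejected: nothing is written
  db.set(orgId, sealCredential(key, orgId, secret)); // only ciphertext is stored
  return true;
}
```

Because GCM is authenticated, a modified ciphertext or a mismatched organization ID makes `openCredential` throw rather than return altered plaintext.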
7. What We Don't Do
Security is as much about what we avoid as what we implement. CW Timer does not:
- Store credentials in plaintext — all credentials are encrypted with AES-256-GCM before storage
- Log credentials — API keys and secrets are never written to application logs
- Allow platform staff access to your keys — our encryption architecture prevents CW Timer, LLC personnel from reading your ConnectWise credentials
- Share your data with third parties except as required for service operation — the only third parties that process data are Stripe (payments), Vercel (hosting), and Neon (database)
8. Your Rights
You are in control of your credentials and data at all times:
- Update credentials — you can rotate or replace your ConnectWise API credentials at any time from your admin dashboard
- Delete credentials — you can remove your ConnectWise API credentials at any time, immediately severing the integration
- Delete your account — account deletion removes all stored data, including encrypted credentials, time entries, and account information
- 30-day window — all data is permanently deleted within 30 days of account closure, except where retention is required by law
For more details on data handling, see our Privacy Policy.
9. Contact
If you have security concerns, want to report a vulnerability, or have questions about our security practices, please contact us:
- Security: security@cwtimer.com
- Contact page: cwtimer.com/contact
Effective date: April 4, 2026