Team Management
Our product supports team management capabilities to help administrators manage user needs and permissions. Please see our Help Center article on permissions for details.
SSO Support
We provide single sign-on via Google for companies using Google Workspace or individuals using Gmail addresses.
For plans supporting SAML SSO, Okta and Microsoft Entra ID are also available.
Documentation to set it up can be found here.
Role-Based Access Control
We have different access permissions inside the account to manage access. Please see our Help Center article on permissions for details.
Multi-Factor Authentication
We support two-factor authentication.
Integrations
Harvest works with the most popular tools so your team can track time effortlessly. All integrations can be found here.
Data Security
We take precautions — including administrative, technical, and physical measures — to safeguard your personal information against loss, theft, and misuse, as well as against unauthorized access, disclosure, alteration, and destruction.
We follow generally accepted industry standards to protect your information, both during transmission and once we receive it.
Audit Logging
Our product logs all user activity to enable easy auditing of usage patterns. Open sessions and identity options can be checked in the Security section of Harvest ID.
Physical Security
Harvest outsources hosting to third parties, and all our staff work fully remotely. All hosting services are provided by GCP and AWS, who are responsible for the physical security policies of their hosting environments. Please see the following links for more information:
- GCP: GCP Security, GCP Whitepaper.
- AWS: AWS Artifact, AWS Compliance FAQ.
Geographic Location of Data
All our servers are located in the United States.
Encryption-in-transit
All data is encrypted in transit, and all connections use TLS 1.2 or 1.3.
Encryption-at-rest
We implement multiple layers of encryption for data at rest. Passwords are stored salted and hashed using bcrypt with a work factor of 12. Backups are encrypted at rest using the AES-256 cipher. Attachments and other file assets are stored encrypted at rest on Amazon S3 and Google Cloud Storage. Disks at the cloud providers are encrypted, and we have an additional layer of column-level encryption in place for critical fields in our database.
Data Erasure
When a customer deletes data, it is removed from our databases immediately. Database backups are retained for 180 days, and application logs (used to assist with Harvest Support cases) are retained for 90 days. Customers’ activity logs are stored for 1 year.
Backups Enabled
Backups occur multiple times a day and are replicated to at least two physical data centers.
Access Monitoring
Access to servers and customer data is strictly controlled and follows the principle of least privilege. We keep an immutable audit trail for support-related data access.
Web Application Firewall
Harvest utilizes a Cloudflare Web Application Firewall (WAF) to protect our products.
Vulnerability & Patch Management
Security patches for third-party libraries are deployed as soon as they become available. Operating systems automatically apply all security patches as they are released.
Vulnerability scanning is performed as part of our continuous integration process with static analysis.
Software Development Lifecycle
At Harvest, we use a continuous integration system and development process where everything is reviewed and deployed from a secure and monitored version control system. The source code repositories are scanned for security issues via our integrated static analysis tooling.
We continuously monitor security notifications for all third-party software libraries we use, and we apply any relevant security patches as soon as they are released. Our security engineers work alongside the product teams to ensure that all of Harvest’s code and infrastructure is secure.
Secure Development Training
Engineers must complete engineering-specific training as part of their onboarding when they join the company. In addition, our Security Engineering team conducts awareness campaigns to educate software developers on best coding practices. The security team reviews sensitive code before it is released to production.
Responsible Disclosure
We encourage all security reports to be made via email with a complete description of the issue to security@getharvest.com including code samples and as much detail as possible.
System Hardening
New servers deployed to production are hardened by disabling unneeded and potentially insecure services and applying Harvest custom configuration settings to each server before use.
Credential Management
We store application secrets in Google Secret Manager. User credentials are stored salted and hashed using bcrypt with a work factor of 12.
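The bcrypt policy stated under Encryption-at-rest and Credential Management (a work factor of 12) is something a reviewer can verify against stored records, since bcrypt encodes its cost in the hash string itself. The following Python is an added example, not Harvest's own code: it parses the bcrypt modular-crypt format with the standard library only, checks that each stored value is a bcrypt hash at or above the stated cost, and flags anything else (legacy unsalted digests, or hashes created before a cost increase). The sample records are constructed placeholders of the right length and alphabet, not real hashes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# bcrypt modular-crypt format: $<variant>$<2-digit cost>$<22-char salt><31-char digest>
# Salt and digest use bcrypt's own base64 alphabet: . / A-Z a-z 0-9
_BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[aby])\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

POLICY_MIN_COST = 12  # the work factor the page states for stored credentials


@dataclass(frozen=True)
class BcryptHash:
    variant: str
    cost: int
    salt: str
    digest: str


def parse_bcrypt(encoded: str) -> Optional[BcryptHash]:
    """Return the parsed fields of a bcrypt string, or None if it is not one.
    Only the encoding is checked; the digest is not recomputed here."""
    m = _BCRYPT_RE.match(encoded)
    if not m:
        return None
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:  # bcrypt's defined cost range (2**cost rounds)
        return None
    return BcryptHash(m.group("variant"), cost, m.group("salt"), m.group("digest"))


def audit_hashes(records: dict, min_cost: int = POLICY_MIN_COST) -> dict:
    """Map each user id to a finding: 'ok', 'not-bcrypt' or 'cost-below-policy:<n>'."""
    findings = {}
    for user, encoded in records.items():
        parsed = parse_bcrypt(encoded)
        if parsed is None:
            findings[user] = "not-bcrypt"
        elif parsed.cost < min_cost:
            findings[user] = f"cost-below-policy:{parsed.cost}"
        else:
            findings[user] = "ok"
    return findings


# Constructed sample records (placeholder salt/digest characters, not real hashes).
SAMPLE_RECORDS = {
    "alice": "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "bob":   "$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "carol": "5f4dcc3b5aa765d61d8327deb882cf99",  # unsalted legacy-style digest
}

if __name__ == "__main__":
    for user, finding in audit_hashes(SAMPLE_RECORDS).items():
        print(f"{user}: {finding}")
```

Running the audit against a credential table after a migration or a cost-factor increase surfaces rows that still need to be rehashed on the user's next successful login.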
Code Analysis
Before production deployment, we conduct manual code reviews, automated testing, and static code analysis to catch issues and prevent misconfigurations. We use standard, well-known tools to enforce code standards and identify security vulnerabilities.
Bot Detection
Harvest applications are protected via a web application firewall (WAF) with bot detection and prevention capabilities.
Privacy Policy
Cookies
Our website stores cookies on your computer. These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information in order to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media. To find out more about the cookies we use, see our Privacy Policy.
Password Security
Our internal systems and tools require the use of SSO with MFA, and we monitor access and usage. We rotate passwords, keys, and secrets every time someone leaves the company.
For external services, we require the usage of a password manager to generate passwords with long, secure, random strings. We periodically review that everyone has enabled 2FA in the services we use and that accounts in place in all services are correct and essential.
Logging
All of our servers and compute instances are monitored in order to provide a comprehensive view of the security state of corporate and application infrastructure. Harvest collects, stores, and indexes production logs for analysis. Logs are protected from modification.
Data Access
To minimize the risk of data exposure, Harvest adheres to the principle of least privilege. People working at Harvest are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities.
Status Monitoring
Current and historical uptime data can be found at https://www.harveststatus.com/
Separate Production Environment
We maintain separate and distinct production, staging, and development environments. No Service Data is used in our development or test environments.
Cloud Service Providers
Our applications and data are hosted on Google Cloud Platform and Amazon Web Services.
Endpoint Detection & Response
Harvest’s internal computer security policy requires all employees to comply with our standards for security. These standards require all workstations to run the latest operating system version with the latest security patches and follow updated security guidelines that are reviewed every six months. We enforce the policy via our compliance tool.
Disk Encryption
Harvest’s internal computer security policy requires all employees to comply with our standards for security, which includes disk encryption in all work devices.
Zero Trust
We use Google Identity-Aware Proxy, which implements a zero-trust access model, to control access to all of our internal web applications.
Wireless Security
We are a fully remote company and do not own or operate any wireless networks.
Internal SSO
Our internal systems and tools require the use of SSO with MFA, and we monitor access and usage. We rotate passwords, keys, and secrets every time someone leaves the company. For external services, we require the usage of a password manager to generate passwords with long, secure, random strings. We periodically review that everyone has enabled 2FA in the services we use and that accounts in place in all services are correct and essential.
Incident Response
We maintain a security incident response plan to provide a framework to ensure that potential computer security incidents are managed in an effective and consistent manner. This document is reviewed at least annually.
Employee Training
We have a security training program that all employees must complete when they join the company. We continuously update our internal documentation and staff training material.
Email Protection
Our email providers offer phishing detection capabilities and advanced spam protection.