TimeLog takes security seriously and want to make clear how we protect our middleware (FinancialHost) for enabling financial integrations with on-premise ERP solutions.
Communication between TimeLog and the FinancialHost is secured in various ways to keep data safe.
Data transfer from the FinancialHost to TimeLog is done over SSL (for encryption) and utilizes a user specific time limited token for accessing resources through a WCF API endpoint.
Data transfer from TimeLog to the FinancialHost can optionally be done over SSL (for encryption). All requests to the WCF API endpoint requires a white listed IP, a unique and not used previously transaction ID as well as a MD5 hash of the entire content. This makes man-in-the-middle attacks extremely difficult. The same request cannot be used twice and tampering data cannot be done without the MD5 secret.
Communication between the financial system and the FinancialHost is done using a REST protocol. All requests to the REST API endpoint requires a white listed IP and a valid MD5 hash of the entire content. The REST service is supposed be internal access only or in most cases just localhost, so locked down to those IPs.
Finally, the fields and low level tests of WCF and REST API endpoints will only available on the FinancialHost website when "DebugMode" is turned on.