Security Addendum

Overview

Security built around workforce evidence

ZoikoTime protects the workforce records and operational data customers use
for management, reporting, billing and payroll support, compliance review,
dispute handling, and internal governance.

Users should only access the data, records, settings, reports, and workflows appropriate to their role, permissions, organization, and configuration.

Customer data is protected through secure transmission, controlled storage, data-handling safeguards, and administrative controls.

Important actions are logged to support accountability, investigation, evidence review, and administrative oversight.

Administrators control settings for users, roles, policies, data access, exports, screenshots, retention, and workspace governance where supported.

Platform operations include monitoring, controlled changes, incident handling, and security review appropriate for a commercial SaaS environment.

Enterprise customers have a clear route to request available security information through sales, legal, and procurement workflows.

What We Protect

Data ZoikoTime protects

Categories of customer and workforce-related data may vary by plan,
configuration, integrations, jurisdiction, enabled features, and user activity.

| Data category | Examples | Security consideration |
| --- | --- | --- |
| Account data | Names, emails, roles, user profiles | Identity, account administration, access control |
| Organization data | Company profile, departments, teams, policies, settings | Tenant separation, configuration governance |
| Time records | Clock-in/out, breaks, timesheets, approvals | Integrity, auditability, export controls |
| Activity signals | App/URL activity, idle time, work-session data where enabled | Policy-based access, transparency, retention controls |
| Screenshots | Screenshots where enabled by customer policy | Redaction, access control, storage, retention |
| Reports | Workforce analytics, productivity, attendance reports | Permissioning, export governance, audit logs |
| Evidence records | Evidence packages, review records, exception history | Integrity, legal hold, chain-of-custody support |
| Billing data | Plan, subscription, invoice, account details | Restricted access, payment-provider boundaries |
| Integration data | Data exchanged with payroll, HR, PM, identity, billing systems | API security, permissions, integration controls |

The exact data processed depends on customer configuration, enabled
modules, user roles, plan, integrations, and applicable agreements.

Identity

Access control and identity

ZoikoTime supports role-based access, administrative controls, and account
safeguards to help customers manage who can view, configure, export, or act
on sensitive workforce information.

Administrators, managers, workers, finance, HR, legal, and support users can be assigned appropriate permissions.

Customer administrators control user invitations, roles, departments, policies, report access, and configuration settings.

Workers have appropriate visibility into their own records, transparency notices, and support routes.

Enterprise plans may support SSO, SAML, SCIM, or related identity-management capabilities where available.

Account safeguards include secure authentication flows, session controls, password policies, and administrative account management.

Access follows least-privilege principles so users and operators only receive access appropriate to their role and purpose.

Data Protection

Encryption and data protection

Controls may vary by plan, deployment model, product feature, integration, and
customer agreement.

Secure transmission methods protect data moving between users, browsers, mobile apps, APIs, integrations, and platform services.

Stored customer data is protected using appropriate encryption or equivalent safeguards where supported by the architecture.

Customer environments and data are logically separated to help prevent unauthorized cross-organization access.

APIs and integrations use appropriate authentication, authorization, rate controls, logging, and validation.

Data is collected and processed in ways tied to product purpose, configuration, workforce governance, and settings.

Where enabled, ZoikoTime supports redaction, access controls, transparency, retention settings, and policy-based governance.

Evidence

Auditability, retention, and evidence integrity

Security supports more than account protection — it supports trustworthy
records, accountability, evidence review, retention governance, and legal
defensibility.

Important actions are logged to support accountability, administrative review, security investigation, and evidence traceability.

Time records, approvals, exceptions, reports, and evidence packages are handled to support traceability and reduce unauthorized alteration.

Where supported, ZoikoTime helps customers compile workforce evidence for review, billing support, dispute handling, or legal processes.

Legal hold workflows help preserve relevant records when customers need to prevent deletion due to investigation, dispute, audit, or regulatory review.

Retention may vary by plan, settings, jurisdiction, module, legal hold status, and customer agreement.

Deletion, export, restriction, and preservation are governed by role permissions, configuration, settings, and applicable terms.

Operations

Platform security and monitoring

Platform security covers secure product development, controlled operations,
monitoring, vulnerability management, and incident response appropriate for
an enterprise SaaS platform.

Product development uses secure development practices, code review, testing, dependency review, and controlled release processes.

Security issues are assessed, prioritized, remediated, and tracked through product and engineering workflows.

Operational monitoring supports platform reliability, security review, performance visibility, and issue escalation.

Processes exist for identifying, investigating, escalating, and communicating security or availability incidents where applicable.

Backup and recovery practices support data availability, resilience, and operational continuity.

Vendor use for infrastructure, payment, identity, analytics, or support is reviewed and governed by internal risk processes.

Shared Responsibility

Customer responsibilities

Security is strongest when ZoikoTime and its customers work together.

| Customer responsibility | Why it matters |
| --- | --- |
| Assign appropriate user roles | Prevents excessive access to workforce records |
| Remove inactive users promptly | Reduces unnecessary account exposure |
| Configure policies carefully | Aligns data collection and reporting with requirements |
| Review export permissions | Protects sensitive reports and evidence packages |
| Use strong authentication | Reduces account compromise risk |
| Train administrators & managers | Improves correct platform use and governance |
| Review screenshot settings | Supports transparency, privacy, and appropriate access |
| Manage integrations carefully | Protects data exchanged with HR, payroll, PM, identity systems |
| Preserve records when needed | Supports audits, disputes, investigations, legal hold |

Enterprise Review

Security review for procurement

Enterprise customers may require additional security information for
procurement, vendor risk review, legal review, privacy review, or implementation
planning.

ZoikoTime may support security questionnaires for qualified enterprise opportunities.

Available security, privacy, data-protection, and product-governance documentation may be provided through appropriate channels.

Provisions may sit within an order form, Master Subscription Agreement, Data Processing Addendum, or related documents.

Support is available for procurement teams reviewing access control, data handling, retention, legal hold, incident response, and integrations.

Questions

Security Addendum FAQs

What is the ZoikoTime Security Addendum?
It summarizes ZoikoTime's approach to protecting customer data, workforce records, access controls, audit logs, evidence packages, retention settings, and enterprise security review.

Does ZoikoTime encrypt customer data?
ZoikoTime is designed to protect data in transit and at rest using appropriate safeguards. Specific controls may vary by product area, configuration, plan, deployment model, and customer agreement.

Does ZoikoTime support role-based access control?
Yes. ZoikoTime supports role-based access so customers can assign appropriate permissions across administrators, managers, workers, finance, HR, legal reviewers, and other roles.

Does ZoikoTime keep audit logs?
ZoikoTime maintains audit logs for important actions to support accountability, investigation, evidence review, administrative oversight, and governance.

How does ZoikoTime protect screenshots?
Where screenshots are enabled, ZoikoTime supports role-based access, redaction, transparency, retention settings, and policy-based governance.

Can enterprise customers request security documentation?
Enterprise customers may request available security documentation through sales and procurement. Some materials may require confidentiality or appropriate review procedures.

Does ZoikoTime support legal hold?
ZoikoTime may support legal hold workflows that help preserve relevant records for investigations, disputes, audits, litigation, or regulatory review, depending on plan, configuration, and agreement.

Enterprise Review

Need security information for enterprise review?

ZoikoTime can support qualified security, procurement, legal, privacy, and
implementation reviews through the enterprise sales process.
