
Security Policy

Effective Date: 08/01/2025
Company: ToBeShore AB, Sweden
Product: DayzOff, Leave Management System
Contact: support@tobeshore.freshdesk.com

1. Introduction

At ToBeShore AB, we take the protection of customer data seriously. Our Leave Management System, hosted on Microsoft Azure, is built with industry-leading security practices and infrastructure to ensure the availability, confidentiality, and integrity of data for users worldwide.

2. Infrastructure Security

Our platform is built using secure and scalable components of Microsoft Azure, including:

  • Modern microservice architecture
  • DBs with strict access controls
  • Microsoft Entra ID authentication
  • API Gateway to publish, secure, monitor and scale APIs
  • Web Application Firewall

Azure infrastructure is compliant with ISO/IEC 27001, SOC 2, GDPR, and other leading security standards.

3. API Security

We use API Gateway to ensure that all APIs exposed to clients are:

  • Authenticated using Azure AD or key-based access
  • Rate-limited and throttled to prevent abuse or overload
  • Monitored and logged to detect unusual patterns or security events
  • Version-controlled to ensure safe updates and backward compatibility

API Gateway acts as a secure gateway between external users and internal services.

4. Multi-Tenant Isolation

Our application uses a multi-tenant architecture:

  • Each organization’s data is logically and securely isolated.
  • Cross-tenant access is prevented by design.
  • Tenant-specific API tokens and scoped permissions are enforced.

5. Authentication and Access Control

  • Secure OAuth2-based authentication using Azure Active Directory (Azure AD)
  • Role-Based Access Control (RBAC) within the app (Admin, Employee, ToBeShore Support)
  • Admin access is strictly limited and monitored
  • User sessions are encrypted and managed with expiration policies

6. Data Encryption

All data is encrypted using industry-standard protocols:

  • In Transit: TLS 1.2+ (HTTPS) for all web and API communications
  • Sensitive configuration values are securely stored

7. Monitoring, Logging, and Incident Response

8. Data Backup and Disaster Recovery

  • Automated daily backups for databases and configurations.
  • Backups are encrypted and stored in redundant storage.
  • Disaster recovery procedures are tested regularly.

9. Secure Software Development

  • Continuous Integration/Continuous Deployment (CI/CD) pipelines with security gates
  • Regular vulnerability scanning of containers and dependencies
  • Manual and automated code reviews for security-critical changes
  • Separate environments for development, staging, and production

10. Internal Security Controls

  • Access to production systems is restricted to authorized persons only
  • All ToBeShore staff undergo security awareness training
  • Zero-trust access model enforced across internal tools

11. Responsible Disclosure

We welcome reports of potential vulnerabilities. Please report responsibly to support@tobeshore.freshdesk.com and we will investigate immediately.

12. Updates to This Policy

This Security Policy may be updated as our platform evolves. Major changes will be communicated via email or through the system.

13. Contact

ToBeShore AB, Sweden
📧 support@tobeshore.freshdesk.com