Security
Small studio, small surface area, careful defaults. Here's how we actually run things.
Workflow isolation
Your workflows run in our managed automation platform, organized into a dedicated project for your business, tagged for filtering, and using credentials scoped to your services only. Execution logs are recorded per workflow so we know exactly what ran on whose behalf. Where an engagement includes a dedicated AI agent, that agent runs on its own separate, hardened server provisioned for your business alone — isolated from our other clients and from our internal operations. When an engagement ends, we delete your project, revoke any credentials we held, remove your data from active systems, and — for a dedicated agent — decommission its server.
Hosting
The marketing site runs on a managed edge platform with managed TLS and bot protection. Client automations run on a hardened server in a U.S. data center with daily snapshots. When we operate an AI agent for you, it runs on its own dedicated, hardened U.S. server — separate from other clients and from our own systems — with daily snapshots and the same access controls. Administrative access is key-based with direct privileged login disabled, and the admin editor sits behind an identity-aware access layer — so the login page isn't even publicly reachable; only authenticated Timeback team members can see it.
Credentials
Every credential — ours and any you share with us — is stored in an encrypted, dedicated secrets manager. Two-factor authentication is on for everything that supports it. Client credentials are scoped to the minimum permissions needed, and when an engagement ends we revoke access and remove them from our systems.
Backups
Daily server snapshots, plus version-controlled workflow definitions in private repositories as an independent recovery path.
Monitoring
Workflows are individually logged, and scheduled health checks run across the instance daily. Failures alert us right away. If something does go wrong, we follow a written incident response routine: contain, assess, notify, document.
What we don't claim
We're not SOC 2 or ISO 27001 certified — we don't pretend to be. We'll add formal audits when the size of the business warrants them.
Found a vulnerability?
Email us with the details and we'll acknowledge within two business days. We don't run a paid bug bounty yet, but responsible disclosure is genuinely appreciated.
Contact
Timeback Solutions LLC — Minnesota, USA.