Security and privacy

All data stored on Harvest and Forecast is safe, secure, and reliable. For us, it’s the only way to do business.

1 – We keep your data safe

All Harvest and Forecast accounts use SSL-encrypted connections by default—the same level of security used by online banks. You never send or receive sensitive information in plain text. Additionally, industry-standard physical and remote security is administered at datacenter facilities.

2 – Your privacy is our focus

Harvest cares deeply about protecting the privacy of the data entrusted to us by our customers. This is one of the core values at the heart of our business. Please review our Privacy Policy for specific details.

3 – How we stay reliable

Harvest maintains an average 99.9% uptime by leveraging Google Cloud’s multi-zone Kubernetes clusters and auto-scaling for many workloads. Backups are securely stored in Google Cloud Storage (multi-region) with replication to Amazon Web Services S3. Monitoring and alerting are managed through a robust stack. System status updates are reported in real time at HarvestStatus.com.

4 – Our data retention policy

We remain committed to safeguarding your data. Backups occur multiple times a day with storage redundancy across cloud regions. We keep database backups for 180 days, application logs for 90 days, and customer activity logs for 1 year.

5 – Our industry-standard practices

Harvest’s systems and processes adhere to industry best practices. Data is encrypted at rest and in transit. Access to servers and customer data is strictly controlled and we keep an immutable audit trail for support-related data access. Learn more about how Harvest ensures the security of your data in our Security FAQ.

PCI-compliance

Harvest has a PCI-DSS Merchant Certificate, although we don’t store any payment information.

SOC 2

We rely on our server host’s audit, and they are SOC 2 certified.

Incident Report Plan

We maintain a security incident response plan to provide a framework to ensure that potential computer security incidents are managed in an effective and consistent manner. This document is reviewed at least annually.

6 – Our responsible security disclosure

Harvest maintains an active public program on HackerOne. We encourage all security reports to be made via our program on HackerOne. Alternatively, email a complete description of the issue to security@getharvest.com including code samples and as much detail as possible.