EU VAT Accounting

Today we made a change to the way in which we bill our EU customers. From now on we don't charge VAT to any EU based customer (outside of the UK), regardless of if they supply us with a VAT number.

VAT will only be applied to UK based customers.

This is to align with recent changes to Timetastic, both in the app and on the Terms and Conditions. The changes mean we no longer have to fall back to the consumer rules for supplying services to EU countries.

The changes that have given rise to this are:

  1. We have now included in the Terms and Conditions that Timetastic is a business only service - which it very much is, that includes charities and public bodies obviously.

  2. We have moved the field to set your country and VAT number to the billing page, as part of the payment process.

  3. Prior to implementation we undertook a review of our customer base to look at the likelihood of consumer based use - and found no real evidence. So these changes align VAT treatment with that evidence.

Hope that all makes sense, if you have any questions then please contact support.

Timetastic Updates

The full Timetastic changelog is available here.

But here's a summary of items since April:

6th April

Partly driven by GDPR we now include more of the detailed information on each booking in the details modal:


It was a big release, we also included more data in the downloadable excel reports, improved mobile dialogue boxes, and a handful of speed, security and accessibility improvements.

20th April

T&C's were updated to reflect the requirements of the new General Data Protection Regulation (GDPR).

27th April

A bug fix release, and improved some minor usability items on the mobile version.

3rd May

A big feature improvement here. All users can now easily see their outstanding requests and send a reminder to their boss for approval.


We have a detailed support article on this feature here

3rd May

Bug fixes on the signup form.

9th May

Some minor usability tweaks on the USERS page - mainly some tool tips to guide users and a row however so it's easier to scrutinise the information contained in the table.

11th May

More updates driven by GDPR work - this time including Sendgrid in our list of 3rd Party Apps - our own sub-processors.

3rd Party apps used by Timetastic

16th May

We had a few problem with password resets, some of the lesser used email clients were making a mess of the reset tokens - fixed.

Fixed a bug where profile photos weren't showing on the Pending Leave page.

Some minor usability improvements including guidance tooltips for new admin users.

17th May

Updated T&C's in regard to GDPR - to cover any special category data that may be caught from user input.

You can also now signup to receive a notification if we change sub-processors here

6th June

Given the recent Facebook data sharing allegations we looked at Timetastic and thought we could perhaps do better in this regard. You can now see what data will be shared with any of the integrations (Slack).


6th June

We made some security updates based on our latest internal vulnerability scan.

9th June

Fixed links in plan text emails and a few bugs fixed in relation to the Slack integration and changing approvers in the USERS screen.

A busy few months :)

Timetastic... faster and more reliable than ever.

Good news - our growth shows no sign of abating, we now have over 120K people using Timetastic. To keep Timetastic running smoothly for all these users, over the past few months the engineers have focused on on improving speed and reliability.

Some of you may be interested in the following two items that have given us us the greatest improvements:


We've started using Cloudflare with Timetastic. Without getting too technical, Cloudflare is like a swiss army knife of features designed to help your website and web app run faster and safer. It helps deliver content quicker, and provides additional protection if hackers try to run malicious code against your app.

Load balancing.

We are now running Timetastic from two datacentres - one near London, and one near Cardiff (both operated by Microsoft's Azure cloud). In the event that something bad was to happen at one data centre, you will automatically switch to the other one, keeping everything running at all times.

We've also done the same with our database - all data is replicated (or copied) to another "backup" database in a different data centre. If something bad was to happen to the main database, we switch to the backup, again keeping everything up and running.

What can be condensed into a short blog post was no meant feat though, a lot of work goes into ensuring Timetastic continues to run fast and stable, and we hope you feel the benefit.

GDPR - Actions to Date

Like many out there our first reaction to assessing GDPR was a huge sigh, pained expressions, and general discontent. All this red tape, more legals, what does it mean? Are we doing something wrong? What was wrong with the current legislation?

But as we draw closer to the final date for implementation - 25th May, as we move through the process and make the necessary changes - I admit, we've become fans, we like the changes. The focus on security and privacy builds confidence. Sure there are challenges to overcome, there's been plenty of head scratching, but the additional focus is driving a better Timetastic, for both us and our users.

So here's a run down of what's changed at Timetastic, driven by GDPR in the last few months:

Changes to date


We have always used hashing to store passwords, but the introduction of GDPR forced us to look further and so we introduced full encryption at rest for the databases using Transparent Data Encryption


We terminated our link to Gravatar. From the outset of Timetastic we linked to Gravatar to pull though user profile photos. We see no malice in their service and nothing to suggest ill intentions, but requesting an image related to a given email address does indeed share information with them. Our concern was that we never found any privacy policy or mention of GDPR in their terms, combine that with a) the actual function brought to Timetastic through this data sharing was fairly minimal and b) we already provide an alternative in that users can upload their own photo directly to Timetastic, we felt it cleaner to remove the integration.

Keep me logged in

We used to store a cookie automatically on users machines to keep them logged in. We switched that off and instead implemented a 'keep me logged in' option on the login form.


To increase security of Timetastic we've started using a service called Cloudflare. Cloudflare helps speed up Timetastic while at the same time helps protect against denial-of-service attacks, customer data compromise and abusive bots


We spotted that our existing employee contracts didn't contain a confidentiality clause covering client data. That's been rectified, all staff have since singed a dedicated Confidentiality Agreement.

Work in Progress

Audit and Access logs

The very nature of Timetastic means that users can login and see their data and activity, and the excel reports already contain most of the information most will ever need to satisfy themselves. But to ensure data controllers are able to fully meet their obligations in seeing all the processing activities Timetastic undertakes we are implementing a full audit log, available in excel format.


We had no deletion policy on our customer service requests (I suspect this may be the case for many organisations) these requests could indeed contain personal information, was well as email addresses and contact details people sometimes forward spreadsheet and images.

We are in the process of implementing an automate service to delete all customer service emails 12 months after they were created.

Terms and Conditions

We are in the process of updating these to include the specific requirements laid down in article 28.

Articles 28 - a customers right to audit

This is an interesting one and definitely a cause of heard scratching. The requirement is that Timetastic makes "available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller."

We don't disagree with the principle but as of the time of writing we have over 8,000 organisations registered to use Timetastic, if just 5% of those exercised their right to audit we'd be facing 400 audits!

We don't yet have a full solution to this dilemma, one proposal is to implement an audit fee. That's about the only way to ensure that if we did get inundated we'd be able to financially cover the situation, rather than sinking under the paperwork, which is not in our interest or that of any customer.

What we hope to implement is one annual GDPR audit and make those findings of that publicly available, in essence negating the need for any individual customer audits. Please appreciate though, at the time of writing GDPR is new, not even active yet, and hence post implementation audit services are not well defined. Finding an appropriate auditor or reputable self certification scheme is something we're going to have to pursue after 25th May.

Timetastic downtime - 20th Feb

On the 20th February, 2018, at about 20:10, Timetastic had a problem, and was out of action until just after 22:00. We're very sorry about this, it's the last thing we want for our customers.

This blog post goes into detail about what happened, and what we are going to do to help reduce the liklihood of it happening again.

What happened?

We host Timetastic in Microsoft's Azure cloud. At 20:12, they started experiencing problems in their "UK South" region, which is what Timetastic uses. This took our database out of action. The following is taken from the Azure status page:

Summary of impact: Between 20:12 and 21:50 UTC on 20 Feb 2018, a subset of customers in UK South may have experienced difficulties connecting to resources hosted in this region. Impacted services included Storage, Virtual Machines, Azure Search and Backup. Some Virtual Machines may have experienced unexpected reboots.

Preliminary root cause: Engineers continue to investigate a potential power event that occurred in the region, impacting a single storage scale unit.

Mitigation: The impacted storage scale unit automatically recovered.

Next steps: Engineers will continue to investigate to establish the detailed root cause, and the full root cause analysis report will be posted on this Status History page and in the Azure Service Health blade of customers' management portals once completed.

After it was clear that the problem wasn't going to resolve very swiftly, we switched the Timetastic database to use our secondary failover. As soon as this operation was complete, we were able to bring everything back online again.

Mitigation Strategy / Lessons learned

We were able to sucessfully switch (failover) to our database backup hosted in another region. However, it took a while to a) Identify that the failover was going to be required, and b) for the failover to complete.

We're working with Microsoft to determine a more efficient solution to this - so that in the event that Azure has a similar issue, we can failover in a much smaller time window - ideally with no downtime at all!

Once again, we're sorry about this if anyone was affected.