Time Tracking That Passes Your Own Audit

You know the difference between "encrypted" and "end-to-end encrypted."
P256 ECDH key agreement. ChaCha20-Poly1305. HKDF-SHA256.
Your client data is encrypted on your device. It syncs to your iCloud — we never see it.

P256 ECDH | ChaCha20-Poly1305 | Zero-Knowledge

Zero-Knowledge

Keys generated on your device. Data syncs to your iCloud, not our servers. We never see your data — not even encrypted.

Modern Crypto

P256 ECDH, ChaCha20-Poly1305, HKDF-SHA256. Apple CryptoKit implementation. No custom crypto.

Auditable

Standard crypto primitives. Apple's audited CryptoKit. Review our implementation.

Sensitive Intel

Your Time Records Are Threat Data

Your timesheet reveals information adversaries would love to have:

  • Client names — Which companies are investing in security (or need to)
  • Engagement types — "Pentest - external perimeter," "IR - ransomware," "Compliance gap"
  • Vulnerability details — Notes about findings before remediation
  • Project timelines — When security assessments are happening
  • Your methodology — What you spend time on reveals your approach

"You wouldn't use a time tracker that stores your pentest notes in plaintext. So why use one that stores client names and engagement descriptions that way?"

The Crypto, Reviewed

For those who want to verify.

Key Agreement

P-256 (secp256r1) ECDH
- Key pair generated on first launch
- Private key in iOS Keychain (Secure Enclave when available)
- Public key for derivation only

Key Derivation

HKDF-SHA256 (RFC 5869)
- Domain: "tenths.encryption.v1"
- Per-record 32-byte random salt
- 256-bit derived keys

Symmetric Encryption

ChaCha20-Poly1305 (RFC 8439)
- AEAD construction
- 256-bit key, 96-bit nonce
- Authentication tag prevents tampering
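
The three stages listed above map directly onto CryptoKit calls. The Swift sketch below is an added example, not Tenths' own code: only the primitives, the domain string, the 32-byte salt and the key and nonce sizes come from this page. The `SealedRecord` layout, the function names, and the second key pair standing in for the unspecified ECDH peer are assumptions.

```swift
import CryptoKit
import Foundation

// Domain string as given on the page; all type and function names are hypothetical.
let domain = Data("tenths.encryption.v1".utf8)

struct SealedRecord {
    let salt: Data      // 32 random bytes, stored in the clear beside the ciphertext
    let combined: Data  // 12-byte nonce || ciphertext || 16-byte Poly1305 tag
}

// HKDF-SHA256 (RFC 5869): a fresh salt per record yields an independent 256-bit key.
func recordKey(_ secret: SharedSecret, salt: Data) -> SymmetricKey {
    secret.hkdfDerivedSymmetricKey(using: SHA256.self, salt: salt,
                                   sharedInfo: domain, outputByteCount: 32)
}

func sealRecord(_ plaintext: Data, secret: SharedSecret) throws -> SealedRecord {
    let salt = Data((0..<32).map { _ in UInt8.random(in: 0...255) })  // system CSPRNG
    // CryptoKit picks a random 96-bit nonce when none is supplied.
    let box = try ChaChaPoly.seal(plaintext, using: recordKey(secret, salt: salt))
    return SealedRecord(salt: salt, combined: box.combined)
}

func openRecord(_ record: SealedRecord, secret: SharedSecret) throws -> Data {
    let box = try ChaChaPoly.SealedBox(combined: record.combined)
    return try ChaChaPoly.open(box, using: recordKey(secret, salt: record.salt))
}

// Assumption: the page does not name the ECDH peer, so a second local key stands in.
let deviceKey = P256.KeyAgreement.PrivateKey()
let standInPeer = P256.KeyAgreement.PrivateKey()
let secret = try deviceKey.sharedSecretFromKeyAgreement(with: standInPeer.publicKey)

let note = Data("constructed sample note".utf8)
let first = try sealRecord(note, secret: secret)
let second = try sealRecord(note, secret: secret)
precondition(first.combined != second.combined)  // same plaintext, unrelated ciphertexts
let recovered = try openRecord(first, secret: secret)
precondition(recovered == note)

// Flip one bit of the tag: authentication must fail before any plaintext is returned.
var forged = first.combined
forged[forged.index(before: forged.endIndex)] ^= 1
let tampered = SealedRecord(salt: first.salt, combined: forged)
precondition((try? openRecord(tampered, secret: secret)) == nil)
```

Because the salt feeds the key derivation, altering a stored salt also produces a different key and fails the Poly1305 check. The sketch needs a platform that ships CryptoKit (iOS 13 / macOS 10.15 or later).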

Key Backup

BIP-39 12-word mnemonic
- Standard word list
- Recovers full key material
- Compatible with HW wallet flows

Full Cryptographic Specification

Threat Model

What happens to your data in various scenarios.

Scenario | Your Data
Our servers are breached | No user data to steal — it's in your iCloud
Rogue employee accesses backend | Nothing to access — we don't store your data
Government subpoenas our records | Nothing to produce — your data is in your CloudKit
Our company is acquired | New owner gets no user data — it was never ours

"This is the architecture you'd recommend to your clients. Now use it yourself."

Security Engagements

Pentest & Assessment Tracking

  • Quick Notes (Encrypted) — "Found SQLi in login portal"
  • Multiple Rate Types — Assessment vs. report writing
  • Flat Fee + Hourly — Track scope creep for future negotiation
Incident Response

Time-Critical Tracking

  • One-tap timer start — During active incidents
  • Offline capable — For air-gapped situations
  • Export timeline — For post-incident billing and insurance claims
  • Retainer tracking — Monthly hours with overflow to hourly

When Clients Ask About Your Security

Your enterprise clients send vendor security questionnaires. When they ask about your time tracking:

Is data encrypted at rest?

Yes. All data is encrypted on-device before storage or sync using ChaCha20-Poly1305.

Is data encrypted in transit?

Yes. iCloud sync uses TLS. Additionally, our data is encrypted end-to-end before transmission.

Who has access to our engagement data?

Only you. Your data is encrypted on your device and syncs to your personal iCloud — we never see it, store it, or have access to it.

Do you have SOC 2?

SOC 2 certifies how a company handles customer data. We don't handle customer data at all — it's encrypted on your device and syncs to your iCloud, not our servers. We have nothing to audit.

Why Not Generic Time Trackers?

Criteria | Tenths | Generic Tools
Key Management | Client-side only | Server-side
Encryption | E2E (on device) | At rest (server)
Vendor Access | Zero knowledge | Full access
Breach Impact | No user data on our servers | Plaintext exposed
Crypto Standard | P256 + ChaCha20 | Unknown/AES

Use Cases

Penetration Tester — Solo Consultant

"I do pentests for 20+ clients a year. Each engagement includes findings that could be weaponized. I can't have that data in a system someone else controls."

Solution: Each client in Tenths, each engagement as a matter. Track recon, testing, and reporting time. Add notes about findings (encrypted). Your client list and findings stay encrypted with your keys.

Security Firm — Multiple Consultants

"We have 8 consultants. We need time tracking for billing but can't have cross-consultant data access."

Solution: Each consultant uses their own Tenths instance with their own keys. Export time to your PSA for consolidated billing. No shared access to client data across consultants — by design.

Incident Responder — On Call

"I get calls at 2 AM for ransomware incidents. I need to track time immediately and accurately for insurance reimbursement claims."

Solution: Widget on your home screen. One tap to start tracking. Add client when you know who it is. Notes about the incident stay encrypted. Export detailed timeline for insurance claim support.

vCISO — Multiple Clients

"I'm fractional CISO for 6 companies. Each thinks they're my only client. Time tracking needs to be airtight."

Solution: Each company as a separate client. Track advisory hours, meeting time, project work. No risk of exposing Client A's engagement while working for Client B. Export separate invoices per client.

For Professionals Who Value Security

Free tier works indefinitely. Upgrade when you need more exports.

Free
$0

Try the architecture

  • Unlimited clients/engagements
  • Full E2E encryption
  • iCloud sync
  • AI Assistant
  • 1 export per month

Technical FAQ

Can I audit your crypto implementation?

We use Apple's CryptoKit for all cryptographic operations — no custom crypto. Our implementation follows standard patterns. We're open to security researcher review.

What if Apple has a CryptoKit vulnerability?

We use CryptoKit because it's audited, hardware-accelerated, and maintained by Apple's security team. If a vulnerability is found, we update with the OS. This is better than rolling our own crypto.

Is my data in iCloud?

Your encrypted data syncs to your personal iCloud account via CloudKit. We never see it. Apple sees only ciphertext in your private CloudKit container. Your data never touches our servers.

Can I self-host?

No. But you don't need to — we can't access your data anyway. Self-hosting would require us to build server infrastructure and you to maintain it. Our architecture makes that unnecessary.

Do you have API access?

Not currently. API access would require us to process requests with your data, which conflicts with our zero-knowledge model. Export to CSV/Excel for integration.

Use the security architecture you'd recommend

P256 + ChaCha20. Zero-knowledge. Free to start.