Feature

Built for European compliance. No surveillance.

SSO, MFA, audit logs, isolated infrastructure, and EU-only hosting — without screenshots, webcam monitoring, or keystroke logging.

[Figure F-SEC-01, "SSO configuration": workspace settings page showing a configured SAML provider with domain whitelist and SSO enforcement toggle.]

Compliance that is specific, not a buzzword

We built Hourvio in Germany and every byte of customer data lives on European servers in Germany. GDPR is not a feature we charge extra for — it is the default on every plan, including Free. Our company, Hexa Logic UG (haftungsbeschränkt), is subject to German and EU law, and our data processing agreement is part of the subscription, not an upsell.

From the Professional tier onward, every workspace runs on isolated infrastructure: a dedicated database and a dedicated application server per customer. No shared pools, no noisy neighbors, no cross-tenant query paths. Business adds SAML and OAuth SSO with domain whitelisting and an audit log with configurable retention up to ten years.

We do not take screenshots of your team. We do not record their cameras. We do not log keystrokes or track the mouse. We do not score people on productivity heat maps. Hourvio records time the user and the manager choose to record, and nothing else. If you want employee monitoring, Hourvio is the wrong product. If you want a time tracker that trusts your team, you are in the right place.

  • SAML 2.0 SSO (Business)

    Configure an identity provider with metadata URL, entity ID, SSO URL, and certificate. Supports enterprise-grade identity infrastructure.

  • OAuth 2.0 SSO (Business)

    Configure OAuth 2.0 providers with client ID, client secret, issuer, authorization URL, and token URL. Run alongside SAML if you need both.

  • Multi-provider SSO

    Run multiple SSO providers side by side for subsidiaries, acquired teams, or mixed identity systems. Enable or disable each independently.

  • Domain whitelist and SSO enforcement

    Restrict SSO to specific email domains and force those domains to sign in exclusively via SSO. Passwords disappear from the equation.

  • MFA with TOTP (Starter)

    TOTP-based MFA with QR enrollment works with Google Authenticator, Authy, 1Password, and any standards-compliant app. Admins can enforce it workspace-wide.

  • Password policies

    Eight-character minimum enforced everywhere, bcrypt hashing, and HttpOnly cookies with SameSite=Strict and path scoping on every session.

  • Audit log with retention (Business)

    Append-only audit log for every state-changing action, with user, IP, timestamp, and field-level diffs. Retention configurable from thirty days to ten years.

  • Isolated infrastructure (Professional+)

    From the Professional tier, every workspace runs on a dedicated database and application server. No shared pools, no cross-tenant paths.

  • EU hosting only

    All customer data lives in German data centers. No transatlantic data transfers, no US processors, no dependency on the Privacy Shield saga.

  • On-Premises deployment option

    For teams that must host the product in their own data center, an On-Premises deployment is available with its own support track.

SSO with SAML or OAuth, multi-provider

Configure identity providers directly in workspace settings. SAML 2.0 for enterprise identity systems, OAuth 2.0 for modern providers, and both together if your team spans acquisitions. Add domains to the whitelist, enforce SSO-only sign-in for those domains, and let auto-provisioning create new user accounts from the SSO assertion the first time someone logs in. Everything stays inside your workspace settings. No third-party identity proxy, no surveillance.

  • Configure SAML 2.0 and OAuth 2.0 providers in workspace settings
  • Run multiple providers side by side and enable each independently
  • Domain whitelist restricts SSO to the email domains you approve
  • SSO enforcement removes the password option for whitelisted domains
  • Auto-provisioning creates accounts from the SSO assertion on first login
  • Edit or delete providers without breaking existing sessions

[Figure F-SEC-01, "SSO config": SSO configuration page showing a SAML provider with metadata URL, domain whitelist, and an SSO enforcement toggle.]

MFA that is mandatory, not optional

Users enroll TOTP-based MFA by scanning a QR code with Google Authenticator, Authy, 1Password, or any standards-compliant app. Admins can enforce MFA workspace-wide, and on next login every user without MFA lands on the enrollment page before they can access anything else. If a user loses their phone, an admin can reset their MFA and force re-enrollment without touching any other account state.

  • TOTP with QR enrollment; manual secret fallback for edge cases
  • Workspace-wide enforcement with one admin toggle
  • Users blocked from the app until MFA is enrolled when enforced
  • Admin MFA reset for lost devices, audit-logged
  • Session security with HttpOnly cookies and short-lived access tokens
  • Refresh tokens rotate without interrupting active sessions

[Figure F-SEC-02, "MFA": MFA enrollment page showing a QR code, manual secret fallback, and a six-digit code entry field.]

Audit log with long retention

Every state-changing action in the workspace is recorded in an append-only audit log: user, IP address, timestamp, action, entity, and a field-level diff of old and new values. Filter by user, by action, by entity type or ID, or by date range. Export the result to CSV up to fifty thousand rows per export. Retention is configurable from thirty days to ten years, so the log matches your compliance program without carrying unnecessary data forever. No screenshots, no cameras, no productivity scoring — just the actions people actually took.

  • Append-only log of every state-changing action, no updates, no deletes
  • User, IP, timestamp, action, entity, and JSON diff per entry
  • Filter by user, action, entity type and ID, or date range
  • CSV export up to fifty thousand rows per operation
  • Retention configurable from thirty days to ten years
  • Tracked events cover users, projects, entries, approvals, invoices, workspace config, and API keys

[Figure F-SEC-03, "Audit log": audit log viewer showing filtered entries with user, IP, action, entity, and a JSON diff panel.]

Available from the Business plan

European compliance without the surveillance

Join the Early Access list and we will email you the moment your workspace is ready. No credit card, no commitment.