Security and Compliance

At Desk365, we prioritize the security of our customers and their data, placing it at the forefront of our operations and development of our enterprise-level customer support platform. Our security measures extend through various facets of our organization, including recruitment processes, software design, data center operations, and more.

SOC 2 Type 2

Our SOC 2 Type 2 accreditation confirms that Desk365 has undergone a comprehensive audit and consistently upholds top-tier industry standards for data protection and confidentiality through our security policies and controls.

Learn More

Cloud Infrastructure Security

Our platform infrastructure is primarily hosted on AWS Cloud, situated within virtual private clouds (VPC) that we set up and oversee. This configuration adds an extra layer of protection against unauthorized network requests. AWS is dedicated to securing the foundational infrastructure we rely on. They consistently enhance their compliance programs to ensure a robust security environment.
 

Learn more about AWS data center security: Secure Design – AWS Cloud Security

All Desk365 data is hosted in AWS data centers in the United States and European Union. The Desk365 Teams Bots are hosted on Microsoft Azure, situated within virtual private clouds(VPC) that we setup and oversee.

Privacy & GDPR Compliance

Desk365 understands the importance of privacy protection, which is why we maintain a robust security program. We are fully compliant with GDPR regulations, and we manage our customers’ personal data with the utmost care and respect, adhering to the guidelines set forth in our terms of service and privacy policy.

HIPAA Compliance

Desk365 prioritizes the security and privacy of customers’ health information by adhering to the stringent requirements set by the Health Insurance Portability and Accountability Act (HIPAA). Our platform is designed to support HIPAA compliance, enabling businesses to securely manage and protect electronic Protected Health Information (ePHI).

Learn more – https://help.desk365.io/en/articles/ensuring-hipaa-compliance-in-desk365/

Secure Personnel

Our Security team, which reports directly to the CEO, manages all security dimensions within the organization, including Cloud Infrastructure and Product Security. We prioritize security from the outset, incorporating it into our hiring practices, training programs, and various internal operations.
 

Background Checks:

Before being hired, all prospective employees are subject to comprehensive background and reference checks. These checks are designed to verify the credentials and histories of candidates to ensure they meet our organizational standards for integrity and reliability.
 

Security Training:

We provide regular security training to all departments and organizational units. This training raises awareness of various security threats such as social engineering and phishing, and equips employees with tools and best practices to mitigate these risks.

Application Security

We provide the following application security measures and highly recommend them to secure your helpdesk and data associated with it.

Secure Authentication:

You can enforce strong authentication rules for all your users. We recommend utilizing Azure AD single sign on (if your organization uses Microsoft 365) to access Desk365.

Role-based Access:

To limit access based on the principle of least privileged access and prevent conflict of interest, you can enforce differential access based on the user’s responsibilities.
 

Access Administration:

You can establish processes to provide appropriate access to your users and remove accesses that are no longer valid.

Data Security

We implement numerous strategies to ensure the highest security of all customer data, including the following:

Encryption in Transit:

Data transmitted to Desk365, whether through our applications, Microsoft Teams, or APIs, is always protected with HTTPS/TLS encryption. We use a minimum of the TLS 1.2 protocol, RSA encryption, and 2048-bit keys to secure data transmissions, ensuring user data remains safe when accessed via public untrusted Wi-Fi or private networks like those at home or in the office.

Encryption at Rest:

All stored data is secured on encrypted volumes using one of the strongest block ciphers available, the 256-bit Advanced Encryption Standard (AES-256), to ensure the confidentiality and integrity of your data.
 

Compute Security:

Desk365 applications are hosted on securely isolated virtual machines (VMs) provided by AWS Elastic Compute Cloud (EC2) and related services. AWS ensures that VMs do not share common memory space and fully scrubs them upon deletion.

Network Security:

All VMs are situated within isolated AWS Virtual Private Clouds (VPC). VMs handling sensitive data are placed in private networks within the VPC, preventing direct external access.

Firewall Security:

The VMs are configured with specific firewall rules that only open the ports necessary for the required applications and services to operate, and only to designated servers that require access.

Engineering Practices

We adhere to numerous engineering best practices specifically designed to meet the changing security demands of cloud-based services like ours.

Secure by Design:

Security measures are incorporated from the beginning stages of software design, making them a fundamental part of the development process.
 

Incident Response Plan:

This is a detailed plan that outlines the actions to be taken in case of a security incident, aimed at minimizing damage and facilitating a swift recovery.
 

Secure DevOps:

Security practices are woven into the DevOps cycle, ensuring that security is upheld at every stage of the software development lifecycle.

Access and Permission Controls:

Software access for employees is granted based on the Principle of Least Privilege (POLP), ensuring they have only the access necessary for their roles. Access is revoked upon departure from the organization, and regular audits are conducted to ensure access remains aligned with job requirements.
 

Vulnerability Assessment and Penetration Testing:

We regularly engage an independent security firm to perform Vulnerability Assessment and Penetration Testing (VAPT). Through close collaboration with this firm, we thoroughly investigate any security breaches that are detected and assess their impact. Should any issues arise, we are committed to addressing and resolving them swiftly.

Uptime and Data Availability

We strive for 99.99% across all our applications. For enhanced availability, our systems automatically duplicate your data in real time across multiple locations. We also maintain daily backups to guarantee swift recovery in the rare scenario of all data replicas failing simultaneously. Our monitoring system promptly notifies us of any issues, and we have on-call staff 24/7 ready to manage any unforeseen incidents.