Assuring the confidentiality of data that your customers trust you with is one of your core operational imperatives. When handling this data for you, our top priority is to deliver a high performance service where the safety of customer data is at the forefront of all decisions we make.
Our service provider’s state-of-the-art data centers are externally audited to the SSAE 16 SOC 1 Type I standard. 24x7x365 on-site staff, combined with biometric access controls and round-the-clock surveillance monitoring, maintain protection against unauthorized entry and security breaches.
All your data is immediately written to disk and backed up in multiple locations. Our core MySQL datastores are replicated to additional datacenters run by different providers in both the US and the EU for extreme redundancy in the unlikely event of a multi-datacenter failure. We also retain daily backups of all databases. Attachments are stored in Amazon S3, which includes high-availability backup, as well as on our own backup servers.
Should you leave the DeskPRO service, we maintain backups of your accounts for 60 days, after which your data is completely deleted from all our systems.
- DeskPRO’s service is protected via SSL. Your connection with the DeskPRO service is encrypted. SSL encryption is available on all DeskPRO plans.
- DeskPRO uses up-to-date server software which is regularly patched, and security updates are implemented promptly.
- DeskPRO automates its deployment of servers. We have tested and maintained processes to create and manage secure servers.
- All DeskPRO systems are password protected, limited to authorized IPs, encrypted where relevant, and use 2-factor authentication; audit logs are maintained.
- DeskPRO uses contracted third-party DDoS protection providers to defend against distributed denial-of-service attacks.
- DeskPRO staff are trained in security best practices and constantly follow the evolving standards and best practices.
- The DeskPRO software is always up to date; all customers are upgraded to the latest version of the software automatically.
- DeskPRO has been written to mitigate common attack vectors such as SQL injection attacks and cross-site scripting attacks (XSS).
- DeskPRO hashes passwords with the SHA1 algorithm and a salt. Hashing passwords is more secure than encrypting them: we don’t have access to the original password, so even in the event of a database compromise these passwords would remain secure.
- Access to DeskPRO is logged.
- Tickets in DeskPRO include a full audit log so any action performed on a ticket can be traced back to the person who made those changes.
- DeskPRO includes an Admin Log of actions, so any changes made to the system can be monitored.
- DeskPRO is tested with unit testing, human auditing, application penetration testing, static analysis and functional tests.
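To illustrate the salted-hash scheme mentioned in the password bullet above, here is an added Python example (not DeskPRO's own code): a random per-user salt is stored beside the digest, and login re-hashes the candidate and compares digests in constant time, so the original password is never stored. A deliberately slow PBKDF2 variant is shown alongside it because a single fast SHA-1 round is cheap to guess against offline after a database compromise; all function names are hypothetical.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def hash_password_sha1(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a salted SHA-1 password hash."""
    if salt is None:
        # Fresh random salt per user: identical passwords get different digests,
        # which defeats precomputed (rainbow-table) lookups.
        salt = os.urandom(16)
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return salt, digest


def verify_password_sha1(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-hash the candidate with the stored salt and compare digests."""
    _, candidate = hash_password_sha1(password, salt)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, stored)


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None,
                         iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Same idea with a slow KDF (PBKDF2-HMAC-SHA256): each guess costs
    `iterations` hash rounds instead of one, so offline cracking is far slower."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password_pbkdf2(password: str, salt: bytes, stored: bytes,
                           iterations: int = 600_000) -> bool:
    _, candidate = hash_password_pbkdf2(password, salt, iterations)
    return hmac.compare_digest(candidate, stored)
```

Store the salt, the digest and (for PBKDF2) the iteration count per user; only the digest is compared, never the password itself.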
To find out more about how to secure your DeskPRO On-Premise installation, see our security recommendations in the Sysadmin Manual.
We use a number of services, including Pingdom and Server Density, to monitor our servers’ performance. Pingdom reports our uptime as 99.97% for the last 12 months at the time of writing (Feb 2017).
Safe Harbor Compliant
Our datacenters in the United States are Safe Harbor compliant.
DeskPRO does not store your credit card data; we use SagePay to provide billing services. Your credit card data does momentarily pass through our servers, and for this reason we are verified as Payment Card Industry Data Security Standard (PCI DSS) compliant. This compliance is handled by Security Metrics and includes a self-assessment questionnaire and a quarterly security scan of our servers.
Responsible Disclosure Policy
Our responsible disclosure policy can be found here. We wish to thank the following security researchers:
- Rohan Kumar Birtia @c0ld_b00t3r
- Osama Ansari @AnsariOsama10
- Simone Memoli
- Shahmeer Amir @Shahmeer_Amir
- Babar Khan Akhunzada
- Ali Kabeel
- Hamid Ashraf
- Hammad Shamsi @HammadShamsii
- Salman Khan Champion Dezign Burg
- Owais Ahmed Siddiqui
- Nitin Goplani
- Shahzee Mirza @shaheemirza
- Daksh Patel @Dakshxss
- Shivam Kumar Agarwal @netanalysts
- Ankit Bharathan @provensec