- Our service providers operate state-of-the-art data centers which are externally audited to the SSAE 16 SOC 1 Type I standard and are ISO 27001 compliant. 24/7 on-site staff, biometric security procedures, and round-the-clock surveillance monitoring maintain protection against unauthorized entry and physical security breaches.
- Deskpro maintains contractual relationships with vendors to provide the Service in accordance with our Data Processing Agreement. Deskpro relies on these contractual agreements, privacy policies and vendor compliance programs to protect the data processed and stored by our vendors.
- All customer data is immediately written to disk and backed up across multiple locations. Our core databases are replicated and stored in additional datacenters. These datacenters are run by a variety of US and EU providers for extreme redundancy in the unlikely event of a multi-datacenter failure.
- We retain daily backups of all databases. All attachments are stored in Amazon S3, which includes high-availability backup services - we maintain our own backup servers too, just in case.
- Should you no longer wish to use Deskpro, we maintain backups of your accounts for 60 days - after which your data is completely deleted from all our systems.
- Deskpro is protected via SSL for data in transit. This means your connection with the Deskpro service is encrypted, and SSL encryption is available for both Cloud and On-Premise deployments. All cloud customers have SSL encryption enabled as part of their plan and we do not support unencrypted access to the Deskpro service.
- We also use consistently up-to-date server software, regularly patched and updated with the latest security implementations.
- We fully automate deployment of servers, and use tested processes to create and manage the utmost server security. Our systems are password protected, limited to authorized IPs, encrypted where relevant, and use two-factor authentication. Deskpro system audit logs are always maintained and checked for anomalies, and we use contracted third-party DDoS providers to protect from distributed attacks.
- All Deskpro staff are trained in security best practices, and constantly maintain knowledge of the evolving application security landscape. Our software is always kept up to date, and all customers are upgraded to the latest version of the software automatically.
- Deskpro has been built to mitigate common attack vectors, such as SQL injection attacks and cross-site scripting attacks (XSS). We hash passwords with a salt, because hashing passwords is more secure than encrypting them. We don’t maintain access to original passwords, so even in the unlikely event of a database compromise, all passwords would remain secure.
- All access to Deskpro is logged for reference, and helpdesk tickets include a full audit log - meaning any action performed on a ticket can be traced back in full. We also include an Admin Log of actions, so any changes made to the system can be monitored.
- Deskpro is tested with unit testing, human auditing, application penetration testing, static analysis and functional tests. To find out more about how to secure your Deskpro On-Premise installation, see our security recommendations in the Sysadmin Manual.
- Deskpro uses a number of services including Pingdom, Server Density, CloudWatch, Scalyr, New Relic, and others to monitor server performance.
EU-US Privacy Shield
- Our data centers and any other sub-contracted Data Processors in the United States are EU-US Privacy Shield certified and any transfer of EU data to the United States is subject to the provisions of our Data Processing Agreement.
- Deskpro doesn’t store credit card data. We use external PCI compliant services (Spreedly and Stripe) to provide billing services. Your credit card data momentarily passes through our servers, and for this reason we are verified as Payment Card Industry Data Security Standard (PCI DSS) compliant.
- If you are a security expert or researcher, and you believe that you have discovered a security related issue with Deskpro’s online systems, we appreciate your help in disclosing the issue to us responsibly. We ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it.
- For details on how to contact us regarding security issues, please see Responsible Disclosure.