Security

The security of your data has always been a priority for us. Whether you choose to deploy your helpdesk on the Cloud or On-Premise, we are committed to protecting and securing your data.

Security by design

Deskpro is committed to constantly maintaining knowledge of the evolving application security landscape and ensuring that security best practices are upheld across the whole organization.

We provide customers with a vast array of customizations, including the choice of how to deploy Deskpro, either on Cloud or On-Premise (self-hosted), and where your data is stored.

For our cloud hosting, we use industry-leading AWS. You can view their security page here.

Protecting Your Data

The aim of Deskpro's security practice is to prevent any unauthorized access to customer data.

We are always looking at ways in which we can improve the security of Deskpro, taking exhaustive steps to find and mitigate risks.

Regular management security reviews are in place to address any areas that we believe can be improved upon and further secured. This may be implemented through new security certification, compliance work or third-party testing to ensure best practices and improve security across the whole of Deskpro.

Security Features

  • 24/7 on-site security teams
  • Least Privilege Access
  • Full daily backups
  • 256-bit Advanced Encryption Standard (AES)
  • Two Factor Authentication
  • Vulnerability Scanning
  • Mitigating common attacks
  • Annual penetration testing

Security white paper

Learn more about how Deskpro ensures the data in your helpdesk is always secure, whether you choose Cloud or On-Premise deployment.


GDPR compliance

GDPR is the most significant change to European data privacy legislation in over 20 years. Deskpro provides tools in product, as well as our DPA, allowing you to be GDPR compliant using Deskpro.


Platform Uptime

Deskpro maintains a high level of availability on the cloud platform, averaging over 99.9%. You can check the status of the cloud software on our publicly available status page.


Physical Security

Facilities

Our cloud service data-center provider (AWS) operates state-of-the-art data centers that are ISO27001, PCI DSS Level 1, HIPAA, EU-US Privacy Shield and SOC 2 Type compliant. Automated fire detection and suppression systems are installed in networking, mechanical, and infrastructure areas. All AWS data centers are constructed to N+1 redundancy standards.

On-site security

Our data center facilities have 24/7 on-site staff. Physical access points to server rooms are covered by CCTV, and biometric security procedures together with round-the-clock surveillance monitoring maintain protection against unauthorized entry and physical security breaches. The facilities also require background checks for all employees as part of pre-employment screening.

Server Monitoring

AWS' Global Security Operation Centers conduct 24/7 monitoring of data center access activities, with electronic intrusion detection systems installed in the data layer. Systems are constantly monitored by the Deskpro Security Team.

Locations

Deskpro offers deployment of cloud accounts onto data centers located in the US, UK or EU. Customers can choose the region in which their data is exclusively hosted.

Uninterruptible Power Supply

Each facility is equipped with an uninterruptible power supply (UPS) and backup generators in case of power disruption.

Hard Perimeter

Each of our data centers has a controlled perimeter layer with 24/7 on-site security teams, restricted and controlled physical access, multi-factor authentication, electronic intrusion detection systems and door alarms.

Data Center

  • 24/7 on-site security teams
  • CCTV
  • Biometric security procedures
  • Round-the-clock surveillance monitoring

Network Security

Dedicated Security Team

Deskpro has a Security Team that is distributed across the globe. It provides 24/7 monitoring of, and response to, security incidents and alerts.

Firewalls

Deskpro’s public-facing network is protected by Cloudflare Enterprise, which filters all incoming traffic from the internet. Public-facing email servers are protected by AWS Shield, which similarly monitors and filters incoming traffic from the internet. No other services or access are exposed to the public internet.

Architecture

Within Deskpro’s internal private network, which is not accessible from the public internet, we employ AWS security groups and IAM controls to lock down communication between components, so access to services must be granted explicitly on an as-needed basis. Systems cannot interact with each other unless we have explicitly planned and configured that interaction.

DDoS Mitigation

Deskpro system audit logs are always maintained and checked for anomalies, and we use contracted third-party DDoS providers, including both AWS Shield and Cloudflare, to protect against distributed attacks.

Least Privilege Access

Access to hosting servers and live environments is provided on a least-privilege basis. A very limited number of employees have access to live environments, and that access requires multiple levels of security clearance.

Security Incident Response (Team)

Deskpro monitors its cloud service 24/7 and has a response team on call 24/7 to respond to security incidents. Our hosting provider, AWS, also provides 24/7 global monitoring and support for the multi-location data centers used for Deskpro Cloud.

Vulnerability Scanning

Vulnerability scanning is undertaken across the network to identify any potentially vulnerable systems and allow security teams to quickly review any weak points.

Platform/Product Security

Development

Billing Security

Deskpro doesn’t store credit card data. We use external PCI-compliant services (Spreedly and Stripe) to provide billing services. Your credit card data momentarily passes through our servers, and for this reason we are verified as Payment Card Industry Data Security Standard (PCI DSS) compliant.

Quality Assurance

We have a dedicated Quality Assurance (QA) department that tests, reviews and triages our code base. For every update or release of the software, testing is performed by the development, support and QA teams using a multi-level approach.

Separate/Different Environments

There are separate environments for staging and testing. These environments are separated both logically and physically from the live production environment. No customer data is used in testing or development.

Penetration Testing

Deskpro is tested with unit testing, human auditing, application penetration testing, static analysis and functional tests. Third-party penetration testing is also completed on an annual basis.

Mitigating common attacks (XSS, CSRF, SQLi)

Deskpro has been built to mitigate common attack vectors such as SQL injection (SQLi) and cross-site scripting (XSS). Deskpro Cloud also takes advantage of Cloudflare's enterprise-grade Web Application Firewall (WAF) to automatically block or challenge suspicious requests.

Encryption

Data at Rest

All customer data is stored encrypted on AWS servers using the AES-256 encryption algorithm.

Data in Transit

Any data transmitted to and from the Deskpro platform is encrypted over the wire in line with industry best practices. Web traffic is secured by Cloudflare with TLS 1.2 or 1.3 using proven-secure cipher suites. More information about SSL/TLS at Cloudflare can be found here.

Software

Single Sign On

Admins can configure multiple options for SSO to the Deskpro platform, including OneLogin, Okta, Azure, SAML, and JWT authentication. Different configuration options are available for SSO, enabling you to customize how it interacts with agents and users.

Two Factor Authentication (2FA)

Deskpro enables 2FA through your SSO provider for admins, agents, and users.

API Security & Authentication

The Deskpro API is a REST-based API that runs securely over HTTPS. API requests can only be made by verified users. API authentication can be done through OAuth, API keys, or short-lived API tokens.

Custom Password Policies

Customizable password policies can be enabled for both agents and users. These include the ability to set a minimum password length, forbid password reuse, require a mixture of numbers and other characters, and force users to change their password after a set period of time.

Audit Logs

Comprehensive audit logs are kept for changes made by administrators. Each record includes the type of change, the action taken, who performed it and the timestamp at which it was executed. Activity logs for agents can also be viewed by admins, showing activity such as ticket replies or online time.

Availability & Security Incidents

Uptime

Deskpro maintains a high level of availability on the cloud platform, averaging over 99.9%. There is a publicly available status page, where you can check the status of the cloud software and its components here.

Redundancy

We use AWS with redundancy over at least two availability zones, with database backups offering 35 days' worth of point-in-time recovery if needed. Additional encrypted off-site backups are updated daily.

Responding to Security Incidents

Our Security Team has established procedures and policies for responding to and communicating about security incidents.

The severity of the security incident will dictate how we communicate and respond to our customers. If a security incident does occur, you will be kept updated via our Customer Success team, who will be on hand with updates and support throughout the incident.

All of our procedures and policies for responding to security incidents are evaluated and updated at least annually.

Disaster Recovery and Business Continuity Plan

In the case of an emergency or critical incident at any Deskpro premises, a business continuity plan is in place.

This plan was created so that we can continue to function as a business for our customers, whatever the scenario. The business continuity plan is tested and checked annually for applicability and for any additional improvements that could be made.

Data Retention and Disposal

Backups

Backup Duration

Should you no longer wish to use Deskpro, we maintain backups of your account for 60 days, after which your data is completely deleted from all our systems.

Number of backups

Primary backups offer point-in-time recovery for 35 days. Encrypted offsite backups are updated daily.

Disposal

Deleting Data

Your data is securely deleted from our primary data stores immediately upon request. Encrypted offsite backups of your data are purged through regular backup rotation every 60 days.

Removing Hardware

Any hardware no longer in use is fully wiped and disposed of using a regulated disposal service in accordance with ISO27001.

Organizational Security

Endpoint Security

Workstation Set-up

Before anyone joins Deskpro as an employee, their workstation is set up and configured to comply with all of our security policies. These policies require that all workstations are configured to a high standard and comply with security certification standards such as ISO27001 and Cyber Essentials Plus.

Each workstation has data encrypted at rest, strong passwords (managed by a secure password management vault), location tracking enabled, and screens that turn off automatically when idle.

Monitoring

A central management system is used to monitor, track and report on malware, unauthorized software and removable storage devices, and to ensure that all workstations are up to date with patches and security updates. We also have a strict no-removable-storage-device policy.

Any mobile devices (phones or tablets) used for work purposes are enrolled in a mobile device management system that provides location tracking, enforces secure passwords and uses SSO.

Confidentiality

All new hires are screened during the hiring process. On commencement of employment at Deskpro, employees, contractors and cleaning crews are required to sign a Non-Disclosure and Confidentiality agreement. This agreement remains in force after the employment contract ends.

Sensitive Information Access

Provisioning

Only certain people within the organization are given access to sensitive information. Access is granted on a need-to-know basis with role-based permissions, so that employees can perform their job to the best of their ability.

Our access control policy is implemented internally, and within Deskpro we have multiple levels of security clearance. Some access, such as extended support or screen-sharing scenarios, is performed on a client-agreement basis.

Authentication

To increase the security even further, Deskpro uses Two Factor Authentication (2FA) for systems that contain sensitive or personal data.

The use of Single Sign On (SSO) for employees enables management to disable or change access to all applications instantly. This is used when an employee leaves Deskpro or their access needs to be removed.

Password Management

As part of our internal password policy, Deskpro requires all employees to use an approved password manager. This ensures passwords are strong, kept in a secure location, regularly changed and not reused. Where necessary, the password manager alerts users to potential password risks to maintain a high level of security at all levels.

Vendor Management

Sub-service organizations

In order for Deskpro to run efficiently, we rely on sub-service organizations to help us deliver our service.

When selecting a suitable vendor for a required service, we take the appropriate steps to ensure that the security and integrity of our platform is maintained. Every sub-service organization is heavily scrutinised, tested and security checked prior to being integrated into Deskpro.

Vendor Compliance

Deskpro monitors the effectiveness of these vendors, and they are reviewed annually to confirm that their security and safeguards continue to be upheld. You can view a list of our current sub-service organizations here.

Sub-processors

In any situation where the use of one of these sub-service organizations could potentially impact the security of Deskpro, we take appropriate steps to mitigate the risk. This includes establishing agreements and ensuring that they comply with relevant certifications or regulations, such as GDPR.

External Validation

Security Compliance Audits

Deskpro is always actively reviewing, monitoring and improving its security set-up, through regular checks and assessments by both our internal security team and third-party assessors.

All results are shared with the management team and discussed in depth at security management reviews. Recent security audits and certifications include ISO27001, PCI, Cyber Essentials Plus, CSA Star, G-Cloud 11 and GDPR Readiness. You can view our list of certificates here.

Penetration Testing

Independent penetration testing by a CREST CHECK certified third party is carried out at least annually. The penetration tests performed are focused on security, infrastructure and product. Results of these tests are shared with, and acted upon by, both the Security and Higher Management teams.

Our annual testing also includes both external and internal network vulnerability scans, with certification for Cyber Essentials Plus. All third-party penetration tests are carried out by consultants certified to CREST standards.

Customer Driven Audits

We appreciate that in certain circumstances an organization may require further audits or penetration testing to be conducted before purchasing Deskpro. We welcome customers to perform their own penetration testing on the Deskpro environment. If you wish to arrange one, please contact support to schedule it and for pricing details.

Responsible Disclosure

If you are a security expert or researcher and you believe you have discovered a security-related issue with Deskpro’s online systems, we appreciate your help in disclosing the issue to us responsibly. We have a Responsible Disclosure program, and we ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it.

Certification / Compliance

  • ISO27001
  • Cyber Essentials
  • Cyber Essentials Plus
  • CSA Star
  • GDPR
  • G-Cloud
  • PCI-DSS
  • EU-US Privacy Shield
  • Swiss-US Privacy Shield
