Security Policy
Published on: 21st March 2024
Your security is very important to us! Here is a summary of what we do every day to guarantee that your data is safe with Seldesk and that we apply the best security practices on our hosted version, the Seldesk Cloud.
Secure by design:
Every change and new feature is governed by a change management policy to ensure all application changes are authorised before implementation into production. Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as well as screening of code changes for potential security issues with our code analyser tools, vulnerability scanners, and manual review processes.
Our robust security framework based on OWASP standards, implemented in the application layer (layered architecture), provides functionalities to mitigate threats such as SQL injection, Cross site scripting and application layer DOS attacks.
Physical Security
SELDESK Cloud servers are hosted in trusted Data centers in various regions of the world, and they must all exceed our physical security criterions: Restricted parameter will be physically accessed by authorized data Center employees only.
System Security
All our SELDESK Cloud servers are running hardened Linux/windows distributions with up-to-date security patches. We have few trusted SELDESK engineers who shall have clearance to remotely manage the servers - and access is only possible using SSH key pairs (password authentication disallowed). Installations are ad-hoc and minimal to limit the number of services that could contain vulnerabilities (no PHP/MySQL stack for example).
Software Security
The SELDESK framework prevents RPC access to private methods which makes it harder to introduce exploitable vulnerabilities. The software is designed in a way that prevents introducing the most common security vulnerabilities. SQL injections are prevented by the usage of higher-level API that does not require manual SQL queries.
Database Security
Your data is stored in a dedicated database. Access control rules implement complete isolation between Your databases running on the same cluster and hence no access is possible from one database to another. We hold the data in your account as long as you choose to use SELDESK Services. Once you terminate your SELDESK user account, your data will eventually get deleted from active database during the next clean-up that occurs once in 6 months. The data deleted from the active database will be deleted from backups after 3 months.
Network Defence
SELDESK Cloud have very large network capacities, and firewalls. Intrusion prevention systems on SELDESK Cloud servers help detect and block threats such as brute-force password attacks. The infrastructure of the Servers have been strictly designed to withstand their infrastructure to withstand the largest Distributed Denial of Service (DDoS) attacks. Their automatic and manual mitigation systems can detect and divert attack traffic at the edge of their multi-continental networks, before it gets the chance to disrupt service availability.
Credit Card Safety
Your credit card information is transmitted securely between you and our PCI-Compliant payment acquirers directly. We never store credit card information. All the auto Renewals if approved by you will be done through a third-party PCI-Compliant payment acquirer.
Data Center
The Data Center where your data is stored is selected automatically based on the Country chosen by you while signing up for SELDESK services. The information regarding the Data Center and location data stored has been selected is displayed below the sign-up form.
Password Security
Your Login passwords That you use to access SELDESK services are stored in a non-reversible encryption. We specifically use bcrypt hashing algorithm and also PBKDF2+SHA512 encryption with per-user-salt. Even if our login database Were stolen stolen, it would be prohibitively expensive to reverse engineer the passwords. SELDESK staff does not have access to your password, and cannot retrieve it for you, the only option if you lose it is to reset it. Login credentials are always transmitted securely over HTTPS.
Dedicated Incident Response
For incidents, we will notify users through our regular events update blogs, forums, and social media. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using their primary email address). The Complete report will be provided to you on request within 5 to 7 working days.
Backups / Disaster Recovery
We have implemented auto backup and will keep 24 full backups of each SELDESK database for up to 4 months. Backups are replicated in 2 different Data centers. We actively monitor our daily backups, and they are replicated in multiples locations on different continents. We have automated provisions to deploy our services in a new hosting location. Restoring the data base on previous day backups can then be performed in few hours (for the largest clusters), with priority on the paid subscriptions. We routinely use both the daily backups and provisioning scripts for daily operations, therefore both parts of the disaster recovery procedure are tested all the time.
Hardware failover:
We have local hot standby replication server implement with monitoring and a manual failover procedure that takes less than 90 minutes. Disaster recovery: In case of complete disaster with a data Center entirely down for an extended period, preventing the failover to our local hot standby, we have the following objectives:
(i) You may lose maximum 18 hours of work if the data cannot be recovered and we need to restore your latest daily backup. (ii) You may lose maximum 12h for paid subscriptions, 90h for free trials, education offer, preemium users, etc.
You need to contact our Helpdesk to download a manual backup of your live data at any time using the control panel. You can contact our Helpdesk to restore any of those backups on your live database (or on the side).
Staff Access To account
Our service and support special staff access improves efficiency and security and they can immediately resolve the problem. Our Helpdesk staff strives to respect your privacy as much as possible, and only access files and settings are needed to diagnose and resolve your issue. Our helpdesk staff may sign into your account to access settings related to your support issue. For this they use their own special staff credentials, not your password (which they have no way to know).
Communications
SELDESK cloud servers are kept under a strict security watch, and are always patched against the latest SSL vulnerabilities. All web connections to client instances are protected with state of the art 256-bit SSL encryption with robust 2048-bit modules and full SHA-2 certificate chains.
Independent Security Audits
SELDESK is regularly being audited by our Security Team and Appropriate corrective measures are taken whenever it is necessary.
Share my Data for the purpose of Law Enforcement
When we receive requests from law enforcement authorities, we review such requests to see if the applicable legal process is followed to obtain a valid and binding order. We object to overboard or otherwise inappropriate requests. Unless prohibited by law, we will notify you before disclosing your data so that you can seek protection From such disclosure. Please note thatYour privacy is of paramount importance to us.