Security at Deske.

Encryption isn’t a feature — it’s a floor. The rest of this page is what’s between the floor and a security program we’re proud to compare to anyone’s.

What we do today

The baseline, in plain language. Everything below is in production today.

• Encryption in transit (TLS) for all traffic between users, the Deske app, and our infrastructure.
• Encryption at rest for stored data using industry-standard AES-256 via our database provider.
• Passwordless email-code authentication — no passwords stored, codes expire after a short window.
• Per-tenant isolation so one business’s data is never visible to another. Membership-scoped queries on every read.
• Audit logging for admin-level changes (team invites, role changes, billing edits).
• Daily backups with point-in-time recovery; backups are encrypted at rest.

What we’re working toward

Real work-in-progress items, not certifications we already hold.

• Formal incident response and breach notification procedures.
• Third-party penetration test engagement before public launch.
• SOC 2 Type I report — targeting the back half of the year once the pen-test loop closes.

We do not currently hold SOC 2, sign BAAs, or claim HIPAA compliance. We will say so on the day we do.

Subprocessors

The third-party services we use to run Deske cover hosting, voice provisioning, SMS, email, payments, and observability. Each one is bound by a data-processing agreement, scoped to the narrowest data it needs. A current subprocessors list is available on request — email security@deske.ai.

Reporting a security issue

If you’ve found a vulnerability, please email security@deske.ai. We’ll respond within two business days. We don’t run a public bounty program yet — when we do, we’ll publish a scope and a payout grid. Until then, we’ll thank you in the release notes and, if you’d like, coordinate disclosure on your timeline.