ScaleDesk360 is built with security-first architecture. We maintain the certifications, practices, and transparency your compliance team demands.
Verified by independent auditors. Documentation available upon request.
Independently audited controls for security, availability, and confidentiality. Report available under NDA.
Full compliance with the EU General Data Protection Regulation, including a Data Processing Agreement (DPA), data subject rights, and breach notification.
BAA available for healthcare organizations. Administrative, physical, and technical safeguards in place.
Information Security Management System aligned with ISO 27001 framework standards.
Defense in depth — every layer of our stack is hardened.
AES-256 encryption for stored data. TLS 1.3 for all data in transit. Zero plaintext storage of sensitive fields.
HSM-backed key management with automatic rotation. Customer-managed keys (BYOK) available on Enterprise.
Logical tenant isolation at the database level. Optional dedicated infrastructure for Enterprise customers.
Principle of least privilege enforced. MFA required for all internal access. Just-in-time privilege escalation.
Continuous SAST/DAST scanning. Third-party penetration tests conducted quarterly. Bug bounty program active.
24-hour incident response SLA. Runbook-driven procedures. Post-incident reviews shared with affected customers.
Hosted on SOC 2 certified cloud providers. Multi-region availability with automated failover and 99.99% uptime.
Background checks for all employees. Annual security awareness training. Endpoint detection and response on all devices.
Data is stored in SOC 2 certified data centers. Enterprise customers can select US, EU, or APAC regions for data residency compliance.
Active account data is retained for the duration of the contract. Upon termination, data is purged within 30 days. Backups are purged within 90 days.
Yes. Full data export is available at any time via the admin dashboard or API in standard formats (JSON, CSV). We never hold your data hostage.
Never for marketing. Sub-processors are vetted, contractually bound, and listed in our DPA. We notify customers of any sub-processor changes 30 days in advance.
Email [email protected]. We operate a responsible disclosure program and aim to acknowledge reports within 24 hours.
Submit your details below to receive our SOC 2 Type II report, Data Processing Agreement (DPA), or security questionnaire responses. We respond within 1 business day.