Security & Trust
Security isn't a feature we bolt on — it's how AssistDesk is built. Here is the evidence, independent where noted, and the standards we hold ourselves to.
Standards we build to
OWASP ASVS Level 2
We build and test to the OWASP Application Security Verification Standard, Level 2 — a recognized baseline for applications handling sensitive data. (Self-assessed.)
OWASP SAMM
We assess our software-development process against the OWASP Software Assurance Maturity Model and use it to keep maturing our security practices. (Self-assessed.)
How we protect your data
- Encryption everywhere — TLS 1.2+ in transit and encryption at rest.
- Enforced security headers — a strict Content-Security-Policy, HSTS (preload), and clickjacking and MIME-sniffing protections.
- Passwordless authentication — magic links and OAuth 2.0 sign-in; we never store passwords. Sessions use HttpOnly cookies with server-side revocation.
- Tenant isolation & least privilege — each organization's data is isolated, with role-based and domain-scoped administrative access.
- Privacy by default — limited data retention, self-service data export and deletion, Global Privacy Control honored, and no third-party advertising or analytics trackers.
- Continuous assurance — dependency and secret scanning on every change, and ongoing third-party scoring by SecurityScorecard.
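The header and cookie controls listed above can be verified from the outside. As an added example (not AssistDesk's own code), the Python checker below takes the headers of one HTTPS response and reports which of those controls are missing or weak: a CSP whose script-src allows no inline, eval or wildcard sources, an HSTS policy meeting the preload-list requirements (one-year max-age, includeSubDomains, preload), X-Content-Type-Options nosniff, a clickjacking defence via CSP frame-ancestors or X-Frame-Options, and a session cookie flagged HttpOnly. It also checks for Secure and SameSite on the cookie, which goes beyond what the page states. The two header sets are constructed to illustrate a passing and a failing response and were not captured from any deployment.

```python
"""Check one HTTP response's headers against the controls a trust page claims
(added example; all header values below are constructed for illustration)."""
import re
from typing import Dict, List, Optional

# hstspreload.org submission requirements: max-age of at least one year,
# includeSubDomains, and the preload token.
HSTS_MIN_MAX_AGE = 31536000


def parse_directives(value: str) -> Dict[str, List[str]]:
    """Parse a CSP header ("name tok tok; name tok") into {name: [tokens]}."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_csp(value: Optional[str]) -> List[str]:
    if value is None:
        return ["csp: header missing"]
    findings = []
    d = parse_directives(value)
    # script-src falls back to default-src when it is not set explicitly.
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        findings.append("csp: neither script-src nor default-src set")
    else:
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in script:
                findings.append(f"csp: script-src allows {weak}")
    if "object-src" not in d and "default-src" not in d:
        findings.append("csp: object-src unrestricted")
    return findings


def check_hsts(value: Optional[str]) -> List[str]:
    if value is None:
        return ["hsts: header missing"]
    findings = []
    tokens = [t.strip().lower() for t in value.split(";")]
    m = re.search(r"max-age=(\d+)", value, re.I)
    if m is None or int(m.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append("hsts: max-age below one year")
    if "includesubdomains" not in tokens:
        findings.append("hsts: includeSubDomains missing")
    if "preload" not in tokens:
        findings.append("hsts: preload token missing")
    return findings


def check_cookie(set_cookie: Optional[str]) -> List[str]:
    """Check Set-Cookie attributes; the first segment is name=value, the rest are flags."""
    if set_cookie is None:
        return []  # this response sets no cookie; nothing to check
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    findings = []
    if "httponly" not in attrs:
        findings.append("cookie: HttpOnly missing")
    if "secure" not in attrs:
        findings.append("cookie: Secure missing")
    if not any(a.startswith("samesite=") for a in attrs):
        findings.append("cookie: SameSite missing")
    return findings


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return all findings for one response; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = check_csp(h.get("content-security-policy"))
    findings += check_hsts(h.get("strict-transport-security"))
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("mime: X-Content-Type-Options nosniff missing")
    # Either CSP frame-ancestors or X-Frame-Options DENY/SAMEORIGIN blocks framing.
    csp = parse_directives(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("clickjacking: no frame-ancestors or X-Frame-Options")
    findings += check_cookie(h.get("set-cookie"))
    return findings


# Constructed sample responses, not captured from AssistDesk or any other site.
HARDENED = {
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                                "object-src 'none'; frame-ancestors 'none'"),
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": "session=opaque-token; Path=/; Secure; HttpOnly; SameSite=Lax",
}
WEAK = {
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOWALL",
    "Set-Cookie": "session=abc; Path=/",
}

if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, check_headers(hdrs) or ["all checks passed"])
```

For a live check, feed `check_headers` the headers returned by an HTTPS request (for example, the output of `curl -sI`) and run it against every response that sets the session cookie, not only the landing page; a header present on one path and absent on another is a common gap.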
For how we handle personal data and who our sub-processors are, see our Privacy Policy and Sub-processors page.
Reporting a vulnerability
We welcome good-faith security research. If you believe you've found a vulnerability, please email [email protected] with steps to reproduce. We acknowledge reports within 2 business days and prioritize remediation by severity. Please don't run high-volume scans or denial-of-service tests, and don't access data that isn't yours.
Note: "self-assessed" means we evaluate ourselves against these OWASP standards as our internal baseline; they are not third-party certifications. The SecurityScorecard rating is produced independently by SecurityScorecard.