Certified & Secure – Data Protection at desk.ly

desk.ly meets all requirements of the European GDPR and is data protection compliant as an organization and software. We have tailored our product to the essential legal guidelines such as data protection through technology design with the appropriate default settings (Art. 25 EU GDPR) and support customers in exercising their rights as data subjects (right to erasure, information or data portability; Chapter 3 EU GDPR) and make appropriate adjustments.

Thanks to desk.ly's self-service approach, employees can also view their digital booking overview themselves at any time and anonymize their data, or more precisely their name. 

desk.ly is independently certified according to the ISO 27001 standard. This internationally recognized standard defines the effectiveness of information security management systems, ISMS for short, in organizations.


The certification gives you the certainty that your data is in good hands with desk.ly. It also facilitates compliance with your company's own security requirements. 

desk.ly relies on the services of Amazon Web Services (AWS) in Frankfurt to host the software. The data centers used are ISO/IEC 27001 certified and thus meet our high requirements for the physical security of our customers' data.

All customer data is stored on AWS services that follow a strict decommissioning policy described in their security whitepaper:
“AWS uses the techniques detailed in DoD 5220.22-M (”National Industrial Security Program Operating Manual “) or NIST 800-88 (”Guidelines for Media Sanitization“) to destroy data as part of the decommissioning process.”
For customized data, we will manually remove all identifiable accounting data associated with the account from our database upon request. Derived anonymized data (e.g. “total number of events booked on the platform this month”) will not be removed as it cannot be linked to the source data. User accounts of your company can also be removed upon request. We keep backups for 30 days, after which the data is no longer available.

At desk.ly you have the option of making bookings anonymously. There are two different options.

On the one hand, the admin can set that everyone can decide for themselves whether to book anonymously. On the other hand, the admin can set all employees to book completely anonymously.

We rely on the services of PROLIANCE GmbH for advice on data protection issues and support as a company data protection officer. 

PROLIANCE GmbH
www.datenschutzexperte.de
Leopoldstr. 21
80802 Munich

If you have any questions about data protection at desk.ly, please contact datenschutz@desk.ly.

We maintain automated access and security protocols at multiple locations. All employees are required to use two-factor authentication and strong passwords that are different from those used by other services. Access to customer data is limited and only allowed to a small group of employees required for support and maintenance. Access is also restricted to a small whitelist of IP addresses via VPN and requires public key authentication.

Access for individual employees is on a “need to know” basis and access rights are reviewed on a quarterly basis.

Customer data is encrypted during transmission and “at rest”. All connections to desk.ly services are encrypted and provided via SSL/TLS 1.2+. You cannot access the service without using HTTPS. All certificates are verified on both sides by third-party providers. Data is encrypted every step of the way:

Applications → Amazon Web Services
REST request → desk.ly application layer
desk.ly application layer → SQL session
API response → Applications

At rest, customer data is encrypted with a key management system that automatically logs every access. In addition, passwords are both hashed and salted with one-way encryption, protecting them even in the unlikely event of unauthorized database access. Application credentials are stored separately from the code base. Clients authenticate themselves to desk.ly using a token system.

Each token has a specific range of access that can be revoked individually without affecting other users of the platform. Furthermore, in the event of a security incident, we can immediately invalidate tokens for the entire platform.