Overall:
OWASP proof
ISO27001 certification of our data center
We work in conformance with the ISO27001 policy
Pentested by an external firm
Security measures for end-users (agents, supervisors and administrators):
Login through two-factor authentication (email or SMS)
Password requirements
Strong hashing of passwords
HTTPS encryption on all endpoints
Input validation on all endpoints
Permission whitelist per group
IP whitelisting
Security measures for Omnidesk staff:
Lock computer/terminal after use
VOG declaration (Dutch certificate of good behaviour)
Only EU staff can access the EU production environment (GDPR)
Admins always work through a VPN
VPN login based on certificate
VPN login IP whitelisted
Physical locks for spaces with computers
Named accounts for server access
Centrally managed accounts through LDAP
Activity logs of users on servers
Always use password manager
Only administrator staff have access to application servers
Internal communication between servers goes over a private network
OS always within support terms (preferably LTS)
Auto install of important security updates
Strict firewall whitelisting
A written justification is required whenever software runs as root
Code-review of new code
Servers provisioned through scripts, which are also code-reviewed