Security policy

The security of our platform is of the utmost importance to us. We created a set of rules for our users and ourselves (the security policy) to make sure our platform is well protected.

Overall:

  • OWASP proof

  • ISO27001 certification of our data center

  • We work in conformance with the ISO27001 policy

  • Pentested by an external firm

Security measures for end-users (agents, supervisors and administrators):

  • Login through two-factor authentication (email or SMS)

  • Password requirements

  • Strong hashing of passwords

  • HTTPS encryption on all endpoints

  • Input validation on all endpoints

  • Permission whitelist per group

  • IP whitelisting

Security measures for Omnidesk staff:

  • Lock computer/terminal after use

  • VOG declaration (Dutch certificate of good behaviour)

  • Only EU staff can access EU prod environment (GDPR)

  • Admin always works through VPN

  • VPN login based on certificate

  • VPN login IP whitelisted

  • Physical locks for spaces with computers

  • Named accounts for server access

  • Centrally managed accounts through LDAP

  • Activity logs of users on servers

  • Always use password manager

  • Only administrator staff have access to application servers

  • Internal communication servers through private network

  • OS always within support terms (preferably LTS)

  • Auto install of important security updates

  • Strict firewall whitelisting

  • Explanation required when software runs as root

  • Code-review of new code

  • Servers provisioned through scripts which are also code-reviewed
