# Security policy

Overall:

* Omnidesk is ISO 27001 certified
* Our datacenter is ISO 27001 certified
* Pentested
* Hardened against the OWASP Top 10 vulnerability classes

Security measures for end-users (agents, supervisors and administrators):

* Login requires two-factor authentication (second factor delivered by email or SMS)
* Enforced password requirements
* Passwords are stored only as strong hashes, never in plaintext
* HTTPS (TLS) encryption on all endpoints
* Input validation on all endpoints
* Permissions are granted per group on a whitelist basis (deny by default)
* IP whitelisting (access restricted to approved source addresses)

Among security measures for Omnidesk staff are:

* Computers and terminals are locked when left unattended
* VOG declaration (Verklaring Omtrent het Gedrag, the Dutch certificate of conduct) required for staff
* Only EU-based staff can access the EU production environment (GDPR)
* Administrators always work through the VPN
* VPN authentication is certificate-based
* VPN access is restricted to whitelisted source IPs
* Physical locks on rooms containing computers
* Named, individual accounts for server access (no shared accounts)
* Accounts are centrally managed through LDAP
* User activity on servers is logged
* Use of a password manager is mandatory
* Only administrator staff have access to application servers
* Server-to-server communication runs over a private network
* Operating systems are always within vendor support (preferably LTS releases)
* Important security updates are installed automatically
* Strict firewall whitelisting (default deny)
* Any software running as root requires a documented justification
* All new code is code-reviewed
* Servers are provisioned through scripts, which are also code-reviewed
