Security policy
The security of our platform is of the utmost importance to us. We created a set of rules for our users and ourselves (the security policy) to make sure our platform is well protected.
Overall:
- OWASP proof
- ISO27001 certification of our data center
- We work in conformance with the ISO27001 policy
- Pentested by an external firm
Security measures for end-users (agents, supervisors and administrators):
- Login through two-factor authentication (email or SMS)
- Password requirements
- Strong hashing of passwords
- HTTPS encryption on all endpoints
- Input validation on all endpoints
- Permission whitelist per group
- IP whitelisting
Security measures for Omnidesk staff:
- Lock computer/terminal after use
- VOG declaration (Dutch certificate of good behaviour)
- Only EU staff can access EU prod environment (GDPR)
- Admin always works through VPN
- VPN login based on certificate
- VPN login IP whitelisted
- Physical locks for spaces with computers
- Named accounts for server access
- Centrally managed accounts through LDAP
- Activity logs of users on servers
- Always use password manager
- Only administrator staff have access to application servers
- Internal communication servers through private network
- OS always within support terms (preferably LTS)
- Auto install of important security updates
- Strict firewall whitelisting
- Explain-requirement when software runs as root
- Code-review of new code
- Servers provisioned through scripts which are also code-reviewed
Last modified 4yr ago