Security

Security is foundational to Central Desk — your conversations contain some of the most sensitive customer data your business has. Here's exactly how we protect it.

Infrastructure

• Hosted on enterprise-grade cloud (AWS Singapore + Mumbai regions)
• Geographic redundancy — failover within 60 seconds in case of region outage
• Cloudflare in front of all traffic — DDoS mitigation up to 100 Gbps
• Private VPC, no public database access
• Web Application Firewall (WAF) blocks SQL injection, XSS, path traversal attempts

Encryption

• In transit: HTTPS/TLS 1.3 enforced everywhere. HSTS preload list registered.
• At rest: AES-256 disk encryption on all storage
• Channel credentials: Individually encrypted with workspace-specific keys
• Passwords: bcrypt hashing (12 rounds) — never stored or transmitted in plain text
• Backups: Encrypted with separate keys from production

Access control

• Role-based permissions inside each workspace (Owner / Admin / Agent / Viewer)
• Strict workspace data isolation — queries always scoped to workspace_id
• Two-factor authentication available (TOTP — Google Authenticator, Authy)
• SSO / SAML 2.0 on Enterprise plans
• Audit logs of every admin action (90-day retention, 12 months on Enterprise)
• Central Desk staff cannot read your conversations without your explicit permission

Application security

• CSRF tokens on every state-changing request
• SQL injection protection (parameterized queries everywhere)
• XSS protection (output escaping by default, CSP headers)
• Rate limiting on auth endpoints + API
• Session expiry after 7 days of inactivity
• Password complexity rules enforced
• Failed-login lockout after 5 attempts

Backups & disaster recovery

• Daily encrypted backups, retained 30 days
• Continuous WAL streaming to standby region (15-minute RPO)
• Quarterly disaster recovery drills
• RTO target: 4 hours for full region failover

Personnel security

• Background checks on all team members
• Confidentiality agreements signed by every employee + contractor
• Mandatory annual security training
• Principle of least privilege — staff access is logged and time-limited
• Immediate access revocation on offboarding

Compliance & certifications

• SOC 2 Type II: Audit underway, target completion Q3 2026
• ISO 27001: Planned 2027
• NBR compliance: Mushak 6.3 invoicing built-in
• Meta Business Solution Provider (BSP): Approved partner
• Data residency: Bangladesh option available for Enterprise

Responsible disclosure

Found a security vulnerability? Please report it responsibly — we appreciate every report and respond within 24 hours.

• Email: security@centraldesk.io
• PGP key: Available on our security.txt at /.well-known/security.txt
• Bug bounty: Rewards from ৳5,000 to ৳200,000 depending on severity. Hall of Fame at /security/hall-of-fame.

Sub-processors

We maintain a public list of all sub-processors at /security/sub-processors. Notable ones include AWS, Cloudflare, OpenAI, Anthropic, SSLCommerz, and Meta (for WhatsApp Cloud API).