Security at nabudesk

This page describes the security controls and operating practices nabudesk uses to protect customer workspaces. It is our public trust overview and is separate from the in-app account security settings available after you sign in.

1. Security overview

nabudesk is built as a multi-tenant customer support platform with defense-in-depth controls across identity, application, infrastructure, and operations. We design for confidentiality, integrity, and availability of workspace data while giving customers administrative controls over their agents and configurations.

This page is informational and does not create warranties beyond those in our Terms of Service or a separately executed enterprise agreement.

2. Identity and access control

Access to customer workspaces requires authenticated sessions. We support strong authentication options including password policies, multi-factor authentication, recovery codes, and passkeys where enabled.

Role-based permissions and group scoping help limit what agents and administrators can view or change. Session management allows users to review and revoke active sessions from account security settings after sign-in.

  • Authenticated routes protected by session validation and CSRF protections on state-changing requests.
  • Least-privilege administrative roles for workspace and platform operations.
  • Security notifications for sensitive account events such as new sign-ins where configured.

3. Application security

We apply secure development practices including code review, dependency awareness, and environment separation for development and production systems.

Browser security headers, input validation, and authorization checks are used to reduce common web application risks. Public marketing and legal pages are intentionally accessible without authentication; product data routes are not.

4. Data protection

Customer data is protected with encryption in transit using TLS for supported connections. Access to production systems and operational tools is restricted to authorized personnel with a business need.

Backups and operational logs are handled according to retention and access policies designed to support recovery and investigation while limiting unnecessary exposure.

5. Infrastructure and hosting

nabudesk runs on reputable cloud infrastructure providers. We rely on provider controls for physical security, network isolation primitives, and platform availability, complemented by our own application-layer protections and monitoring.

Secrets and credentials are managed through environment configuration and operational controls rather than being embedded in client-facing code.

6. Monitoring and logging

We maintain application and security-relevant logging to support troubleshooting, abuse detection, and incident investigation. Audit-oriented records help customers and operators understand significant account and workspace activity.

7. Incident response

We maintain an incident response process for detecting, triaging, containing, and remediating security events. Where a personal data breach affecting customers is confirmed and notification is legally required, we will notify affected customers without undue delay and provide information reasonably available at the time.

8. Vendor and subprocessors

We use carefully selected subprocessors for hosting, email delivery, authentication support, observability, and billing. Vendors are reviewed for security and confidentiality obligations appropriate to the services they provide.

9. Shared responsibility

Security is shared. Customers control their agent roster, permissions, ticket content, retention choices, and outbound communications. Customers should:

  • Enable MFA for administrators and high-privilege users.
  • Review seats, groups, and permissions regularly.
  • Use strong unique passwords or passkeys and keep recovery methods current.
  • Avoid placing unnecessary sensitive secrets in ticket threads when safer channels exist.
  • Configure email and notification settings consistent with their compliance needs.

10. Compliance posture

Our Privacy Policy, Terms of Service, and Cookie Notice describe how we process data and the contractual boundaries of the service. Enterprise customers may request additional security review materials under NDA where available.

Customers remain responsible for determining whether nabudesk is suitable for their industry-specific regulatory obligations.

11. Vulnerability reporting

If you believe you have found a security vulnerability in nabudesk, contact [email protected] with enough detail for us to reproduce and assess the issue. Please avoid accessing or modifying data that is not yours and give us a reasonable opportunity to investigate before public disclosure.

12. Contact

For security questionnaires, incident notices, or trust reviews, contact [email protected]. For account-level MFA, passkeys, and session management after sign-in, use Account Security inside the product.