// Trust · Security & compliance

Audited. Attested. Renewed yearly.

The technical and organizational measures NEXDESK uses to protect customer infrastructure and data, plus the audit reports and certifications that back them up.

  • SOC 2 Type II: continuous since 2020
  • ISO/IEC 27001:2022: certified
  • PCI DSS v4.0: Service Provider Level 1
  • HIPAA: BAA available

Reports under NDA

SOC 2 Type II. Latest report covers 2025-04-01 → 2026-03-31. Auditor: Schellman & Co. Email trust@nexdesk.com with your account ID and the NDA you'd like us to sign.

Certifications

ISO 27001 · 27017 · 27018, renewed annually. Certificates and statements of applicability are available on request and are listed in the Schellman registry.

Penetration testing

Twice a year: independent pentest of the control plane and customer-facing surfaces by Bishop Fox. Executive summary available under NDA.

Identity & access management

  • Phishing-resistant MFA (WebAuthn / FIDO2) is mandatory for every NEXDESK employee with production access. SMS and TOTP are not accepted.
  • Customer accounts may enable WebAuthn, TOTP, or hardware-token MFA. WebAuthn is the recommended factor and powers 78% of customer logins as of 2026-Q1.
  • Just-in-time access elevation: production credentials are issued for a maximum of 4 hours, with peer approval and full audit trail.
  • SSO via SAML 2.0 and OIDC for enterprise plans. SCIM 2.0 provisioning supported.
  • Default password policy enforces ≥ 12 characters, breached-password screening, and per-account rate limiting.
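
The three checks in the default password policy, as a registration or login service would apply them. This is an added example and not NEXDESK's code: the page does not say which breach corpus or lookup service is used, so the breached-password screening below uses the k-anonymity range protocol (only the first five hex digits of SHA-1(password) leave the service; the range source returns every suffix under that prefix and the match is made locally) against a constructed breach list, and the rate-limit values are illustrative.

```python
"""Added example (not NEXDESK code): the three checks the default password
policy above names, as a registration/login service would apply them.

  - minimum length of 12 characters
  - breached-password screening via a k-anonymity range lookup: only the first
    5 hex digits of SHA-1(password) leave the service, the range source returns
    every suffix under that prefix, and the match is made locally. The range
    source here is built from a constructed breach list; a real deployment
    would query a range API or a local mirror of one (assumption: the page
    does not say which service NEXDESK uses).
  - per-account rate limiting with a sliding window (limit and window values
    are illustrative).
"""
import hashlib
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Iterable, List

MIN_LENGTH = 12


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_constructed_range_source(breached: Iterable[str]) -> Callable[[str], str]:
    """Return fetch(prefix) -> 'SUFFIX:COUNT' lines, built from a constructed breach list."""
    by_prefix: Dict[str, List[str]] = defaultdict(list)
    for pw in breached:
        digest = sha1_hex(pw)
        by_prefix[digest[:5]].append(f"{digest[5:]}:1")

    def fetch(prefix: str) -> str:
        return "\n".join(by_prefix.get(prefix, []))

    return fetch


def is_breached(password: str, fetch_range: Callable[[str], str]) -> bool:
    """k-anonymity lookup: send the 5-hex-digit prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, _count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return True
    return False


def check_password(password: str, fetch_range: Callable[[str], str]) -> List[str]:
    """Return the policy violations for a candidate password ([] means acceptable)."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if is_breached(password, fetch_range):
        problems.append("breached")
    return problems


class AccountRateLimiter:
    """Allow at most `limit` attempts per account within any `window` seconds.

    Keyed per account rather than per source IP, so a distributed
    password-spraying run against one account is still throttled.
    """

    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, account: str, now: float) -> bool:
        hits = self._hits[account]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop attempts that fell out of the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


if __name__ == "__main__":
    fetch = build_constructed_range_source(["password1234", "letmein123456"])
    print(check_password("password1234", fetch))               # ['breached']
    print(check_password("short", fetch))                      # ['too_short']
    print(check_password("a-long-unique-passphrase-42", fetch))  # []
    limiter = AccountRateLimiter(limit=5, window=60.0)
    print([limiter.allow("alice", float(t)) for t in range(6)])  # five True, then False
```

The SHA-1 here is the lookup key of the range protocol, not a password hash for storage; passwords that pass the checks still go through a slow, salted password hash before being stored.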

Encryption

  • In transit: TLS 1.3 with modern cipher suites only. Plain HTTP is redirected to HTTPS, but that redirect travels in the clear and is not authenticated, so connect to https:// URLs directly rather than relying on it.
  • At rest (managed volumes): AES-256-XTS at the storage layer; keys per-tenant; HSM-backed root.
  • Backups: AES-256-GCM; the data keys are wrapped by a separate key-encryption key (KEK) that is rotated quarterly.
  • Hardware root of trust: TPM 2.0 on every server; Secure Boot enforced on managed images.
  • Confidential computing: Intel TDX available on selected SKUs for tenants requiring memory encryption + remote attestation.

Network security

  • BCP 38 (RFC 2827) egress filtering on every customer port: packets whose source address is outside the prefixes assigned to that port are dropped before they reach transit.
  • RPKI route origin validation (RFC 6811) enforced on inbound and outbound BGP sessions; routes with an Invalid origin state are dropped without exception.
  • 3.5 Tbps DDoS mitigation always-on, no scrubbing fees — see the DDoS page.
  • Per-tenant private network (VLANs / VXLAN) isolates east-west traffic; leakage tested in every release.
  • Out-of-band management on its own physical fabric, IP-allowlisted to NEXDESK admin networks.
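
The decision logic behind the first two controls, BCP 38 egress filtering and RPKI route origin validation, written out as an added example so the claims can be checked against concrete inputs. This is not NEXDESK's filter or router configuration; the prefixes, ASNs and ROAs are constructed from documentation and private ranges.

```python
"""Added example (not NEXDESK code): the decision logic behind the two
routing-plane controls above.

  - BCP 38 (RFC 2827) egress filtering: a packet leaving a customer port is
    forwarded only if its source address lies inside a prefix assigned to
    that port.
  - RPKI route origin validation (RFC 6811): a BGP announcement is Valid if
    some covering ROA authorises its origin AS at that prefix length,
    Invalid if ROAs cover the prefix but none match (an AS0 ROA therefore
    makes every announcement of the prefix Invalid), and NotFound if no ROA
    covers it. Dropping Invalids, as the page states, keeps such
    announcements out of the routing table entirely.

Prefixes, ASNs and ROAs below are documentation/private values constructed
for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List


def bcp38_permits(port_prefixes: Iterable[str], src_ip: str) -> bool:
    """True if src_ip is within a prefix assigned to the port; otherwise the packet is spoofed."""
    src = ip_address(src_ip)
    # `in` returns False across address families, so a v6 source never matches a v4 prefix.
    return any(src in ip_network(prefix) for prefix in port_prefixes)


@dataclass(frozen=True)
class ROA:
    prefix: str       # prefix the ROA covers, e.g. "203.0.113.0/24"
    max_length: int   # longest prefix length the origin may announce
    origin_asn: int   # 0 means "nobody may originate this prefix"


def rov_state(roas: List[ROA], announced_prefix: str, origin_asn: int) -> str:
    """Classify an announcement as 'Valid', 'Invalid' or 'NotFound' per RFC 6811 section 2."""
    ann = ip_network(announced_prefix)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        if roa_net.version != ann.version or not ann.subnet_of(roa_net):
            continue  # this ROA does not cover the announcement
        covered = True
        if roa.origin_asn == origin_asn and ann.prefixlen <= roa.max_length:
            return "Valid"  # one matching ROA is enough
    return "Invalid" if covered else "NotFound"


def rov_accepts(roas: List[ROA], announced_prefix: str, origin_asn: int) -> bool:
    """The policy stated on the page: drop Invalid, accept Valid and NotFound."""
    return rov_state(roas, announced_prefix, origin_asn) != "Invalid"


if __name__ == "__main__":
    port = ["203.0.113.0/24", "2001:db8:1::/48"]
    print(bcp38_permits(port, "203.0.113.7"))    # True
    print(bcp38_permits(port, "198.51.100.9"))   # False: spoofed source
    roas = [ROA("203.0.113.0/24", 24, 64500), ROA("2001:db8::/32", 48, 64500)]
    print(rov_state(roas, "203.0.113.0/24", 64500))   # Valid
    print(rov_state(roas, "203.0.113.0/25", 64500))   # Invalid: longer than maxLength
    print(rov_state(roas, "203.0.113.0/24", 64501))   # Invalid: wrong origin AS
    print(rov_state(roas, "198.51.100.0/24", 64500))  # NotFound: no covering ROA
```

The maxLength check is what makes the /25 above Invalid even though the origin AS is right; this is the case that catches a more-specific hijack that keeps the legitimate origin AS in the path.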

Application & platform security

  • SDLC: peer-reviewed PRs, automated static analysis (Semgrep, CodeQL), dependency scanning (osv-scanner), IaC scanning (Checkov, tflint).
  • Container images are built from minimal distroless bases and signed with cosign. Deployments verify signatures via Kyverno.
  • Production secrets live in HashiCorp Vault with short-lived dynamic credentials; no long-lived static credentials in CI.
  • SBOMs published per release in CycloneDX format.
  • Vulnerability management: critical CVEs patched within 24 h, high within 7 days, medium within 30 days.
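
What a customer can do with the published SBOM and the stated SLAs: join the per-release CycloneDX component list against an advisory feed and derive the deadline by which NEXDESK has committed to patch each affected component. This is an added example and not NEXDESK tooling; the SBOM, the advisory records and the package names are constructed, and the advisory shape is a simplified form of the OSV records that osv-scanner consumes.

```python
"""Added example (not NEXDESK tooling): consuming a per-release CycloneDX SBOM
on the customer side and turning each affected component into the patch
deadline the SLAs above imply (critical 24 h, high 7 d, medium 30 d).

The SBOM, the advisory records and the package names are constructed for
the example. Real advisories would come from a feed such as OSV, whose
records can enumerate affected versions the way ADVISORIES does here; the
join key between SBOM and advisory is the package URL (purl).
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Patch SLAs from the page, keyed by severity. The page states no SLA for "low".
SLA: Dict[str, timedelta] = {
    "critical": timedelta(hours=24),
    "high": timedelta(days=7),
    "medium": timedelta(days=30),
}

# Constructed CycloneDX 1.5 document (a real release SBOM carries far more).
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "control-plane", "version": "2026.4.1"}},
  "components": [
    {"type": "library", "name": "examplelib", "version": "1.4.2",
     "purl": "pkg:pypi/examplelib@1.4.2"},
    {"type": "library", "name": "netparse", "version": "v0.9.0",
     "purl": "pkg:golang/example.com/netparse@v0.9.0"},
    {"type": "library", "name": "tlsutil", "version": "3.1.0",
     "purl": "pkg:pypi/tlsutil@3.1.0"},
    {"type": "library", "name": "vendored-blob", "version": "unknown"}
  ]
}
'''

# Constructed advisories with placeholder ids (not real CVEs).
ADVISORIES: List[dict] = [
    {"id": "EXAMPLE-ADV-1", "severity": "critical", "package": "pkg:pypi/examplelib",
     "affected_versions": ["1.4.0", "1.4.1", "1.4.2"], "fixed": "1.4.3"},
    {"id": "EXAMPLE-ADV-2", "severity": "medium", "package": "pkg:golang/example.com/netparse",
     "affected_versions": ["v0.9.0"], "fixed": "v0.9.1"},
    {"id": "EXAMPLE-ADV-3", "severity": "high", "package": "pkg:pypi/tlsutil",
     "affected_versions": ["2.0.0"], "fixed": "2.0.1"},
]


def split_purl(purl: str) -> Tuple[str, str]:
    """'pkg:type/ns/name@version?qualifiers#subpath' -> (name part, version)."""
    base, _, rest = purl.partition("@")
    version = rest.split("?", 1)[0].split("#", 1)[0]  # strip qualifiers and subpath
    return base, version


def triage(sbom_json: str, advisories: List[dict], now: datetime) -> List[dict]:
    """One finding per (component, advisory) match, earliest due date first."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings: List[dict] = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no purl: cannot be matched reliably; worth surfacing separately
        base, version = split_purl(purl)
        for adv in advisories:
            if adv["package"] == base and version in adv["affected_versions"]:
                sev = adv["severity"].lower()
                findings.append({
                    "component": purl,
                    "advisory": adv["id"],
                    "severity": sev,
                    "fixed": adv["fixed"],
                    "due": now + SLA[sev] if sev in SLA else None,
                })
    findings.sort(key=lambda f: (f["due"] is None, f["due"] or now))
    return findings


if __name__ == "__main__":
    for f in triage(SBOM_JSON, ADVISORIES, datetime.now(timezone.utc)):
        print(f"{f['severity']:<8} {f['component']:<45} {f['advisory']}  "
              f"fix: {f['fixed']}  due: {f['due']:%Y-%m-%dT%H:%MZ}")
```

The exact-version match is what OSV-style enumerated version lists allow; for range-based advisories you would substitute the ecosystem's own version comparison, which is the part scanners get wrong most often. The component without a purl is skipped here on purpose: a match on name alone across ecosystems produces false positives, so such entries are better reported back to the vendor as an SBOM quality gap.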

Physical security

  • All datacenters are Tier III+ (Uptime Institute) with biometric access, mantraps, two-person-rule cage entry, and 24×7 onsite staff.
  • Customer cabinet access requires advance authorization, photo ID, and is escorted unless prior unescorted-access approval is on file.
  • Decommissioned drives are physically destroyed onsite (NIST SP 800-88 Purge / Destroy). Certificates of destruction available.

Personnel

  • Background checks on hire (criminal, employment, education) where local law permits.
  • Annual security and privacy training; phishing simulation each quarter.
  • Acceptable-use, confidentiality, and code-of-conduct policies acknowledged at hire and annually.
  • Access removed within 4 hours of role change or termination; verified via automated reconciliation against the HRIS.

Incident response

  • 24×7 on-call rotation with 5-minute pager SLA, < 15 minute first-engineer-on-bridge target.
  • Severity-based runbooks; severity 1 incidents trigger a CEO-paged bridge.
  • Customer notification within 48 hours of confirmed Personal Data Breach (faster where law requires) — see DPA.
  • Public retrospectives within 5 business days for any customer-impacting incident — see RFO archive.

Vendor & sub-processor management

  • All sub-processors undergo security review and execute a DPA before onboarding.
  • Annual reassessment of high-risk sub-processors against ISO 27001 / SOC 2.
  • Current sub-processor list: DPA §6.
  • 30-day advance notice of additions or replacements via processors@nexdesk.com.

Coordinated vulnerability disclosure

If you find a vulnerability in NEXDESK infrastructure, please report it. We commit to acknowledge within 24 h, triage within 72 h, and not take legal action against good-faith research that follows our policy.

  • Email: security@nexdesk.com (PGP key fingerprint published in nexdesk.com/.well-known/security.txt)
  • Scope and reward tiers: nexdesk.com/security/vdp
  • Hall of fame: nexdesk.com/security/thanks
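
Before sending a report it is worth checking that the security.txt the page points to is well-formed and current, since an expired or malformed file is the usual reason reports go to the wrong place. The checker below is an added example and not NEXDESK code: the file body is constructed for the example (the contact address and VDP URL are taken from this page; the fingerprint is a placeholder, not NEXDESK's real key), and the rules it enforces are those of RFC 9116.

```python
"""Added example (not NEXDESK code): a checker for a security.txt file
(RFC 9116), the kind of check to run against
nexdesk.com/.well-known/security.txt before sending a report. The file body
below is constructed for the example: the contact address and VDP URL come
from this page, the fingerprint is a placeholder and NOT NEXDESK's real key.

What RFC 9116 requires and this checker enforces:
  - Contact is mandatory and each value is a URI (mailto:, https:, tel:)
  - Expires is mandatory, appears exactly once, is an RFC 3339 timestamp with
    a time zone, and is not in the past (the RFC recommends less than a year
    ahead)
  - Encryption values of the form openpgp4fpr:<fingerprint> carry a
    40-hex-digit OpenPGP v4 fingerprint
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

CONSTRUCTED_SECURITY_TXT = """\
# Constructed example, not the live file
Contact: mailto:security@nexdesk.com
Contact: https://nexdesk.com/security/vdp
Expires: 2026-12-31T23:59:00.000Z
Encryption: openpgp4fpr:0123456789ABCDEF0123456789ABCDEF01234567
Policy: https://nexdesk.com/security/vdp
Preferred-Languages: en
Canonical: https://nexdesk.com/.well-known/security.txt
"""

URI_RE = re.compile(r"^(mailto|https|tel):", re.IGNORECASE)
FPR_RE = re.compile(r"^openpgp4fpr:([0-9A-Fa-f]{40})$", re.IGNORECASE)


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Field names are case-insensitive; '#' starts a comment; blank lines are ignored."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_expires(value: str) -> datetime:
    """RFC 3339 timestamp; a trailing 'Z' is normalised so older Pythons parse it too."""
    if value and value[-1] in "zZ":
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def validate_security_txt(text: str, now: datetime) -> List[str]:
    """Return a list of problems; an empty list means the file is usable."""
    fields = parse_security_txt(text)
    problems: List[str] = []

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact")
    problems.extend(f"Contact is not a URI: {c}" for c in contacts if not URI_RE.match(c))

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = parse_expires(expires[0])
        except ValueError:
            problems.append("Expires is not an RFC 3339 timestamp")
        else:
            if exp.tzinfo is None:
                problems.append("Expires lacks a time zone")
            elif exp <= now:
                problems.append("file has expired")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year ahead")

    for enc in fields.get("encryption", []):
        if enc.lower().startswith("openpgp4fpr:") and not FPR_RE.match(enc):
            problems.append(f"malformed OpenPGP fingerprint: {enc}")
    return problems


def openpgp_fingerprints(text: str) -> List[str]:
    """The fingerprints to pin when encrypting a report."""
    out: List[str] = []
    for enc in parse_security_txt(text).get("encryption", []):
        m = FPR_RE.match(enc)
        if m:
            out.append(m.group(1).upper())
    return out


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(validate_security_txt(CONSTRUCTED_SECURITY_TXT, now))
    print(openpgp_fingerprints(CONSTRUCTED_SECURITY_TXT))
```

Fetch the live file over HTTPS only and compare the fingerprint it carries with the one on the key you actually encrypt to; a security.txt served over plain HTTP or without a matching Canonical entry should not be trusted for key material.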

Compliance crosswalk

Framework | Status | Evidence
SOC 2 Type II (Trust Services Criteria) | Continuous | Auditor report, available under NDA
ISO/IEC 27001:2022 | Certified | Certificate + Statement of Applicability
ISO/IEC 27017 | Certified | Cloud-services controls
ISO/IEC 27018 | Certified | PII in public clouds
PCI DSS v4.0 | Service Provider Level 1 | AoC, available under NDA
HIPAA / HITECH | BAA available | Eligible regions: DAL, ASH, FRA, SGP
GDPR / UK GDPR | Compliant | DPA + SCCs + UK IDTA
CCPA / CPRA | Compliant | Service-provider terms
FedRAMP | In progress (Moderate) | Authorization expected 2027-Q1
CSA STAR Level 2 | Submitted | CAIQ on request

Need something else? Send the questionnaire to trust@nexdesk.com and we'll usually return it within 5 business days.