Security Policy & Infosec

The purpose of this document is to describe our security standards and practices to ensure your data is safe at rest and in transit.

Server Security

typedesk servers are managed by DigitalOcean, and replicated accross several regions for a lower latency and high redundancy. DigitalOcean’s infrastructure is continually maintained following internationally recognized security controls. The infrastructure is monitored 24/7/365 and undergo third-party audits as well targeted testing annually. For physical security, each of our data center colocation providers maintain industry-recognized certifications and our networks are MANRS certified. Access to our servers is passwordless and each computer holding an SSH-key is disk-encrypted with biometric authentication.

Database & Backups

Your data security and privacy is our first priority. That's why our database is managed by DigitalOcean to ensure high availability and data security. Your data is replicated accross several regions. Backups of customer managed database instances are taken and stored off-site daily. They are encrypted while stored to prevent unauthorized access to customer database data without the required decryption keys. Managed Database customer instances connection occur over TLS/SSL, which provides encryption of traffic in transit between the customer applications and the customer managed databases.


typedesk does not log your keystrokes in the background, and the data that you store in the dynamic fill-ins is never sent to our servers. All personal data is transmitted through secure layer protocols (HTTPS), and hosted on providers offering the highest level of security and certification.


Our web-application and database servers are behind a Firewall with advanced security mechanisms managed by Cloudflare, preventing DDoS attacks, code injection and malicious exploits.

Physical Security

Every data center we use implements controls that ensure physical access to the facilities, backup data, and other system components such as virtual systems and servers is restricted. The following list is an example of controls DigitalOcean and its data centers maintain for server security:

Biometric, proximity card, and/or personal identification number (PIN) reader systems (varies by data center facility) used to restrict data center access to only those individuals provisioned with access; the systems are also used to monitor, log, and notify personnel of physical security alarms.

Maintain monitoring mechanisms over infrastructure to check server performance, data, traffic, and load capacity.

Detect and route issues experienced by hosts in real time and employ orchestration tooling that has the ability to regenerate hosts.

Third parties provide a certificate of destruction upon destruction of physical production assets maintained in the collocated data centers.

Documented logical access policies and procedures to guide personnel in information security practices that include, but are not limited to: password requirements, acceptable use, access provisioning, and access termination

Password management

typedesk's policy regarding password management enforces the use of unique random passwords, protected and encrypted by a password manager. 2-factor authentication is required when available.

Vulnerability testing

Web application security is evaluated by the development team in sync with the application release cycle and industry standards. This vulnerability testing includes the use of commonly known web application security toolkits and scanners to identify application vulnerabilities before they are released into production.

Incident Response Policy

Policy Statement:

This Incident Response Policy outlines the procedures and guidelines to be followed by our organization in the event of a security incident or personal information data breach. The policy aims to ensure a prompt, effective, and organized response, minimizing the impact of incidents and safeguarding our systems, networks, and data.

1. Incident Identification and Reporting:

  1. All employees and contractors must promptly report any suspicious or abnormal activities, potential security incidents, or personal information data breaches to the designated incident response team or the IT department.
  2. Incident reports should include details such as the nature of the incident, date, time, location, systems or data affected, and any other relevant information.

2. Incident Response Team (IRT):

  1. The organization will maintain an incident response team comprising individuals from relevant departments, including IT, legal, human resources, and management.
  2. The IRT will be responsible for coordinating and executing incident response activities, ensuring adherence to this policy, and communicating with stakeholders.

3. Incident Response Process:

  1. The IRT will promptly assess reported incidents to determine their severity, impact, and required actions.
  2. Appropriate containment, eradication, and recovery measures will be implemented to mitigate the incident and prevent further damage.
  3. The IRT will collaborate with internal and external resources, as necessary, to investigate incidents and identify their root causes.
  4. Once the incident is resolved, the IRT will conduct a post-incident review to analyze lessons learned and identify improvements to prevent similar incidents in the future.

4. Communication and Notification:

  1. The IRT will ensure clear and timely communication with relevant stakeholders, including management, affected individuals, legal authorities, regulatory bodies, and, if necessary, media outlets.
  2. The organization will adhere to applicable laws, regulations, and contractual obligations regarding incident notification and disclosure requirements.

5. Training and Awareness:

  1. Regular training and awareness programs will be conducted to educate employees about incident reporting procedures, their roles and responsibilities, and best practices for maintaining information security.
  2. Employees will be encouraged to report any security concerns, potential vulnerabilities, or process improvement suggestions to the IRT.

6. Policy Review:

  1. This incident response policy will be periodically reviewed and updated to align with emerging threats, industry best practices, and regulatory requirements.
  2. Updates will be communicated to all relevant employees, and necessary training will be provided to ensure continued compliance.

By adhering to this incident response policy, our organization aims to maintain a secure environment, effectively respond to incidents, and protect the confidentiality, integrity, and availability of our systems, networks, and personal information data.