Security is a feature, not an afterthought.
Accounting firms handle the most sensitive information their clients have. DigitalDesk is built from the ground up to protect it — with the transparency you need to verify our claims.
Last updated: April 1, 2026
Six pillars of our security posture
Each pillar is documented, monitored, and reviewed. No marketing-speak — just the controls.
Encryption everywhere
TLS 1.3 for every byte in transit. AES-256-GCM at rest with per-tenant envelope keys rotated on a 90-day cycle.
Hardened authentication
Argon2id password hashing, short-lived JWT sessions, optional TOTP/WebAuthn MFA, and IP-aware session logging.
Role-aware access
Least-privilege access controls across administrations, document queues, and admin tools. Every permission check is audited.
Full audit trail
Every action — upload, extraction, override, export — is recorded with actor, timestamp, and IP. Exports available to admins on demand.
EU-first infrastructure
Hosted on ISO 27001-certified EU data centres. Customer data does not leave the EEA by default.
Responsible disclosure
We welcome security research. Coordinated disclosure via security@digitaldesk.app with a 90-day patch window before public write-up.
Operational practices
What happens behind the scenes — day in, day out.
Vulnerability management
Automated dependency scanning on every commit, weekly container rebuilds, and monthly penetration testing against staging.
Access review
Internal access to production is reviewed quarterly. All operator access is time-bound, just-in-time, and logged.
Backups and recovery
Encrypted, point-in-time backups with a 30-day retention and documented recovery runbooks tested semi-annually.
Secure SDLC
Mandatory code review, branch protection, signed commits, and required passing CI (lint, tests, type-check) before merge.
Incident response
On-call rotation with a 15-minute acknowledgement SLA for high-severity incidents. Customer notification within 72 hours for confirmed data-affecting events.
Compliance roadmap
Aligned with GDPR today. ISO 27001 audit scheduled Q3 2026. SOC 2 Type II in scope for 2027.
Found a vulnerability?
We treat researchers as partners. Coordinated disclosure with a 90-day patch window — and credit in our security acknowledgements.
security@digitaldesk.app