Security Controls

DeviceDesk implements comprehensive security controls to protect your data and ensure compliance with marketplace requirements.

Encryption at Rest

All data stored in our systems is encrypted using AES-256 encryption. This includes order data, inventory information, customer details, and all other sensitive information. Encryption keys are managed separately from the data they protect.

TLS in Transit

All data transmission between your systems and DeviceDesk uses TLS 1.2 or higher. This ensures that data in transit is protected from interception and tampering. We maintain strong cipher suites and regularly update our TLS configuration.

Secrets Management

API keys, OAuth tokens, and other sensitive credentials are stored in a secure secrets management system. Credentials are never stored in plain text and are encrypted with separate keys. Access to secrets is logged and audited.

Backup & Retention Policy

Regular automated backups are performed to ensure data availability and recovery. Backups are encrypted and stored in geographically distributed locations. We maintain a comprehensive retention policy that aligns with marketplace requirements and business needs.

Logging & Monitoring

Comprehensive logging and monitoring systems track all system activities, access attempts, and data modifications. Real-time alerts notify our security team of any suspicious activities. Logs are retained according to our retention policy.

Incident Response

We maintain a documented incident response plan to quickly address any security issues. Our team is trained to identify, contain, and remediate security incidents. We provide timely notifications to affected customers in the event of a security incident.

Vulnerability Management

Regular security assessments and vulnerability scans are performed on our infrastructure and applications. We maintain a patch management process to quickly address identified vulnerabilities. Third-party security audits are conducted regularly.

Credential Policies

Strong password policies are enforced for all user accounts. Multi-factor authentication (MFA) is available and recommended for all users. API credentials are rotated regularly, and we support OAuth 2.0 for secure marketplace connections.

Data Retention & Deletion Policy

The following table outlines our data retention and deletion policies for different data types:

| Data Type | Retention Period | Deletion Policy |
|---|---|---|
| Order Data | 7 years from order date | Automated deletion after retention period. Export available before deletion. |
| Inventory Data | Active while account is active | Deleted within 30 days of account closure. Export available. |
| Shipping Labels & Tracking | 5 years from shipment date | Automated deletion after retention period. Required records maintained per carrier requirements. |
| Customer PII | As required by marketplace agreements | Deleted upon request or per marketplace requirements. Minimum 1 year retention for compliance. |
| API Credentials & Tokens | Active while connection is active | Immediately revoked and deleted upon disconnection or account closure. |
| Audit Logs | 3 years from log date | Automated deletion after retention period. Critical security logs retained longer. |
| Backup Data | 90 days from backup date | Automated deletion after retention period. Encrypted backups stored separately. |

Note: Data deletion requests can be submitted through our support team. We comply with all applicable data protection regulations including GDPR and CCPA requirements.

Multi-Tenant Data Isolation

DeviceDesk uses a multi-tenant architecture with complete data isolation:

  • Each client has a separate database instance
  • No data sharing between clients
  • Role-based access controls prevent unauthorized access
  • All queries are scoped to the authenticated client's data
  • Regular audits ensure isolation integrity

Compliance Certifications

DeviceDesk is designed to meet the security and compliance requirements of major marketplaces:

  • Amazon SP-API security requirements
  • PCI DSS compliance for payment data handling
  • GDPR compliance for EU data protection
  • CCPA compliance for California privacy requirements
  • Regular third-party security assessments

Have security questions?

Contact our security team for detailed information about our security practices.
