Security

Your data is safe with us

OrdoDesk is built on self-managed infrastructure with encryption, role-based access controls, and a clear commitment to data privacy.

HTTPS/TLS
Encrypted in transit
DPDPA Aligned
India data protection
Self-Hosted
No third-party cloud
Role-Based Access
Least privilege model
72hr Breach Notice
Incident response

Security across every layer

Data Encryption

  • All data transmitted over HTTPS/TLS 1.2+
  • Encryption at rest for sensitive data fields
  • Secure cookie handling with HttpOnly and SameSite flags
  • Password hashing using bcrypt with per-user salt
  • API tokens scoped and time-limited

Self-Hosted Infrastructure

  • All data stored on Mikestudio-managed servers
  • No primary reliance on third-party cloud providers (AWS, GCP, Azure)
  • Server access restricted to authorised Mikestudio personnel only
  • Regular OS and dependency patching
  • Automated daily encrypted backups with offsite redundancy

Access Control

  • Role-based access: Admin, Manager, Employee
  • Users can only access data within their organisational scope
  • Session expiry and forced re-authentication
  • Admin-controlled user provisioning and deprovisioning
  • Audit logs record all sensitive actions

Application Security

  • Input validation and output encoding throughout
  • Protection against SQL injection, XSS, and CSRF
  • Rate limiting on authentication and API endpoints
  • Dependency vulnerability scanning in CI/CD pipeline
  • Regular internal security reviews

Compliance & Privacy

  • Aligned with India's Digital Personal Data Protection Act (DPDPA) 2023
  • GDPR-aware design for international customers
  • Clear data retention and deletion policies
  • No sale or sharing of user data with third parties
  • Privacy Policy and Terms of Use publicly available

Incident Response

  • Defined incident response process with escalation paths
  • Affected organisations notified within 72 hours of a data breach
  • Root cause analysis and post-incident documentation
  • Coordinated vulnerability disclosure accepted at ordodeskadmin@gmail.com
  • System status publicly visible at ordodesk.com/status

Sub-processors

OrdoDesk shares limited data with the following third-party providers to deliver specific features. Each provider is contractually bound to handle data appropriately.

A
Agora
Purpose: Online meeting video infrastructure
Data shared: Participant identifiers, session metadata
B
Brevo
Purpose: Transactional email delivery
Data shared: User email addresses, notification content

Security questions

Where is my data stored?

All OrdoDesk data is stored on Mikestudio-managed servers. We do not use third-party cloud providers (AWS, GCP, Azure) for primary data storage.

Who can access my organisation's data?

Only authenticated users with appropriate roles within your organisation can access your data. Mikestudio personnel do not access organisational content except in limited technical support or security contexts, with appropriate authorisation.

What happens to my data when I cancel?

Your data is retained for 30 days after cancellation, during which you can request an export. After this grace period, all data is permanently and irreversibly deleted from our systems.

Do you offer a Data Processing Agreement (DPA)?

Yes. Enterprise customers can request a DPA at ordodeskadmin@gmail.com. We are committed to acting as a compliant data processor under applicable law.

How do I report a security vulnerability?

Please send a detailed report to ordodeskadmin@gmail.com with "Security Disclosure" in the subject line. We aim to acknowledge all reports within 48 hours and resolve confirmed vulnerabilities within 30 days.

Have a security concern?

Contact our team directly — we take every report seriously.

ordodeskadmin@gmail.com