Security
Your security is our responsibility. Here is how we protect you and your data.
1. Encryption
All data transmitted between your device and NetDesk is encrypted using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced, so once your browser has seen the policy it will only connect to NetDesk over HTTPS and will refuse to fall back to a plain connection. Data stored in our systems is encrypted at rest using AES-256; Supabase applies this to all stored data, including your account details, session records, and booking information.
Remote support sessions use Zoho Assist's encrypted connection. You must explicitly authorise each session — technicians cannot connect to your device without you first running the Zoho Assist client and accepting the connection request.
2. Access controls
Access to your account is protected by strong password requirements — minimum 12 characters, including uppercase, lowercase, numbers, and special characters. Passwords are hashed by Supabase's authentication service using bcrypt and are never stored or accessible in plain text. NetDesk staff cannot view your password under any circumstances.
Authenticated sessions automatically expire after one hour of inactivity. Cross-site request forgery (CSRF) protection is enforced on all form submissions and authenticated API calls using a double-submit cookie pattern: the token carried in a cookie must match the token submitted with the request, and the two are compared with a timing-safe function so that a mismatch cannot be probed byte by byte.
Internally, NetDesk operates on a least-privilege model. Staff access to production systems is restricted to what is strictly necessary for their role, and all administrative actions are audit-logged.
3. Infrastructure
NetDesk is hosted on Vercel's global edge network and backed by Supabase (PostgreSQL) for data storage. Both providers hold SOC 2 Type II attestations and operate under Standard Contractual Clauses for international data transfers.
Rate limiting is enforced on all public-facing API endpoints via Upstash Redis to protect against brute-force and denial-of-service attempts. Bot detection and suspicious traffic analysis run on every incoming request at the edge.
Security headers are applied to all responses, including Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy (camera, microphone, and geolocation access are explicitly disabled).
4. Incident response
In the event of a security incident that affects your personal data, we will notify you as soon as practicable after becoming aware of the breach, in accordance with the Australian Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme. We will also notify the Office of the Australian Information Commissioner (OAIC) as required.
If you believe you have discovered a security vulnerability in our systems, please report it to us at security@netdesk.au. We will acknowledge your report within 2 business days and keep you informed as we investigate. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it. We will not take legal action against researchers who report in good faith.