Deepdesk Security and Compliance
Below is a high-level description of our security, compliance, and privacy standards.
To monitor the real-time status of our cloud infrastructure, endpoints, corporate procedures, enterprise risk, and employee accounts, visit https://trust.deepdesk.com/.
We use Google Cloud to support the deployment and management of our technology. You can read more about Google Cloud's security principles here: https://cloud.google.com/security/transparency. We also perform yearly penetration tests with trusted partners. The last pentest was performed in June 2022 by Fox-IT, a global cybersecurity expert and part of NCC Group.
Deepdesk is currently fully GDPR compliant and ISO 27001 compliant. By default, we do not employ or share any algorithmic data with other AI services. No data is ever shared between tenants, and we do not use data without permission for generic models.
To meet compliance and privacy needs, we offer an extensive PII filter to anonymize customer data, with recognition rates in line with leading industry standards. We employ state-of-the-art transformer-based NER (entity recognition) models such as Flair, as well as rule-based filtering. Our infrastructure also falls within Google Cloud's privacy principles, which you can read about here: https://cloud.google.com/privacy/common-privacy-principles.
Cloud and Dedicated Environments
Deepdesk uses Google Cloud in Europe for hosting and serving our services and for data storage. We do not employ or share any algorithmic data with other AI services. No data is shared between tenants, and we do not use data without permission for generic models. By default, we serve from the Google Cloud platform in Europe. As such, Deepdesk inherits the control environment that Google Cloud maintains and demonstrates via its ISO 27001 certification by EY.
Our architecture enables ML models per brand, per channel, or per organization. This means our tenants can configure Deepdesk on a global scale, with deployments per country, language, brand, or channel (such as chat, messaging, or voice), and manage this in one place with our Studio.
For large enterprise customers who need an extra level of security and data isolation to meet their specific compliance and regulatory needs, we offer a dedicated environment. This environment and its resources are completely dedicated and customized to your implementation needs. Each instance contains its own load balancers, public IP addresses, databases, VPC networks, VPN server, and Kubernetes cluster.
Data and storage
As previously mentioned, we serve from the Google Cloud platform in Europe. We provide a multi-tenant, cloud-based SaaS solution whose architecture provides isolated tenant environments, with strict data and network segregation per tenant.
Full data access controls
We encrypt all data at rest and in transit. For an additional layer of security, we can employ CMEK (Customer Managed Encryption Keys) on request. This ensures that you have full cryptographic control over who can access your data.
Using data and resource location policies, we can ensure that the creation of resources is limited to a region you define, and that your data never leaves the specified region. The default region in the Netherlands is ‘europe-west4’ (Eemshaven, Groningen), but any region supported by Google Cloud can be used.
Role and Access Model
We work with the roles and rights infrastructure of Google Workspace for logical access control, access control to data, data entry control, appropriation control, retention, and deletion of data. We use the integral functionality of the Enterprise Security Command Center, including threat and intrusion detection and logging.
The integrated Security Command Center allows for continuous compliance monitoring, access control monitoring, audit logs, and real-time notifications and remediation across the Deepdesk platform. Compliance monitoring enables real-time reporting to help ensure all our resources are meeting their compliance requirements, with PCI-DSS compliance monitoring, CIS compliance monitoring, and Security Health Analytics according to ISO 27001.
Logging and auditing
All cloud components have mandatory audit logging enabled. This is enforced at the organization level and cannot be turned off. Audit logs cannot be deleted or changed. We use Security Command Center to alert us to any sensitive permission changes or security issues. All Deepdesk components produce detailed logging to track errors and provide insight into application performance.