FAQ

Frequently asked questions about security

Here you'll find answers to the most common questions we receive from IT departments, security managers and procurement teams during security reviews and due diligence.

Hosting and infrastructure

Where is MyDesk hosted?

MyDesk is delivered as a cloud-based SaaS solution in Microsoft Azure. Data is processed and stored within the EU/EEA, and the documentation describes Microsoft Ireland Operations as an approved sub-processor for hosting the application and databases.

Is MyDesk a SaaS solution?

Yes. MyDesk is delivered as a fully cloud-based SaaS solution with no on-premises components required for normal delivery.

How are production and testing separated?

Production and testing take place in separate environments. If production data is used in testing in exceptional cases, the documentation states that the test environment must be subject to corresponding data protection obligations.

What are your recovery goals?

In the SLA material reviewed, RPO and RTO are set to up to 24 hours. Final targets follow the specific customer agreement and service setup.

Do you have a break-glass procedure?

Yes. MyDesk describes a documented break-glass procedure for identity or access breaches so that critical access can be restored in a controlled manner in emergency situations.

Identity and access management

Does MyDesk support Microsoft Entra ID?

Yes. MyDesk supports Microsoft Entra ID for central identity and access management and can use Single Sign-On via Entra ID.

Does MyDesk support SSO and MFA?

Yes. Single Sign-On is supported via Microsoft Entra ID, and MFA can be enforced via customer identity policies. MyDesk also supports passwordless scenarios when configured in Entra ID.

What authentication protocols does MyDesk use?

MyDesk describes the use of OpenID Connect and OAuth 2.0 as core authentication mechanisms. Where customer requirements call for it, SAML 2.0 is also accepted as an alternative where applicable.

Do you use shared accounts?

No. MyDesk states that shared user accounts are not used and that access is based on unique identities so that administrative actions can be tracked.

How are access rights handled?

MyDesk supports role-based access management and the least privilege principle. Administrative changes and access rights are periodically reviewed and included in the audit trail.

Can MyDesk enforce Conditional Access?

MyDesk supports customer Conditional Access policies through integration with Microsoft Entra ID, including policies for location, device compliance, risk and MFA.

Data protection and encryption

Is data encrypted?

Yes. MyDesk describes encrypting data in transit and at rest as part of the security design, with TLS in transit and Azure standards for encryption at rest.

What personal data does MyDesk typically process?

It depends on the activated modules, but the material typically describes common user information such as name and email address as well as data related to booking, guest registration and meeting management.

Does MyDesk enter into a data processing agreement?

Yes. MyDesk enters into data processing agreements with customers and supports GDPR-related requirements, including Articles 28, 32 and 33.

Compliance and documentation

Can customers get documentation of your security work?

Yes. Upon request, MyDesk can provide relevant documentation such as DPA, NIS2 statement, ISAE 3402 statement and relevant incident response and vulnerability management statements.

Does MyDesk have an ISAE 3402 Statement?

Yes. MyDesk refers to an updated ISAE 3402 Type 2 statement with annual audit.

Is MyDesk ISO 27001 certified?

The material reviewed describes compliance with the principles and recommendations of ISO 27001. If a specific certification status is required, it should be stated separately on the page or upon request.

Can customers audit MyDesk?

Yes. The material describes the possibility of documentation, audit statements and, in some cases, additional audits or inspections according to the contractual basis.

Security incidents and monitoring

How does MyDesk handle security incidents?

MyDesk has a documented incident response process with monitoring, triage, escalation, remediation, customer communication and final evaluation. There are defined roles for coordination, engineering, support and management.

When are customers informed of a security incident?

In the NIS2 statement, MyDesk describes an early warning model with notification within 24 hours of becoming aware of an incident, a status update within 48 hours and a final report typically within a month. Agreement-specific deadlines may be stricter.

How does MyDesk work with vulnerabilities?

MyDesk describes continuous vulnerability monitoring via Microsoft security bulletins, automatic scans in Azure and notifications from suppliers. Critical vulnerabilities are handled on a priority basis.

Do you keep logs of administrative actions?

Yes. Administrative actions, permission changes and configuration changes are audit logged and can be used for traceability and follow-up.

How long are logs stored for?

MyDesk states that log data is stored for a minimum of 30 days in the MyDesk environment.

Can logs be exported to customer SIEM?

Yes. MyDesk describes the possibility of exporting operational and security logs to the customer's SIEM, including Microsoft Sentinel, in relevant deliveries.

Backup and restore

How does MyDesk handle backup?

MyDesk describes backups at least daily and retention of at least 30 days. More recent material also refers to Azure Backup and Azure SQL point-in-time restore with a minimum of 35 days' retention.

Integrations and application security

Does MyDesk support Microsoft Graph?

Yes. MyDesk integrates with Microsoft 365 and Exchange Online via documented Microsoft Graph APIs and least-privilege delegated permissions.

Does the integration require global admin rights?

MyDesk states that the solution should not require global administrator rights as a permanent operating model. However, in certain onboarding scenarios, an initial approval in the customer tenant may be required.

Can MyDesk be used with Outlook?

Yes. The material describes access via Outlook for web and desktop and Microsoft 365 integration. In relevant deliverables, mobile access and near real-time synchronization are also supported.

How is customer segregation ensured?

MyDesk describes logical isolation between customers so that data, configuration and access rights are not shared across customers.

Sub-processors and customer responsibility

Who is your central sub-processor?

In the material reviewed, Microsoft Ireland Operations is listed as an approved sub-processor for application and database hosting.

How are changes in sub-processors notified?

The data processing agreements describe a notice period of at least one month for planned changes so that the customer can object before the change takes effect.

What is the customer's own responsibility?

Among other things, the customer is responsible for correct user administration, its own identity policies, correct master data, local processes and the part of the infrastructure or third-party ecosystem that is outside MyDesk's direct operational responsibility.

What channels are used for security questions or incidents?

MyDesk uses support@mydesk.io and telephone +45 5191 4488 as security and incident channels during normal working hours (weekdays 08.00-17.00 CET). Extended P1 support can be agreed depending on the customer's service setup.

Do you have any questions?

Contact our Security Team directly - we answer security, compliance and documentation questions quickly and accurately.
