Security at DesksFlow

Your agency's data — and your clients' documents — are some of the most sensitive information you handle. Here's exactly how we protect them.

Last updated: June 14, 2026

Your data stays in India

DesksFlow's production database and file storage run on Amazon Web Services (AWS) in the Mumbai (ap-south-1) region. Your agency's data and your clients' documents are stored in India — they don't leave the country in normal operation.

Encryption everywhere

  • In transit: all traffic is encrypted with TLS (HTTPS).
  • At rest: the database and stored files are encrypted (AES-256) on AWS.
  • The database is never exposed publicly — access requires server-held secret keys.

Strict tenant isolation

DesksFlow is multi-tenant, with each agency isolated at the database level using PostgreSQL Row-Level Security (RLS):

  • No agency can ever access another agency's data.
  • Access is scoped to your agency on every query — enforced by the database, not just the UI.

Can DesksFlow staff see your clients?

No — and we've built it that way on purpose.

  • Our internal admin tools show only aggregate, billing-level information(your plan, usage counts) — never individual client names, emails, documents, or case notes.
  • DesksFlow is a software company. Our business is building this platform — and we are committed never to use your data to compete with you or to contact your clients.
  • We are contractually bound never to access, use, or solicit your clients — see our Data Processing Agreement.

Access controls

  • Role-based access — owners, admins, managers, and staff each see only what their role allows.
  • Email-OTP 2FA on irreversible actions like deleting an agency.
  • Optional verified-access portals — clients can be required to enter a one-time code emailed to them before opening a document-collection link.
  • Audit logging of sensitive activity.
  • Rate limiting and anti-abuse protection on public endpoints.

Document storage

Client documents (passports, statements, transcripts) are stored in private storage buckets — never publicly accessible. Files are served only through short-lived, authenticated links. Client-portal upload links are time-limited (you choose 7–90 days), revocable at any time, and can be protected with an email one-time code.

Backups & recovery

The database is backed up regularly so your data can be recovered in the event of an incident. Our hosting runs on AWS's highly-available infrastructure.

Sub-processors

We rely on a small set of trusted, enterprise-grade providers:

  • Supabase / AWS (Mumbai) — database, authentication, and file storage.
  • Vercel — application hosting.
  • Resend — transactional & client-facing email delivery.
  • Razorpay — payment processing for subscriptions.
  • Anthropic (Claude) — optional AI features (e.g. AI Import); used only when you choose to.

Each is contractually bound to protect your data. The full list is in our DPA and Privacy Policy.

Compliance posture

We build to align with India's Digital Personal Data Protection (DPDP) Act, 2023 and follow GDPR-aligned best practices. Our infrastructure providers (Supabase, AWS, Vercel) maintain certifications such as SOC 2 and ISO 27001, which our platform inherits at the infrastructure layer.

Incident response

In the unlikely event of a security incident affecting your data, we will investigate promptly and notify affected agencies without undue delay, along with the steps we're taking.

Questions or reporting an issue

Found a vulnerability or have a security question? Email security@desksflow.com — we take every report seriously.

DesksFlow is a product of Nadrel Technologies.