Security

Your client data is yours.
And it's locked.

Every file, message, and form submission in Desk FT is encrypted at rest and in transit. Here's exactly how we handle it.

AES-256 encryption at rest TLS 1.3 in transit GDPR-compliant No AI training on your data

Encryption

All data stored in Desk FT is encrypted at rest using AES-256. All data in transit between your device and our servers is encrypted using TLS 1.3. File uploads are stored in encrypted object storage and served only via time-limited signed URLs.

Infrastructure

Desk FT is built on Supabase, hosted on AWS. Data is stored in the region closest to you. Row-level security policies ensure that each operator can only access their own workspaces, desks, and client data — enforced at the database layer, not just the API.

Authentication

Passwords are hashed using bcrypt. We support Sign in with Apple and Sign in with Google as passwordless alternatives. Sessions use short-lived JWT access tokens with automatic refresh. Invites are single-use tokens that expire after 72 hours.

Data isolation

Every workspace is fully isolated. A client invited to one desk can only see that desk — not other desks in the same workspace, not other workspaces. Operators cannot see data from other operators' workspaces under any circumstances.

Data handling policies

We don't train on your data

Your files, forms, timelines, and checklist items are never used to train AI models — ours or anyone else's. This is a hard commitment, not a preference setting.

GDPR compliance

We provide data export (full desk as ZIP) and honour deletion requests. You're the data controller for the content in your workspaces; we act as your processor (and are the controller only for account & platform data). See the Privacy Policy for who to ask for what.

Export & delete your data

Every desk exports as a ZIP file containing all files, timeline items, form responses, and checklist data. Deleting your account removes the workspaces you own and your account data — live data within 30 days, encrypted backups rolling off within 90. Content you added to someone else's workspace is de-identified and kept by that owner, who controls it.

No third-party data selling

We don't sell, rent, or share your data with third parties for advertising or analytics purposes. Sub-processors (Supabase, Firebase for push notifications) are listed in our Privacy Policy.

Security concern, responsible disclosure, or compliance question?

[email protected]

Your client data is in good hands.

Free for your first two desks. No card required.

Start free → Privacy policy