Security Overview
Customer data protection and security are the foundations on which TalentDesk’s products and services are built. The trust our clients place in us with their data is treated as our highest priority.
Our practices are based on the legal framework of the European and UK General Data Protection Regulation (GDPR) and align with common standards and guidelines such as SOC 2.
Compliance and Certifications
TalentDesk maintains an information security programme designed to align with industry-recognised standards and applicable data protection law.
- SOC 2 Type I — TalentDesk is SOC 2 Type I compliant. Our current SOC 2 report is available to customers and prospective customers on request under a non-disclosure agreement (NDA).
- GDPR and UK GDPR — We process personal data in accordance with the EU GDPR and the UK GDPR. Further detail is available in our Privacy Notice.
1. Data Protection
Data Storage
TalentDesk stores its data in Amazon Web Services (AWS) facilities in the UK and the USA. AWS data centres are independently audited against leading security standards, including SOC 1, SOC 2, ISO 27001, and PCI DSS.
Data Ownership
The customer is and remains the owner and controller of the data within the meaning of Article 24 EU GDPR. In particular, this means that the customer is responsible for respecting the rights of data subjects (Chapter 3 of EU GDPR).
TalentDesk is the data processor and processes its customer’s data exclusively at the customer’s instruction and for the purposes laid down in the data processing agreement.
Sub-processors
Where TalentDesk engages third-party sub-processors to assist in delivering the service, each sub-processor is bound by written terms that impose data protection obligations no less protective than those in our agreement with our customers. A current list of sub-processors is available on request to legal@talentdesk.io.
Data Retention and Deletion
Customer data is retained for as long as the customer’s account remains active and for any period thereafter required to meet legal, accounting, or reporting obligations. On contract termination, customer data is deleted in accordance with the timeframes set out in our data processing agreement.
2. User Protection
Single Sign-On (SSO)
TalentDesk supports SAML-based Single Sign-On (SSO), which allows you to authenticate users against your own identity provider without requiring them to enter additional login credentials.
Multi-Factor Authentication (MFA)
Multi-factor authentication is available on the Platform and can be used in conjunction with SSO to provide an additional layer of authentication for users accessing TalentDesk.
Password and Session Management
For customers who do not use SSO, the Platform enforces password complexity requirements and protections against brute-force attacks. User sessions are managed using short-lived, signed tokens with appropriate expiry to limit the impact of token compromise.
3. Network and Application Security
Encryption in Transit
TalentDesk uses HTTPS (TLS) with 256-bit encryption for all communications between the customer’s browser and our front-end and back-end services. The encrypted channel protects the service against man-in-the-middle (MitM) attacks.
HTTPS also ensures the protection of the privacy and integrity of the exchanged data. The bidirectional encryption of communications between a user and the Platform protects against eavesdropping, tampering with, and forging of the contents of the communication. In practice, this provides a reasonable guarantee that a user is communicating with the intended website (as opposed to an impostor) and that the contents of communications between the user and Platform cannot be read or forged by a third party.
Encryption at Rest
Customer data, including database contents, file storage, and backups, is encrypted at rest using AES-256 encryption with keys managed through AWS Key Management Service (KMS). Encryption is applied by default to all storage volumes that hold customer data.
Backups and Monitoring
To ensure data consistency and integrity, our system performs daily automated backups of our database via the Amazon Relational Database Service (RDS). All backups are encrypted and stored within AWS.
Our platform is deployed using a multi-availability-zone (Multi-AZ) configuration with automated failover, providing high availability and resilience against single-zone failures.
Application events produce audit logs for all activities, which are retained and reviewed for suspicious activity.
Firewall and DDoS Protection
At the infrastructure level, TalentDesk leverages advanced protection mechanisms provided by Amazon Web Services. The AWS Web Application Firewall (AWS WAF) protects TalentDesk from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS Shield, a managed Distributed Denial of Service (DDoS) protection service, safeguards the Platform to minimise downtime and maintain high availability.
Authentication and Authorisation
At the application level, security is a primary consideration in how information is accessed and exchanged. TalentDesk uses JSON Web Tokens (JWT), an open standard for securely transmitting information between parties. The information in a token can be verified and trusted because it is signed with an HMAC using a server-side secret, so any modification of the token invalidates the signature. Particular care is taken to mitigate common attacks, including Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), and SQL injection.
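The two properties described in this overview, HMAC-signed JWTs (this section) and short-lived session tokens with an expiry (Password and Session Management), can be illustrated with a minimal HS256 issue-and-verify routine. The code below is an added example written for this page; it is not TalentDesk's code and makes no claim about the Platform's implementation. The secret, token lifetime (15 minutes) and subject names are constructed placeholders. It uses only the Python standard library and shows the checks a verifier has to perform: pin the algorithm instead of trusting the token's own "alg" header, compare the HMAC in constant time, and reject tokens past their "exp" claim.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder secret; a real deployment would load this from a secret store.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
# Assumed lifetime for a short-lived session token (seconds).
TOKEN_TTL_SECONDS = 900


class TokenError(Exception):
    """Raised when a token fails any verification step."""


def _b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-add padding stripped during encoding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, secret: bytes, now: Optional[int] = None,
                ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Build an HS256-signed JWT with issued-at and expiry claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = _b64url_encode(compact(header)) + "." + _b64url_encode(compact(payload))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the payload if the token is well-formed, correctly signed and unexpired."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        provided_sig = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("malformed token")
    # Pin the algorithm: the verifier decides how to check the signature,
    # never the token (this rejects "alg": "none" and algorithm-confusion tokens).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected_sig, provided_sig):
        raise TokenError("bad signature")
    # Only parse claims after the signature has been verified.
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("malformed token")
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or now >= exp:
        raise TokenError("expired")
    return payload


def token_status(token: str, secret: bytes, now: Optional[int] = None) -> str:
    """Convenience wrapper: 'ok' or the reason verification failed."""
    try:
        verify_token(token, secret, now)
        return "ok"
    except TokenError as err:
        return str(err)


if __name__ == "__main__":
    issued_at = 1_000_000  # constructed fixed clock for a reproducible demo
    tok = issue_token("alice", DEMO_SECRET, now=issued_at)
    print("fresh token:", token_status(tok, DEMO_SECRET, now=issued_at + 100))
    print("after expiry:", token_status(tok, DEMO_SECRET, now=issued_at + TOKEN_TTL_SECONDS))
    # A tampered payload with the original signature must be rejected.
    h, _, s = tok.split(".")
    forged = h + "." + _b64url_encode(b'{"sub":"admin","iat":1000000,"exp":1000900}') + "." + s
    print("forged payload:", token_status(forged, DEMO_SECRET, now=issued_at + 100))
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim in the payload is trusted, and expiry is evaluated against the verifier's clock, which is what bounds the window in which a leaked token remains usable.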
Virtual Private Cloud
All of our servers run within our own virtual private cloud (VPC), with network access control lists (ACLs) and security groups that prevent unauthorised requests from reaching our internal network.
Penetration Testing and Vulnerability Scanning
We engage an independent third party to perform penetration testing of our application and infrastructure on an annual basis. In addition, we use continuous vulnerability scanning tools to monitor our application and infrastructure stack between pentests. Our Site Reliability Engineering (SRE) team responds to identified issues in accordance with severity-based remediation timelines.
4. Access Control
Access to TalentDesk’s production systems and customer data is granted on a least-privilege basis and is restricted to personnel with a legitimate business need. Access is granted through role-based controls and is reviewed periodically.
Database access is restricted and is granted to engineering personnel only in defined circumstances, such as technical support cases, and is limited to the required support time window. Privileged access requires multi-factor authentication.
Joiners, movers, and leavers are managed through a defined process to ensure access is provisioned, modified, and revoked on a timely basis.
5. Secure Development
All development is performed by our in-house engineering team, who are trained in secure development practices.
All code is peer reviewed before it can be merged and deployed into production. We continually review our dependency packages to ensure they are patched against known security vulnerabilities. We use Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) to detect security vulnerabilities in our codebase and applications.
6. Incident Response and Breach Notification
TalentDesk maintains a documented incident response process covering detection, triage, containment, eradication, recovery, and post-incident review.
Where a personal data breach is likely to result in a risk to the rights and freedoms of data subjects, we will notify the competent supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, in accordance with Article 33 of the GDPR. Affected customers will be notified without undue delay so that they can fulfil their own notification obligations.
7. Business Continuity and Disaster Recovery
TalentDesk performs backups of all critical assets and carries out regular system restore tests to verify that our disaster recovery procedures are effective. All data backups are encrypted and stored in a secure location. Recovery objectives are defined in our internal business continuity policy and tested as part of our regular DR exercises.
8. Team and Personnel Security
All employees and contractors are subject to background checks where legally permitted, sign Non-Disclosure and Confidentiality Agreements, and complete security awareness training on joining and at regular intervals thereafter.
We follow strict internal procedures that limit who can access customer data, and access is logged and monitored.
9. Reporting a Security Issue
If you believe you have discovered a security vulnerability or wish to report a security concern, please contact us at security@talentdesk.io. We appreciate responsible disclosure and will acknowledge reports promptly.
Last updated: 12 May 2026
