Security & Compliance

Deskpadi is built with security at every layer. This page describes the technical controls, compliance measures, and data-protection practices that safeguard your organisation's information.

Encryption at Rest

All personally identifiable information (PII) and sensitive data is encrypted at rest using AES-256-GCM. This includes:

  • Bank account details (account numbers, bank names).
  • Phone numbers.
  • Home addresses and emergency contact details.
  • Any other fields classified as PII in the data model.

Encryption keys are managed separately from the application database. Data is decrypted only when accessed by an authorised user with the appropriate role permissions.

Two-Factor Authentication (2FA)

Deskpadi supports time-based one-time passwords (TOTP) for two-factor authentication. Users can enable 2FA from their profile settings by scanning a QR code with any standard authenticator app (Google Authenticator, Authy, Microsoft Authenticator, etc.).

  • Once enabled, users must enter a 6-digit code from their authenticator app at each login.
  • Backup recovery codes are provided during setup in case the authenticator device is lost.
  • Super Admins can enforce 2FA as mandatory for all users in the organisation.
  • If a user is locked out, a Super Admin can reset their 2FA so they can re-enrol.

JWT Authentication

User sessions are managed using JSON Web Tokens (JWT). When a user logs in, the server issues a short-lived access token and a longer-lived refresh token.

  • Access tokens expire after a short period (minutes) to limit the window of exposure if a token is compromised.
  • Refresh tokens are used to obtain new access tokens without requiring the user to log in again.
  • Refresh tokens are stored securely and rotated on each use.
  • Logging out invalidates the refresh token immediately.

Multi-Tenant Data Isolation

Deskpadi is a multi-tenant platform — multiple organisations share the same infrastructure. Strict data isolation ensures that no organisation can ever access another's data.

  • tenantScope middleware — Every API request passes through a middleware layer that extracts the authenticated user's companyId and automatically scopes all database queries to that company.
  • companyId on every query — Every database table includes a companyId column. All SELECT, UPDATE, and DELETE queries include a companyId filter as a non-negotiable condition.
  • Cross-tenant isolation checks — Additional runtime checks verify that resource access does not cross tenant boundaries, even in edge cases such as shared reference data or inter-company operations.

Defence in depth: Even if a bug bypasses the middleware layer, the companyId scoping on every query acts as a second line of defence against cross-tenant data leakage.
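The two layers described above, as an added example that is not Deskpadi's own code: an Express-style tenantScope middleware plus a query helper that refuses any filter lacking companyId, so a handler that skipped the middleware still cannot read across tenants. Only the names tenantScope and companyId come from this page; the in-memory table, user shape and handler are assumptions.

```javascript
// Added illustration, not Deskpadi code. Express-style middleware: derive the tenant
// from the authenticated user and attach it to the request for every later query.
function tenantScope(req, res, next) {
  const companyId = req.user && req.user.companyId;
  if (!Number.isInteger(companyId)) {
    res.status(401).json({ error: 'unauthenticated' });
    return;
  }
  req.tenant = { companyId };           // every later query reads the scope from here
  next();
}

// Constructed in-memory "table"; every row carries companyId, as on the page.
const EMPLOYEES = [
  { id: 1, companyId: 42, name: 'Ada' },
  { id: 2, companyId: 42, name: 'Bayo' },
  { id: 3, companyId: 77, name: 'Chidi' },
];

// Second line of defence: the query layer rejects any filter without a companyId.
function scopedSelect(table, filter) {
  if (!Number.isInteger(filter.companyId)) {
    throw new Error('query refused: missing companyId scope');
  }
  return table.filter((row) =>
    Object.entries(filter).every(([col, val]) => row[col] === val)
  );
}

// Handler: look up one employee, always inside the caller's tenant.
function getEmployee(req) {
  const rows = scopedSelect(EMPLOYEES, {
    id: Number(req.params.id),
    companyId: req.tenant.companyId,
  });
  return rows[0] || null;               // a foreign tenant's id simply yields null
}

// Drive a request through middleware + handler with a minimal fake res object.
function runRequest(user, id) {
  const req = { user, params: { id } };
  const res = { code: 0, status(c) { this.code = c; return this; }, json(b) { this.body = b; return this; } };
  let result = null;
  tenantScope(req, res, () => { result = getEmployee(req); });
  return res.code ? { denied: res.code } : result;
}
```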

NDPR Compliance

Deskpadi complies with the Nigeria Data Protection Regulation (NDPR) and implements the following data-subject rights:

  • Right to erasure — Users can request deletion of their personal data. Upon request, PII is purged from active records and backups within the legally required timeframe.
  • Data portability — Users can export their personal data in a machine-readable format (JSON or CSV).
  • Data access — Users can request a copy of all personal data held about them. The system generates a comprehensive data-access report.

OWASP Top 10 Hardening

The platform is hardened against the OWASP Top 10 web application security risks:

  • Rate limiting — API endpoints enforce rate limits to prevent brute-force attacks and denial-of-service attempts. Limits are applied per IP and per user.
  • CORS (Cross-Origin Resource Sharing) — Strict CORS policies restrict which domains can make requests to the API. Only the official Deskpadi frontend origin is allowed.
  • Input validation — All user input is validated on both the client and server side. Payloads are checked against defined schemas before processing.
  • SQL injection protection — All database queries use parameterised statements. No raw SQL is constructed from user input.
  • XSS prevention — User-generated content is sanitised before rendering. Content Security Policy (CSP) headers provide an additional layer of protection.

HMAC-Signed Webhooks

Outgoing webhook payloads are signed using HMAC-SHA256 with a shared secret unique to each webhook endpoint. Receiving servers should verify the signature before processing the payload to ensure authenticity and integrity. The signature is included in the X-Deskpadi-Signature request header.

Role-Based Access Control (RBAC)

Access to every feature and API endpoint is controlled by the user's assigned role.

  • requireRole middleware — Every API endpoint specifies which roles are permitted to access it. The middleware checks the authenticated user's role before the request handler executes.
  • Per-endpoint authorisation — Permissions are defined at the endpoint level, not at a broad module level. This provides fine-grained control — for example, a Finance Officer can view expense reports but only a Finance Head can approve them.
  • Manager scoping — Managers and Department Heads are further scoped by their managedDepartments. They can only access data for employees within their assigned departments.
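The per-endpoint role check and the managedDepartments scoping, as an added example that is not Deskpadi's own code. The role names and the field managedDepartments come from this page; the expense-report rows, the departmentId column and the fake response object are assumptions.

```javascript
// Added illustration, not Deskpadi code. Middleware factory: each endpoint declares
// the roles it permits, and the check runs before the handler does.
function requireRole(...allowedRoles) {
  return function (req, res, next) {
    const role = req.user && req.user.role;
    if (!allowedRoles.includes(role)) {
      res.status(403).json({ error: 'forbidden' });
      return;
    }
    next();
  };
}

// Constructed expense reports; departmentId stands in for the real column.
const REPORTS = [
  { id: 10, departmentId: 'eng', amount: 500 },
  { id: 11, departmentId: 'sales', amount: 900 },
];

// Managers and Department Heads see only their managedDepartments; finance roles see all.
function visibleReports(user) {
  if (user.role === 'Manager' || user.role === 'Department Head') {
    const allowed = new Set(user.managedDepartments || []);
    return REPORTS.filter((r) => allowed.has(r.departmentId));
  }
  return REPORTS;
}

// Two endpoints with different permitted roles, as the page describes.
const viewReports = requireRole('Finance Officer', 'Finance Head', 'Manager', 'Department Head');
const approveReport = requireRole('Finance Head');

// Run an endpoint's middleware, then its handler, through a minimal fake res object.
function runEndpoint(middleware, user, handler) {
  const req = { user };
  const res = { code: 0, status(c) { this.code = c; return this; }, json(b) { this.body = b; return this; } };
  let result = null;
  middleware(req, res, () => { result = handler(req); });
  return res.code ? { denied: res.code } : result;
}
```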

Soft-Delete & Retention

When records are deleted in Deskpadi, they are soft-deleted — marked as inactive but retained in the database for 90 days. During this retention period, records can be restored if needed. After 90 days, soft-deleted records are permanently purged in accordance with data-retention policies.

CSRF Protection

Cross-Site Request Forgery (CSRF) protection is implemented on all state-changing endpoints. The platform uses token-based CSRF protection to ensure that requests originate from legitimate user sessions and not from malicious third-party sites.

Comprehensive Audit Logging

Every significant action is recorded in the audit trail with the actor's identity, timestamp, action type, affected resource, and a before/after state snapshot. Audit logs are immutable — they cannot be edited or deleted by any user, including Super Admins. Retention periods vary by plan (30 days for Free up to 3 years for Enterprise). See the Administration documentation for full details on audit log filtering and retention.
