Trust & Security
What's actually built and verified today — not a roadmap, not marketing claims.
Overview
Boridesk exists to let one team run support for many separate client companies — which means the platform's core job is keeping each client's data walled off, both from other clients and from other agencies entirely. Here's what's actually built and verified today.
Tenant isolation
Every agency is a tenant, and every ticket, message, and client record is scoped to that tenant at the database query level — not just in application logic. This is covered by an automated integration test suite that specifically tries to make one tenant see another's data, and confirms it can't.
Access control
Within an agency, admins control what each agent can see: agents can be scoped to specific client companies, or granted access to all of them. New agents see nothing by default until access is explicitly granted. Roles (Agent / Admin / SuperAdmin) gate administrative actions like inviting agents or changing settings.
Encryption in transit
All traffic to boridesk.com and the Boridesk app runs over HTTPS.
Webhook security
Inbound email is delivered to Boridesk over a signed webhook, verified with HMAC-SHA256. Unsigned or incorrectly-signed requests are rejected before they touch any tenant's data.
Account security
Changing your password immediately invalidates every other active session — not just on next expiry. Repeated failed login attempts trigger account lockout, and login endpoints are rate-limited.
What we don't claim yet
We're not SOC 2 or ISO 27001 certified. That's on the roadmap for once it's something enterprise customers actually ask for — we won't say otherwise before it's true. We also don't yet publish a formal uptime SLA or a specific backup-frequency guarantee; ask us directly if that's a blocker for your agency.
Report a security issue
Found a vulnerability? Email [email protected] with details — we'll respond, and won't take legal action against good-faith reports.