In Q3 2018 the average uptime of all TOPdesk SaaS environments during our service window (excluding scheduled maintenance) was 99,946%.
Several measures ensure the availability of your TOPdesk SaaS environment:
Back-up procedures ensure we can continue to operate in the unlikely event that data becomes unreachable:
Back-up and restore procedures are tested at least monthly. A monitoring system ensures the last restore test was no longer than 30 days ago. As servers are deployed automatically, recovering from a data center loss is hardly different from day to day operations.
Our disaster recovery procedures and back-up systems ensure the following recovery times. In case of total site failure (data center is lost):
In case of serious failures within a site, redundancy and fail over procedures ensure:
You can always stay up-to-date regarding the availability of TOPdesk SaaS environments by checking the availability of your environment on our Extranet and by visiting our SaaS Status blog.
TOPdesk can link to many identity providers. This means you can easily control who has access to your TOPdesk environment, without setting up a separate login system. Simply link TOPdesk to your existing identity provider (via ADFS, SAML, LDAPS, etc.) and you can log in using Single Sign On (SSO). Our consultants will help you to create a secure link between both systems.
TOPdesk employees can only access your TOPdesk SaaS environment when you have requested them to do so, for instance when you’ve asked our Support team for help.
All TOPdesk Support staff that might be granted access to your environment will have:
You can even determine whether TOPdesk employees can access your TOPdesk environment. You can find the settings for this at 'Functional settings > Login settings > General'.
TOPdesk won't store any passwords for your environment. TOPdesk employees will only have access using a personal account from a secure TOPdesk authentication server.
Secure coding guidelines ensure our software is also safe to use. Our measures include:
We only allow secure connections to TOPdesk SaaS environments. HSTS preloading is used to ensure all connections are secured. The strength of our SSL certificated is evaluated on a regular basis and currently has an A+ score from Qualys SSL labs.
An external auditor performs daily automated penetration tests. These tests are verified by a security expert at least every 3 months. You can also execute your own penetration test, but please inform us beforehand.
TOPdesk uses an intrusion detection system* to detect attacks against our software. Additionally, you can use your own intrusion detection system and link this to the TOPdesk access logs. It's also easy to set up an IP restriction for your TOPdesk SaaS envrionment, so only your colleagues can access your environment.
Anti virus and malware definitions are updated daily. On-access file scans, and regular full storage scans, ensure your users can safely work with attachments.
These efforts have led to an ISAE3000 type II audit report, which you can request to verify the security of our procedures and processes.
Encryption of stored data protects against data theft by someone with access to the discs where the data is stored. TOPdesk has covered this risk in a different way, which does not require encryption.
The following steps have been taken to prevent theft of data:
A related risk is interception of data before it is stored. This risk is covered by only allowing encrypted connections (HTTPS) with TOPdesk SaaS environments. HSTS preloading ensures all connections are automatically started using HTTPS by all common browsers.
Regular checks determine whether there are known errors in communication protocols, after which unsafe protocols are disabled as soon as possible. These measures resulted in an A+ score for the TOPdesk SaaS SSL certificate on Qualys SSL Labs, an independent party that assesses the strength of secure connections.
In TOPdesk, we believe in working in increments: thinking big and starting small. We’ve moved from releasing four versions a year to quick small releases. What does this mean for you as a customer? About every week, you will receive the latest version of TOPdesk with the newest features and bug fixes. Small regular releases, also called continuous deployment, has at least eight benefits.
We also use staged roll-out, where a new version is first released to a small group of test environments and is released to more and more environments while no bugs have been reported. Find out more about our staged roll-out process on our blog.
Our goal is to release functionality in small increments with no impact. In some cases, it may not be possible to do so. Here we’ll do what is needed to make you aware of the impact beforehand, and offer you options to make the upgrade as smooth as possible.
You can use our websites to stay up to date on (future) developments:
TOPdesk SaaS is set up to deliver our services efficiently and effectively. Because we are highly specialized and able to automate all common tasks, we can provide our customers with a high quality service at a lower Total Cost of Ownership (TCO) than On-Premises hosting. This setup provides the following benefits to our customers:
Hosting TOPdesk environments using industry standard techniques like virtualization, resource sharing, redundancy and automation of operational activities results in lower total cost of ownership in comparison to on-premises installation and high availability of the service.
Changes to TOPdesk are fully automated. Examples are deployment of new production and testing instances for customers, adding or removing modules and functionalities, backups, updates and monitoring. This reduces the risk of human error and makes it possible to respond quickly to customer requests.
Using TOPdesk SaaS you can rest assured your data is hosted on up-to-date hardware, running the latest security updates. The TOPdesk SaaS network is completely separated from the TOPdesk corporate network, and all TOPdesk SaaS servers are deployed automatically and registered in our CMDB. This has numerous advantages:
We keep TOPdesk running. The data center keeps the server running. And you are in control of the data.
An external auditor ensures that TOPdesk’s procedures are adequate to securely process your data. An external auditor also verifies the security measures at each data center.
We have a data processing agreement with each data center used for hosting TOPdesk SaaS environments, and verify the security of these data centers by inspecting their audit reports.
You can inspect the safety of your data at TOPdesk using the information on this page, or by requesting our audit report via your account manager. We also have template data processing agreements available for you as data controller.
These data processing agreements and audit reports ensure your data is kept safe, while you remain in full control of your data.
For European customers, we recommend reading our blog about TOPdesk and the General Data Protection Regulation.
TOPdesk currently offers hosting locations in the Netherlands (EU), the United Kingdom and the United States of America. Customers can choose where their data is stored. Data is never moved to another data center without a written confirmation from a SaaS main contact at the customer. Off-site back-ups are stored within the same region, ensuring the same laws apply.
You can find the locations of our data centers by clicking the map below.
You can find more details about our data centers on their websites:
TOPdesk SaaS has an ISAE 3000 type II certificate, which is audited annually, covering the previous period from April to April. The certification report by the external auditor can be requested through your account manager (see ‘Contact us’).
ISAE 3000 has been chosen as the most applicable certification for our SaaS services. This international standard, comparable to SOC 2 – Type 2 audits in the US, can be used to check if the risk management systems regarding information security, availability, integrity, confidentiality, and privacy are adequate for the desired goal (Type I) and if the targets set by TOPdesk have been met (Type II). A Type II ISAE 3000 certification always concerns the past, as the auditor tests whether the controls were sufficient during a certain time frame.
The ISAE 3000 certification also covers subcontractors. This means that TOPdesk verifies that the datacenters used have sufficient (data) security measures, including relevant audits, and certifications on the services provided. The ISAE 3000 auditor verifies that TOPdesk has requested and inspected the relevant certificates.
An ISAE 3000 certificate also tests information security. This means there is an overlap with ISO 27001. An ISO 27001 audit tests if the management system for information security is adequate and if certain standards are met. In this sense, ISAE 3000 type II has a broader coverage, as the audit also checks whether the control systems were sufficient to accomplish the desired goal.
ISAE 3402 certification is also often mentioned for SaaS services. However, this is a standard for outsourced financial processes. Because the processes in TOPdesk often have no direct link to the (annual) financial reports of your organization, this standard is less relevant for our customers than ISAE 3000.
Data saved in your TOPdesk environment remains your property. We offer a default and easy way to retrieve your data from our software, when you terminate your contract with us for example. You can always download your data via your TOPdesk environment. After terminating your contract, we keep your data for 30 days and remove it automatically after this period. To ensure that your data is completely deleted, we have an automatic system with built-in control mechanism for the deletion. We also have a monitoring system that actively scans folders, databases and live environments for data that should have been removed.
Up to 30 days after terminating your contract, one of your SaaS main contacts can requests your data through our Self-Service Portal. Upon this request, we’ll send you the data as soon as possible through a secure connection. All data comes in a regular file format.
If you have any questions about our SaaS hosting, don’t hesitate to contact us for more information.
We appreciate customers and security researchers reporting vulnerabilities in our software and infrastructure to us.
If you plan to execute a test on our product or SaaS infrastructure, please contact your account manager or our Support department and ask for the collaboration agreement that we have in place for this purpose. It provides guidelines on how to responsibly test our services and work together with us, which for instance prevents our security team from interfering with your tests when detected by our monitoring.
Read more about how to report findings on our responsible disclosure page.
All security incidents are treated with high priority. Our Support team is trained in recognizing security incidents and will escalate the request to a security expert. We aim to provide customers with an indication on the severity and possible mitigating steps within 1 working day. For the fastest response, please call our Support team to report a possible security issue.
If a modification in the product is necessary to remedy a vulnerability, we start working on that immediately and aim to incorporate it in the next release of our product.