TOPdesk SaaS is set up to deliver our services efficiently and effectively. Because we are highly specialized and able to automate all common tasks, we can provide our customers with a high quality service at a lower Total Cost of Ownership (TCO) than On-Premises hosting. This setup provides the following benefits to our customers:
Hosting TOPdesk environments using industry-standard techniques such as virtualization, resource sharing, redundancy and automation of operational activities results in a lower total cost of ownership than an on-premises installation, and in high availability of the service.
Changes to TOPdesk are fully automated. Examples are deployment of new production and testing instances for customers, adding or removing modules and functionalities, backups, updates and monitoring. This reduces the risk of human error and makes it possible to respond quickly to customer requests.
We keep TOPdesk running. The data center keeps the server running. And you are in control of the data.
These data processing agreements and audit reports ensure your data is kept safe, while you remain in full control of your data.
For European customers, we recommend reading our blog about TOPdesk and the General Data Protection Regulation.
TOPdesk SaaS has an SOC 2 certification, which is audited annually, covering the previous period from April 1st to March 31st. The certification report by the external auditor can be requested through your account manager (see Contact us).
SOC 2 has been chosen as the most applicable basis for reporting on our SaaS services. This international auditing standard is used to check if the risk management systems regarding security, availability, and privacy are adequate for the desired goal, and if the targets set by TOPdesk have been met.
A SOC 2 certification always concerns the past, as the auditor tests whether the controls were sufficient during a certain time frame.
The SOC 2 certification also covers subcontractors. This means that TOPdesk verifies that the datacenters used have sufficient (data) security measures, including relevant audits, and certifications on the services provided (also see Hosting locations and Who does what). Our auditor verifies that TOPdesk has requested and inspected the relevant certificates.
TOPdesk currently offers hosting locations in the United States of America (US), Canada (CA), Australia (AU), the United Kingdom (UK), and the Netherlands (NL).
Customers can choose where their data is stored and can verify this location via our Self-Service Portal. Data is never moved to another region without written confirmation from a SaaS main contact at the customer. Off-site back-ups are stored at a different location within the same region, so the same laws apply.
Datacenter certifications are listed below. You can find more details about our datacenters and their (security) certification by visiting their websites.
|Datacenter||Region||Certifications|
| || ||ISO 9001, ISO 27001, ISO 14001, NEN 7510, PCI DSS|
|NL3||Europe||ISO 9001, ISO 27001, ISO 14001, PCI DSS, SOC 1|
|EU1||Europe||ISO 9001, ISO 27001, ISO 27017, ISO 27018, ISO 20000-1, ISO 22301, PCI DSS, SOC 1, SOC 2, CSA STAR|
|UK1||United Kingdom||ISO 9001, ISO 27001, ISO 14001, PCI DSS, BS 25999-2|
| || ||ISO 9001, ISO 27001, ISO 14001, PCI DSS, SOC 1|
| || ||ISO 9001, ISO 27001, ISO 27017, ISO 27018, ISO 20000-1, ISO 22301, PCI DSS, SOC 1, SOC 2, CSA STAR|
| || ||ISO 9001, ISO 27001, ISO 27017, ISO 27018, ISO 20000-1, ISO 22301, PCI DSS, SOC 1, SOC 2, CSA STAR|
Next to these datacenters, TOPdesk currently uses the following sub processors to help provide our TOPdesk SaaS services:
Intrusion Detection System, monitoring connections to the TOPdesk SaaS network for known attack patterns and threats.
Manages some SSL certificates for encrypting connections and adds additional security like DDOS protection.
TOPdesk holds all sub processors to the same (or higher) security standards as we have for our own hosting services.
Changes in the sub processors will be announced in advance on our SaaS maintenance page, where you can subscribe for e-mail updates. Should you object to the use of a (new) sub processor, please contact TOPdesk Support or your account manager to discuss which alternatives are available.
At TOPdesk, we believe in working in increments: thinking big and starting small. We’ve moved from releasing four versions a year to quick, small releases. What does this mean for you as a customer? About every week, you will receive the latest version of TOPdesk with the newest features and bug fixes. Small, regular releases, also called continuous deployment, have at least eight benefits.
We also use a staged roll-out, where a new version is first released to a small group of test environments and is then released to more and more environments as long as no bugs are reported. Find out more about our staged roll-out process on our blog.
|Update group||Update frequency|
|Internal tests||Daily automated tests, installation on an internal acceptance environment, and installation on our internal production environment|
|Test environments||Weekly updates to the latest version, when no problems were found during internal tests|
|Automatic early updates||Weekly updates to the latest version, when no problems were found on test environments|
|Automatic weekly updates||Weekly updates to the latest version, when no problems were found in the early updates group|
|Several updates per year||Customers who don't want weekly updates, and customers with an add-on, will be updated approximately every quarter. These customers are updated to a version from the Automatic weekly updates group in which all known critical issues have been fixed.|
Our goal is to release functionality in small increments with no impact. In some cases, it may not be possible to do so. Here we’ll do what is needed to make you aware of the impact beforehand, and offer you options to make the upgrade as smooth as possible.
Updates will always be installed during the maintenance window, between 22:30 (10:30 PM) and 03:00 (3:00 AM) in a time zone of your choice. Available time zones and more information can be found in our service portal. This minimizes the impact for your end users.
Before installation of the weekly updates, users working in TOPdesk will be notified, so they can save their work before the update. For customers with several updates per year, an e-mail with the update planning will be sent when the update is scheduled.
You can use our websites to stay up to date on (future) developments:
Using TOPdesk SaaS you can rest assured your data is hosted on up-to-date hardware, running the latest security updates. The TOPdesk SaaS network is completely separated from the TOPdesk corporate network, and all TOPdesk SaaS servers are deployed automatically and registered in our CMDB. This has numerous advantages:
Management access to the TOPdesk SaaS network is only possible from a secure multi-factor authentication gateway server, using a personal account with sufficient permissions. Access to this gateway server is closely monitored, and the multi-factor authentication set-up ensures administrators are personally notified immediately when someone tries to misuse their credentials.
As the TOPdesk SaaS network only consists of virtual machines on servers in a professional data center, there is no need for removable media (USB drives), WiFi connections, printers, and other common office devices. This reduces the attack surface of our SaaS network, and prevents malware infections.
At TOPdesk, we're serious about the security of your data. As security is never finished, we're constantly working to improve the security of our hosting services, software, and internal procedures. You can read more about our security efforts below, and on our Tech blog:
We only allow secure connections to TOPdesk SaaS environments. HSTS preloading is used to ensure all common browsers force users to a secured connection. The strength of our SSL certificate (used to encrypt the connection) is evaluated on a regular basis and currently has an A+ score from Qualys SSL labs.
TOPdesk uses a Content Delivery Network (CDN) for worldwide fast availability of TOPdesk environments, (D)DOS protection, and to block known threats. An intrusion detection system* helps detect attacks against our software in an early stage and will inform our hosting team of any problems.
Additionally, you can use your own intrusion detection system and link it to the TOPdesk access logs. It's also easy to set up an IP restriction for your TOPdesk SaaS environment, so only your colleagues can access your TOPdesk environment.
Antivirus and malware definitions are updated daily. File scans during upload, and regular full storage scans, ensure your users can safely work with attachments.
Management access is limited to a small group of TOPdesk SaaS administrators and is only possible using a personal account and via a multi-factor authentication gateway (see Access management). TOPdesk will also ensure all relevant updates are installed in a timely fashion (see Server management and Always up to date).
Your data is stored separately from other customers' data. Customer-specific files (like attachments) are stored in a folder that can only be accessed by your dedicated TOPdesk environment. Folder and file permissions ensure that only the TOPdesk environment that created a file can access it.
A similar design is used for databases: your TOPdesk environment can only connect to its dedicated database, and database permissions ensure that no application but your TOPdesk environment is allowed to access the data. This dual layer of security ensures that data remains segregated from other customers' data and can never be accessed by unauthorized users.
Secure coding guidelines ensure our software is of high quality and safe to use. Our measures include:
During development, all software components and dependencies are scanned for known vulnerabilities. If no problems are found, the software is compiled and automatically tested. When all tests are successful, the software is deployed on a live environment which is scanned (black-box) for vulnerabilities on a daily basis.
The daily automated vulnerability scans are executed by an external auditor and test for known threats and OWASP vulnerabilities. These scans are verified using (grey box) penetration tests by a certified and independent security expert at least every 3 months.
You can also execute your own penetration test or vulnerability scan, but please inform us beforehand.
These efforts have led to an SOC 2 audit report (see certification), which you can request to verify the security of our procedures and processes.
We aim to keep all TOPdesk SaaS environments online 24/7. Our target uptime in the standard SLA for TOPdesk SaaS environments is 99,9%. The average uptime of all TOPdesk SaaS environments (24/7, excluding scheduled maintenance) in Q4 2019 was 99,944%.
Several measures ensure the availability of TOPdesk SaaS environments:
TOPdesk has a 24/7 monitoring system on all TOPdesk SaaS environments and servers. The monitoring system verifies health metrics for every TOPdesk environment, like the (internal and external) availability, database connection, and search index availability. Servers are also tested on relevant metrics, like availability, CPU usage, memory usage, and available disk space. To ensure our back-up system works as expected, we also monitor the last back-up restore test for database servers.
Should the monitoring system detect a problem, TOPdesk operators are immediately notified. During the night, a 24/7 stand-by shift ensures issues are quickly resolved. Issues affecting multiple TOPdesk environments are published on our status page and via the Self-Service Portal. You can also verify the monitoring results for your environment(s) on our portal, and (if desired) immediately schedule follow-up actions like a restart of your TOPdesk environment, or submit a ticket for our Support team.
Back-up procedures ensure we can continue to operate in the unlikely event that data becomes unreachable:
Back-up and restore procedures are tested at least monthly. A monitoring system ensures the last restore test for each site was no longer than 30 days ago. As servers are deployed automatically, recovering from a data center loss is hardly different from day to day operations.
Our disaster recovery procedures and back-up systems ensure quick recovery times. In over 75% of all cases we are able to restore all services within 15 minutes.
In case of serious failures within a site, redundancy and fail over procedures ensure:
In the unlikely event of a total site failure (datacenter is lost):
You can always stay up-to-date regarding the availability of TOPdesk SaaS environments by checking the availability of your environment on our customer portal (https://My.TOPdesk.com) and by visiting our SaaS Status blog.
TOPdesk can link to many identity providers. This means you can easily control who has access to your TOPdesk environment, without setting up a separate login system. Simply link TOPdesk to your existing identity provider (via ADFS, SAML, LDAPS, etc.) and you can log in using Single Sign On (SSO). Our consultants will help you to create a secure link between both systems.
TOPdesk allows for role-based interfaces and authorizations. Access is adjustable on a granular level. You can choose which services each user (or user group) has access to, and whether the user has read, write, or advanced permissions. Roles and permission groups can be easily defined and changed in the interface, by selecting the appropriate permissions through tickboxes.
From our customer portal (https://My.TOPdesk.com) you control your TOPdesk SaaS environment. You can manage which users are allowed to request changes to the environment and schedule actions. To prevent unauthorized changes, TOPdesk will only execute changes requested by contacts that have previously been registered as 'SaaS main contact' in our system.
TOPdesk employees can only access your TOPdesk SaaS environment when you have requested them to do so, for instance when you’ve asked our Support team for help.
All TOPdesk Support staff that might be granted access to your environment will have:
You can even determine whether TOPdesk employees can access your TOPdesk environment. You can find the settings for this at 'Functional settings > Login settings > General'.
TOPdesk won't store any passwords for your environment. TOPdesk employees will only have access using a personal account from a secure TOPdesk authentication server.
You can (automatically) download the access logs for your environment to verify who accessed the environment, and at what time. Access logs include all login attempts and information to identify the source, like IP addresses. As the access logs can be accessed automatically, you can link them to your own Intrusion Detection System.
TOPdesk stores access logs for half a year. If you'd like to store the logs for a longer period, you can download a copy.
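The two paragraphs above describe linking the downloaded access logs to your own intrusion detection system. The following is an added example (not TOPdesk's code) of what such a consumer could do with those logs: it parses login attempts, flags source addresses that produce a burst of failed logins, and reports successful logins from outside the IP ranges you expect your colleagues to use. The line format (`<ISO timestamp> <SUCCESS|FAILURE> user=<name> ip=<addr>`) and the sample lines are constructed assumptions; the page only states that the logs contain all login attempts and source information such as IP addresses, so adapt the regular expression to the actual export.

```python
"""Detection over access-log login events: failure bursts and out-of-range logins.

Added example, not TOPdesk's code. The line format and sample lines are
constructed; the real export format is not specified on the page.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed line format (not the page's): "<ISO timestamp> <SUCCESS|FAILURE> user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log lines (documentation-range addresses, not real data).
SAMPLE_LOG = """\
2024-01-15T08:00:01 SUCCESS user=alice ip=198.51.100.10
2024-01-15T08:00:05 FAILURE user=bob ip=203.0.113.7
2024-01-15T08:00:09 FAILURE user=bob ip=203.0.113.7
2024-01-15T08:00:14 FAILURE user=carol ip=203.0.113.7
2024-01-15T08:00:20 FAILURE user=dave ip=203.0.113.7
2024-01-15T08:00:25 FAILURE user=erin ip=203.0.113.7
2024-01-15T08:10:00 FAILURE user=alice ip=198.51.100.10
2024-01-15T08:30:00 SUCCESS user=frank ip=192.0.2.44
"""


def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "ip": ipaddress.ip_address(m["ip"]),
        })
    return events


def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Return source IPs that produced >= threshold failures within any sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "FAILURE":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(str(ev["ip"]))
    return sorted(flagged)


def find_logins_outside(events, allowed_cidrs):
    """Successful logins whose source is outside the expected ranges."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [
        (ev["user"], str(ev["ip"]))
        for ev in events
        if ev["result"] == "SUCCESS" and not any(ev["ip"] in n for n in nets)
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failure bursts from:", find_bruteforce_sources(evs))
    print("logins outside allowed ranges:", find_logins_outside(evs, ["198.51.100.0/24"]))
```

The sliding-window approach keys on the source address rather than the user name, so a spray of failures across many accounts from one address is still caught. Feed the real export through `parse_log` on a schedule and forward the two result lists to your IDS or SIEM as alerts.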
It's possible to limit the availability of your TOPdesk environment to a certain IP range for additional security. To request an IP whitelist, please use the form on our customer portal.
Encryption of stored data protects against data theft by someone with direct access to the discs on which the data is stored. TOPdesk has covered this risk in several ways.
The following steps have been taken to prevent theft of data:
A risk related to theft of stored data is interception of data in transit, before it is stored. This risk is covered by only allowing encrypted connections (HTTPS) to TOPdesk SaaS environments. HSTS preloading ensures all common browsers automatically start connections over HTTPS.
Regular checks determine whether there are known errors in used communication protocols, after which unsafe protocols are disabled as soon as possible. These measures resulted in an A+ score for the TOPdesk SaaS SSL certificate on Qualys SSL Labs, an independent party that assesses the strength of secure connections.
Data saved in your TOPdesk environment remains your property. We offer a default and easy way to retrieve your data from our software, when you terminate your contract with us for example. You can, at any time, download your database and attachments via your TOPdesk environment.
After terminating your contract, we keep your data for 30 days and remove it automatically after this period. To ensure that your data is completely deleted, we have an automatic system with a built-in control mechanism for the deletion. We also have a monitoring system that actively scans folders, databases and live environments for data that should have been removed.
If you have not already downloaded your data, you can contact TOPdesk Support to request a copy. Up to 30 days after terminating your contract, one of your SaaS main contacts can request your data through our Self-Service Portal. Upon this request, we’ll send you the data as soon as possible through a secure connection. All data comes in a regular file format.
If you have any questions about our SaaS hosting, don’t hesitate to contact TOPdesk Support for more information.
We appreciate customers and security researchers reporting vulnerabilities in our software and infrastructure to us.
If you plan to execute a test on our product or SaaS infrastructure, please contact your account manager or our Support department and ask for the collaboration agreement that we have in place for this purpose. It provides guidelines on how to responsibly test our services and work together with us, which for instance prevents our security team from interfering with your tests when detected by our monitoring.
Read more about how to report findings on our responsible disclosure page.
All security incidents are treated with high priority. Our Support team is trained in recognizing security incidents and will immediately escalate these requests to a security expert. You can find more information about incident response procedures on our Tech blog.
We aim to provide customers with an indication on the severity and possible mitigating steps within 1 working day. For the fastest response, please call our Support team to report a possible security issue.
If a modification in the product is necessary to remedy a vulnerability, we start working on that immediately and aim to incorporate it in the next release of our product.