Security
Your data belongs to your organization
Deska is built with strict tenant isolation from the ground up. Your employees, bookings, floor plans, and settings are never accessible to other organizations.
How Deska protects your data
Tenant isolation by design
Every organization on Deska gets its own isolated workspace. Data is partitioned at the database level — your data is never co-mingled with another tenant's data.
Row-level security (RLS)
Deska uses Supabase Row-Level Security policies enforced at the database level. Even if application code had a bug, the database would reject cross-tenant queries.
JWT-based authentication
Every API request is authenticated via a signed JWT. The organization identity is derived from the token — clients cannot supply or spoof a different organization ID.
HTTPS-only
All data in transit is encrypted via TLS. The Deska web app and API are served exclusively over HTTPS.
No third-party tracking
Deska does not embed third-party analytics, advertising, or tracking scripts on your workspace. Your usage data stays in your workspace.
Access control by role
Within your organization, access is controlled by role. Admins can see occupancy data and manage settings. Regular employees can only see their own bookings and public desk availability.
Infrastructure
Deska runs on Supabase (PostgreSQL) for data storage and Vercel for web and API hosting. Both providers maintain SOC 2 compliance and run on major cloud infrastructure.
Authentication is handled via Supabase Auth, which supports Google OAuth and email-based invite flows. Passwords are never stored in plain text.
Service-role access (which bypasses row-level security) is restricted exclusively to internal admin paths — provisioning new workspaces and super-admin operations. It is never used in the tenant-facing request path.
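The row-level security and JWT-derived tenant identity described above can be sketched as Supabase policies. This is an added example, not Deska's own schema or policies: the bookings table, its columns, the current_org_id() helper and the org_id claim under app_metadata are assumptions, while auth.jwt(), auth.uid() and the authenticated role are Supabase's.

```sql
-- Hypothetical table; names are assumptions for illustration.
create table public.bookings (
  id        uuid primary key default gen_random_uuid(),
  org_id    uuid not null,
  user_id   uuid not null,
  desk_id   uuid not null,
  starts_at timestamptz not null,
  ends_at   timestamptz not null
);

-- Default deny: once RLS is on, a role without BYPASSRLS sees only rows
-- that some policy admits. FORCE applies the policies to the table owner too.
alter table public.bookings enable row level security;
alter table public.bookings force row level security;

-- Tenant comes from the verified JWT, never from a request parameter.
-- Assumes the org_id claim lives in app_metadata (server-set); user_metadata
-- is user-editable and must not carry authorization data.
-- A missing claim yields NULL, so every comparison below fails closed.
create function public.current_org_id() returns uuid
language sql stable
as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'org_id', '')::uuid
$$;

-- Read: own bookings inside the caller's organization only.
create policy bookings_select on public.bookings
  for select to authenticated
  using (org_id = public.current_org_id() and user_id = auth.uid());

-- Write: WITH CHECK rejects a row whose org_id was set to another tenant.
create policy bookings_insert on public.bookings
  for insert to authenticated
  with check (org_id = public.current_org_id() and user_id = auth.uid());

-- Audit: any table listed here is exposed without RLS.
select schemaname, tablename
from pg_tables
where schemaname = 'public' and not rowsecurity;
```

The service_role carries BYPASSRLS, so none of these policies constrain it; keeping it out of the tenant-facing request path is what makes the policies the effective boundary.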
Questions about security?
If you have specific security requirements, need to complete a vendor security questionnaire, or want to discuss data residency, email us at hello@deska.me.
