Our commitment
We earn trust by protecting client data, operating with practical security controls, and communicating clearly. This page summarizes our practices at a level that is informative without exposing sensitive implementation details.
SOC 2 status: Tecnico Desk is not presenting itself as SOC 2 audited and does not provide a SOC 2 report. SOC 2 reports are independent examinations of controls and are issued for a defined period.
We focus on implementing and operating security practices that commonly map to vendor audit expectations, including areas often associated with the SOC 2 Trust Services Criteria.
Audit and compliance support
Many customers need to answer security questionnaires, renew cyber insurance, or support vendor reviews. We can help by organizing evidence, providing reporting exports where available, and documenting how controls are operated.
Framework-aligned reporting support
Depending on your environment, licensing, and service scope, we can help package reporting aligned to common frameworks such as:
- SOC 2 (Trust Services Criteria) alignment support
- ISO 27001 program alignment support
- HIPAA security support reporting
- GDPR security and privacy support reporting
Note: This is reporting support and evidence packaging. It is not a certification, an audit opinion, or legal advice.
Examples of evidence we can help summarize
- MFA and identity posture (user and admin)
- Risky sign-in signals and access protections
- Email security posture including quarantine activity
- Endpoint posture such as encryption, firewall, and update hygiene
- Security awareness training completion where included in scope
- Alert history, response actions, and monthly risk summaries
Output varies by tenant configuration. We review needs before onboarding so expectations are clear.
How we protect data
- Identity and access: MFA for administrative access, least-privilege roles, and access reviews.
- Remote support safety: Technician actions are logged. Session recording is off by default and enabled only when a client approves it.
- Endpoint and email security: Layered defenses for endpoints and cloud identities, with monitoring and alerting.
- Network edge protection: Web application firewall and DDoS protections for public-facing services where applicable.
- Monitoring and response: Centralized monitoring and alerting with incident response and change control practices.
- Backups and recovery: Backup strategies and retention are defined per client. Restore testing is performed based on needs and service scope.
What this means for compliance-focused customers
If you are pursuing an audit or certification, we can support your control objectives by implementing and operating practical controls, documenting procedures, and helping you collect evidence commonly requested by auditors and customers.
Detailed evidence and client-specific configurations are shared directly with customers as appropriate.
Our technology partners (names only)
We publish vendor names only. We do not publish admin URLs, tenant IDs, IP addresses, or configuration details. A complete sub-processor list can be provided to customers under NDA or DPA upon request.
- Network edge security and DNS: Cloudflare (CDN, WAF, DDoS)
- Identity and access: Microsoft Entra ID (SSO, MFA, Conditional Access)
- Endpoint protection: Microsoft Defender (EDR/AV, threat detection)
- Productivity and collaboration: Microsoft 365
- Device management: Microsoft Intune (UEM/MDM)
- AI assistance: Microsoft Copilot for Microsoft 365
- Cloud infrastructure (internal systems): Microsoft Azure; Amazon Web Services (AWS)
- CRM and forms (website/marketing): HubSpot; Formspree
- Project management: Monday.com
Where required by contract, we notify customers in advance of material sub-processor changes. Contact us if you would like notifications.
Data residency
- Where controls are available, we configure U.S. region processing for internal tenants.
- Some services (for example CDN and DDoS protection) may operate globally at the network edge for resilience and performance.
Customer data residency is driven by the client tenant and service scope. We document residency-related choices during onboarding.
How we use AI safely
- We may use AI to assist internal workflows such as ticket triage, drafting documentation, and summarization.
- AI is not used to make autonomous changes inside client environments.
- No credentials, secrets, or unredacted regulated data are entered into conversational interfaces.
- All AI outputs receive human review before client delivery.
See our AI Usage Policy for details.
Your privacy rights
Colorado residents have the right to access, correct, delete, and obtain a copy of personal data we control, and to opt out of targeted advertising, the sale of personal data, and certain profiling. We honor recognized universal opt-out signals where applicable.
Read our Privacy Policy for how to submit a request and appeal decisions.
If we use cookies or similar technologies that require notice or opt-out, details will be described in the Privacy Policy and related notices.
Remote services transparency
- Remote sessions begin only with user authorization or user notice, based on the support method in use.
- Technician actions are logged. Log retention varies by tool and client requirements.
- Clients can set policies for recording, clipboard and file transfer, and after-hours access where supported.
Responsible disclosure
If you believe you found a security issue, email security@tecnicodesk.com with details.
For privacy requests, contact privacy@tecnicodesk.com.
Last updated: 2026-01-03. This page is provided for transparency and is not a contractual commitment on its own. Contractual terms appear in our MSA/SOW and, where applicable, DPA/BAA.