Security & Trust

We treat your CRM data like it's ours.

TLS 1.3 in transit. AES-256 at rest. EU data residency. GDPR-compliant. Incident response in 24 hours. Vulnerability disclosure at /.well-known/security.txt.

Encryption

All traffic to and from Tonic Desk is encrypted with TLS 1.3 (TLS 1.2 minimum, weak ciphers disabled).

  • At rest: AES-256 on application data, databases, and object storage.
  • Backups: encrypted with separate KMS-backed keys.
  • Key rotation: every 90 days, automated via AWS KMS.
  • Secrets: stored in AWS Secrets Manager, never in source control.

Data residency

Your CRM data lives in EU-West-1 (Ireland) by default — GDPR-compliant by design, no transatlantic transfer.

  • US-East-1 (N. Virginia) available on the Business plan for US-domiciled customers.
  • Data does not cross regions without explicit customer action (e.g. export).
  • Sub-processor list below details where ancillary services are hosted.

Compliance

  • SOC 2 Type I — audit in progress, target completion Q4 2026.
  • GDPR — compliant. Article 28 DPA available on request.
  • UK DPA — registered with the ICO.
  • ISO 27001 — on the roadmap for H1 2027.

If you need our security questionnaire or a SIG Lite response, email security@tonicdesk.com.

Sub-processors

We use a small, deliberate set of sub-processors. A DPA is available for each.

  • AWS — primary hosting (compute, storage, databases). EU-West-1, US-East-1.
  • Stripe — payment processing for subscriptions and customer payment links.
  • Postmark — transactional email (login codes, signature requests, notifications).
  • Cloudflare — CDN, DNS, and DDoS protection in front of the marketing site.
  • Sentry — error monitoring (PII scrubbed before transmission).

DPAs available on request. We give 30 days' notice before adding a new sub-processor.

Access control

  • 2FA — TOTP-based two-factor authentication on every plan, including Free.
  • SSO / SAML — Okta, Azure AD, Google Workspace on Business.
  • RBAC — 5 default roles plus 5 custom roles on Business.
  • Audit log — 90 days on Professional, 365 days on Business, exportable as CSV.
  • IP allowlisting — restrict workspace access by IP range on Business.

Incident response

  • Confirmed breach notification: within 24 hours of confirmation, to all affected customers.
  • Written post-mortem: within 7 days for any P1 incident, including root cause and remediation.
  • Status page: status.tonicdesk.com — live uptime, current incidents, scheduled maintenance.
  • On-call engineer 24/7 for P1 incidents (defined as: data loss, unauthorised access, or full outage).

Vulnerability disclosure

We welcome reports from security researchers. Email security@tonicdesk.com.

  • Acknowledgement: within 24 hours.
  • Safe harbour: we will not pursue legal action against researchers acting in good faith.
  • Out of scope: social engineering, physical attacks, denial-of-service, third-party services.
  • Policy: /.well-known/security.txt (RFC 9116).

Backups & recovery

  • Continuous backups of all production databases.
  • Point-in-time restore to any moment in the last 30 days.
  • RPO (data loss tolerance): 5 minutes.
  • RTO (recovery time target): 1 hour.
  • DR test: quarterly, with full restore into an isolated environment.

Privacy & GDPR

  • DPA — Article 28 Data Processing Agreement available on request.
  • DSRs — Data Subject Requests (export, correction, deletion) fulfilled within 30 days.
  • Self-service export — workspace owners can export contacts, companies, deals, and notes as CSV at any time.
  • No sale of data. Ever.
  • No training of AI models on your CRM data, by us or any sub-processor.
