Security

A short list of things we take seriously.

We are a small team running a system that other teams depend on. The list below is the one we rehearse when a security questionnaire arrives. It is not exhaustive, and it is not marketing.

Identity

Keycloak SSO, end-to-end

Sign-in is brokered by a hardened Keycloak instance that supports SAML, OIDC, social logins, and per-realm theming. Reqdesk never sees your password — only the bearer token your browser presents to the API.

Transit

TLS on every public surface

Caddy terminates TLS in front of every public hostname (reqdesk.support, app, api, cdn, auth). HSTS is preloaded, and the CSP is locked to first-party origins plus Cloudflare Turnstile and Google Fonts.

Authorisation

RBAC + per-workspace isolation

Every API call carries a workspace context and a role (owner / agent / member / customer). Cross-workspace access is impossible by construction — the query layer cannot return rows from a workspace you are not a member of.
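As an added illustration of what "scoped by construction" means at the query layer (example code written for this page, not Reqdesk's own), assuming a hypothetical `TicketRepo` over SQLite in which the workspace id comes only from the verified token's `WorkspaceContext` and never from a request parameter:

```python
import sqlite3
from dataclasses import dataclass

@dataclass(frozen=True)
class WorkspaceContext:
    """Built from the verified bearer token, never from request parameters."""
    workspace_id: str
    actor_id: str
    role: str  # owner / agent / member / customer, as named on the page

def require_role(ctx, *allowed):
    if ctx.role not in allowed:
        raise PermissionError(f"role {ctx.role!r} may not perform this action")

class TicketRepo:
    """Hypothetical query layer. Every statement is bound to ctx.workspace_id and
    no method accepts a workspace id as a free argument, so callers cannot omit it."""
    def __init__(self, conn):
        self.conn = conn

    def list_ticket_ids(self, ctx):
        rows = self.conn.execute(
            "SELECT id FROM tickets WHERE workspace_id = ? ORDER BY id",
            (ctx.workspace_id,)).fetchall()
        return [r[0] for r in rows]

    def get_ticket(self, ctx, ticket_id):
        # A ticket id from another workspace is indistinguishable from a missing one.
        row = self.conn.execute(
            "SELECT id, title FROM tickets WHERE id = ? AND workspace_id = ?",
            (ticket_id, ctx.workspace_id)).fetchone()
        return None if row is None else {"id": row[0], "title": row[1]}

    def rename_ticket(self, ctx, ticket_id, title):
        require_role(ctx, "owner", "agent")
        # Writes carry the same predicate, so a foreign ticket id updates 0 rows.
        cur = self.conn.execute(
            "UPDATE tickets SET title = ? WHERE id = ? AND workspace_id = ?",
            (title, ticket_id, ctx.workspace_id))
        return cur.rowcount

def demo_repo():
    """Constructed sample data: two workspaces sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, workspace_id TEXT NOT NULL, title TEXT)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)", [
        (1, "ws-acme", "Login fails"), (2, "ws-acme", "Invoice missing"),
        (3, "ws-globex", "Export broken")])
    return TicketRepo(conn)
```

The point to check in review is that no code path can reach the table without a `WorkspaceContext`, and that the role gate raises rather than quietly returning a narrower result.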

At rest

Encrypted, single-region

Application data — tickets, replies, attachments, audit log — is encrypted at rest in a single hosting region. Backups are encrypted and stay in the same region. Operational telemetry is stripped of message bodies.

Auditability

An audit log on every change

Tickets, replies, member changes, project settings, automations, webhooks — every change is a row in an append-only audit log keyed by actor, target, and outcome. Workspace owners can export their own audit log at any time.

Payments

No card data on our side

Subscription billing is brokered by Moyasar (PCI-DSS Level 1). Reqdesk only stores a tokenised customer reference. No card numbers, expiry dates, or CVVs ever touch our database.

Need a security questionnaire answered, a counter-signed DPA, or a control verified in writing? Email security@reqdesk.support or talk to sales. We answer in plain language, not boilerplate.