Deskte is a U.S. CRM operated by DALCERSERVICES LLC, a Florida-registered Limited Liability Company. Below is a current snapshot of how we secure your data, where it lives, and what compliance commitments we sign. Updated 2026-05-11.
Every PHI field (SSN, spouse SSN, per-dependent SSN, payment card numbers, bank account numbers) is encrypted at the application layer with AES-256-GCM before reaching Postgres. The encryption key is stored in Azure Key Vault and never exposed to the application logs.
The marketing site, CRM app, and API endpoints all enforce HTTPS with HSTS and modern cipher suites. HTTP requests are redirected to HTTPS at the edge.
Every API request resolves to a single agency and a role (Agency Owner / Agent / Solo Agent / Seat). HIPAA Minimum Necessary is enforced via per-seat permissions configurable by the supervising agent. Agents only see their own clients unless their role explicitly grants more.
Sign-in is delegated to Microsoft Entra External ID, so customers benefit from Microsoft's MFA, conditional access, and risk-based detections. Revealing PHI (e.g. an SSN) requires an additional 6-digit PIN gate, separate from the login password. Single-active-session enforcement evicts older devices within 10 seconds.
Every PHI access (view, decrypt, reveal, export) plus every administrative action (login, role change, suspension) writes a row to ActivityLog. The table is enforced append-only at the database level — UPDATE is rejected. Records are retained for at least 6 years per HIPAA §164.530(j)(2).
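An added example (not Deskte's schema or code) of how an append-only audit table can be enforced inside PostgreSQL itself rather than only in application code; the table name activity_log, the role app_rw and the column set are assumptions:

```sql
-- Constructed example: an append-only audit table enforced at the database level.
CREATE TABLE activity_log (
    id          bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    agency_id   bigint      NOT NULL,
    actor_id    bigint      NOT NULL,
    action      text        NOT NULL,   -- e.g. 'phi.reveal', 'email.phi_override'
    subject     text,                   -- what was touched, e.g. 'client:1001'
    details     jsonb
);

-- Layer 1, privileges: the application role can only read and append.
REVOKE ALL ON activity_log FROM PUBLIC;
GRANT SELECT, INSERT ON activity_log TO app_rw;
GRANT USAGE ON SEQUENCE activity_log_id_seq TO app_rw;

-- Layer 2, triggers: reject rewrites even if a grant is later misconfigured.
-- (A superuser can still DROP the trigger, so DDL on this table should
--  itself be covered by Azure's database audit logging.)
CREATE OR REPLACE FUNCTION activity_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'activity_log is append-only: % rejected', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER activity_log_no_rewrite
    BEFORE UPDATE OR DELETE ON activity_log
    FOR EACH ROW EXECUTE FUNCTION activity_log_immutable();

CREATE TRIGGER activity_log_no_truncate
    BEFORE TRUNCATE ON activity_log
    FOR EACH STATEMENT EXECUTE FUNCTION activity_log_immutable();

-- Verification, run as app_rw: the INSERT succeeds, the UPDATE fails.
INSERT INTO activity_log (agency_id, actor_id, action, subject)
VALUES (1, 42, 'phi.reveal', 'client:1001');

UPDATE activity_log SET action = 'noop' WHERE id = 1;
-- ERROR:  activity_log is append-only: UPDATE rejected
```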
Every outbound email (single message or mass campaign) is scanned for SSN / DOB / medical-label patterns. Detected PHI triggers a confirmation modal; sends that override the warning are audit-logged as email.phi_override per HIPAA §164.312(b).
Auth, lead-capture forms, client portal, signature portal, quote/invoice landing, document upload portal, and tracking pixels all have per-IP rate limits. Write actions on token-protected pages get a tighter cap (10/min) than reads (60/min) to deter brute-force token guessing.
Strict-Transport-Security (1 year + subdomains), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, Cross-Origin Resource Policy: cross-origin (CRM ↔ API).
| Component | Provider | Region | Compliance |
|---|---|---|---|
| API server | Azure Container Apps | East US 2 | HIPAA-eligible |
| Database | Azure Database for PostgreSQL Flexible Server | East US 2 | HIPAA-eligible |
| Object storage | Azure Blob Storage | East US 2 | HIPAA-eligible |
| Secrets / Keys | Azure Key Vault | East US 2 | HIPAA-eligible |
| Identity provider | Microsoft Entra External ID | Global | HIPAA-eligible |
| Transactional email | Azure Communication Services | U.S. | HIPAA-eligible |
| Payments | Stripe | U.S. | PCI-DSS Level 1 |
| Marketing / CRM web | Azure Static Web Apps | East US 2 | Static assets |
All Azure resources run inside our Florida-owned subscription with audit logging enabled. We do not transfer PHI outside the United States.
We sign a Business Associate Agreement with every customer that processes Protected Health Information through Deskte. The standard form is published at /legal/baa/.
We provide a standard Data Processing Agreement for customers in scope of GDPR, published at /legal/dpa/; Standard Contractual Clauses are included.
A documented operational policy describes how we enforce the CAN-SPAM Act, TCPA, and Florida Mini-TCPA on outbound communications. It is available in our legal pack.
Readiness work begins after the Enterprise tier launches. The targeted observation window begins Q4 2026, with the Type II report expected mid-2027.
An external penetration test is scheduled before the Enterprise tier opens publicly. Test results are shared under NDA on request.
DMCA notice + counter-notice process documented at /legal/dmca/. Designated agent: compliance@deskte.com.
Customers may report a suspected incident to security@deskte.com (with cc compliance@deskte.com) — we monitor that inbox and follow the same triage SLA.
If you find a vulnerability, please report it to security@deskte.com. We do not currently run a paid bug-bounty program but we acknowledge serious reports publicly on this page (with the reporter's permission) and respond on the following timeline:
Please do not exfiltrate customer data, run intrusive scans against production, or test denial-of-service. Stick to your own test agency. We do not pursue legal action against good-faith research.