Security you can trust
Disqua is built with security at every layer — from EU data residency and TLS 1.3 encryption to enterprise SSO and end-to-end audit logs.
EU Hosted
All data stored in EU data centres
GDPR-aligned
EU-hosted; DPA available for all plans
TLS 1.3
All connections encrypted in transit
99.9% SLA
Uptime guarantee for Business plans
Authentication & Access
Enterprise-grade identity and access management
From TOTP two-factor authentication to SAML SSO with major identity providers, Disqua gives your IT team the controls they need.
TOTP Two-Factor Authentication
Works with Google Authenticator, Authy, and any TOTP app. Backup codes for account recovery.
SAML SSO — Business & Enterprise
Okta, Azure Active Directory, Google Workspace, OneLogin, and any SAML 2.0 identity provider.
OAuth SSO
Login with Google or GitHub on all plans. Restrict workspace to a specific email domain.
IP Allowlist — Business & Enterprise
Restrict workspace access to specific IP addresses or CIDR ranges. Block access from outside your corporate network.
Session Management
View all active sessions with device, browser, and location. Revoke any session instantly. JWT access tokens expire in 15 minutes.
Security Standards
GDPR
EU Regulation 2016/679
TLS 1.3
Encryption in transit
AES-256
Encryption at rest
bcrypt
12 rounds, passwords
OWASP
Top 10 protection
HSTS
max-age 63072000
CSP
Content Security Policy
2FA
TOTP + backup codes
Data Protection
Your data, protected by design
We don't sell your data. We don't mine it. We make it easy to export or delete at any time.
Encryption at rest
All data stored on our servers is encrypted using AES-256. Database backups are encrypted before transfer.
EU data residency
All data is stored and processed within the European Union. We never transfer your data outside the EU without your explicit consent.
GDPR data export
Export all your workspace data at any time in JSON format. Right to erasure — delete your account and all associated data permanently.
Data Processing Agreement
A GDPR-compliant DPA is available to all customers (including Free). Covers sub-processors, data breach notifications, and audit rights.
Breach notification
We notify affected customers within 72 hours of discovering a data breach, in line with GDPR Article 33 requirements.
Audit log — Business+
Full audit trail of who did what, when, and from where. Filter by user, action, date range. Exportable for compliance reporting.
Infrastructure
Hardened from the ground up
Our infrastructure is designed with defence in depth — multiple layers of security from network edge to application code.
Apache2 + mod_security
Web Application Firewall at the reverse proxy layer. OWASP Core Rule Set enabled. Rate limiting per IP and per token.
Fail2ban + ufw firewall
Brute force protection on all auth endpoints. Automatic IP banning after repeated failed attempts. Strict inbound firewall rules.
Redis sliding window rate limits
Per-user and per-endpoint rate limiting. WebSocket rate limiting per connection. Protects against abuse and credential stuffing.
Continuous security testing
Automated vulnerability and dependency scanning across the entire stack, with OWASP Top 10 hardening. Independent third-party security reviews are available to Enterprise customers on request under NDA.
Responsible Disclosure
Found a vulnerability? Tell us.
We take security reports seriously. If you've discovered a potential security issue in Disqua, we want to hear from you.
Email us
security@disqua.com
Response time
We acknowledge all reports within 48 hours and provide a resolution timeline.
PGP key
Available on request for encrypted communication. Fingerprint shared on first contact.
Hall of fame
Researchers who responsibly disclose valid vulnerabilities are credited publicly (with permission).
Please note: Do not test against production customer data. Use your own test account. We do not authorise any testing that could impact other users.
EU & GDPR
Built for European teams
Disqua is operated from the EU, with GDPR-aligned processing and the paperwork European companies actually need.
EU hosting
Production infrastructure runs in EU data centers. Your messages, files and helpdesk tickets are stored and processed in the European Union.
GDPR-aligned, DPA available
Data processing follows GDPR principles, and a Data Processing Agreement is available for your compliance records.
Read the DPA →
Processing transparency
Our privacy policy and DPA describe what data we process, why, and which sub-processors are involved — no guesswork for your DPO.
Ticket translation via DeepL
Helpdesk tickets can be translated per message or per thread via DeepL, so agents can support customers across European languages without leaving the ticket.
Invoices with EU VAT support
Billing supports EU VAT IDs and issues invoices with a proper VAT breakdown, so your finance team gets documents they can actually file.
Have security questions?
Our security team is happy to answer questions from enterprise prospects, complete compliance questionnaires, and provide documentation.