DeskBoot
SECURITY

Built on AWS, hardened by default.

We treat security as a feature, not a checkbox. This page walks through how we isolate sessions, store secrets, and audit access. If you're evaluating us for sensitive workloads, get in touch — we're happy to answer specifics.

Account security

  • Google OAuth only. We never store passwords for your DeskBoot account. Your Google account's 2FA and breach-detection are inherited automatically.
  • Phone verification. Required for free-credit redemption and as a recovery channel. SMS via AWS SNS.
  • Audit trail. Every signup, login, payment, session lifecycle event, password view, and admin action is logged.
  • Sessions auto-expire on Google session expiry. Sign out kills your dashboard session immediately.

Session isolation

  • Unique keypair per session. AWS generates it; we store the private key encrypted with KMS. Never shared across sessions or users. Deleted from AWS when the session terminates.
  • Unique security group per session. Open ports default to RDP (3389) and SSH (22 for Linux). No inter-session traffic — your session can't see other customers' sessions even within the same VPC.
  • Unique admin password. Windows: AWS generates an initial password, we discard it and rotate to a fresh 28-character random password via SSM Run Command before the user sees anything. Linux: we generate a passphrase per session.
  • Encrypted EBS volumes. All session disks are encrypted at rest by AWS with account-managed keys.
  • IMDSv2 only. Instance metadata service requires a session token — protects against SSRF-style metadata exfiltration.
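To make the IMDSv2 point concrete, here is an added example (not DeskBoot's code) that emulates the metadata endpoint with a local test server and runs both access patterns against it: the single token-less GET that an SSRF bug in a web app can typically trigger, and the two-step PUT-then-GET exchange that IMDSv2 requires. The header names are the ones the real service uses; the server, token value and instance id are constructed for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Header names used by the real EC2 Instance Metadata Service (IMDSv2).
const (
	tokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
	tokenHeader    = "X-aws-ec2-metadata-token"
)

// newFakeIMDS stands in for the 169.254.169.254 endpoint (constructed for this
// example). It mirrors the IMDSv2 contract: a PUT to /latest/api/token mints a
// session token, and every metadata GET must present that token.
func newFakeIMDS(token string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/latest/api/token", func(w http.ResponseWriter, r *http.Request) {
		// A token is only issued on PUT carrying the TTL header. A plain GET,
		// which is all most SSRF primitives can issue, gets nothing.
		if r.Method != http.MethodPut || r.Header.Get(tokenTTLHeader) == "" {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		fmt.Fprint(w, token)
	})
	mux.HandleFunc("/latest/meta-data/", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(tokenHeader) != token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "i-0123456789abcdef0") // constructed instance id
	})
	return httptest.NewServer(mux)
}

// fetchMetadataV1 is the legacy IMDSv1 pattern: one GET, no token.
// Against an IMDSv2-only instance it is refused with 401.
func fetchMetadataV1(base string) (int, error) {
	resp, err := http.Get(base + "/latest/meta-data/instance-id")
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// fetchMetadataV2 performs the IMDSv2 exchange: PUT for a session token,
// then GET with the token attached. Returns status and body of the GET.
func fetchMetadataV2(base string) (int, string, error) {
	req, err := http.NewRequest(http.MethodPut, base+"/latest/api/token", nil)
	if err != nil {
		return 0, "", err
	}
	req.Header.Set(tokenTTLHeader, "21600") // 6 hours, the documented maximum
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	tok, err := io.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil || resp.StatusCode != http.StatusOK {
		return resp.StatusCode, "", fmt.Errorf("token request failed: %d", resp.StatusCode)
	}

	req2, err := http.NewRequest(http.MethodGet, base+"/latest/meta-data/instance-id", nil)
	if err != nil {
		return 0, "", err
	}
	req2.Header.Set(tokenHeader, string(tok))
	resp2, err := http.DefaultClient.Do(req2)
	if err != nil {
		return 0, "", err
	}
	defer resp2.Body.Close()
	body, err := io.ReadAll(resp2.Body)
	if err != nil {
		return 0, "", err
	}
	return resp2.StatusCode, string(body), nil
}

func main() {
	srv := newFakeIMDS("constructed-session-token")
	defer srv.Close()
	v1, _ := fetchMetadataV1(srv.URL)
	v2, body, _ := fetchMetadataV2(srv.URL)
	fmt.Printf("v1 GET without token: %d\nv2 PUT+GET: %d %s\n", v1, v2, body)
}
```

On a real instance the equivalent enforcement is the `--http-tokens required` setting of `aws ec2 modify-instance-metadata-options`; the test server above simply encodes that behaviour so the difference between the two access patterns can be seen offline.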

Secrets at rest

Sensitive material we have to keep is encrypted with an AWS KMS key dedicated to DeskBoot:

  • SSH private keys (PEM-encoded RSA 2048)
  • Windows admin passwords (after our rotation)
  • Paystack authorization codes for saved cards

Postgres itself is encrypted at rest (AWS RDS storage encryption). Backups are encrypted. Database access is restricted to the application's VPC.
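The envelope-encryption pattern behind "encrypted with a KMS key" is worth seeing end to end. The following is an added example, not DeskBoot's implementation: each secret (an SSH private key, a rotated admin password, a Paystack authorization code) is encrypted under its own fresh data key with AES-256-GCM, and only that data key is wrapped by the key-encryption key. To run offline, a local AES-GCM key stands in for the KMS Encrypt/Decrypt calls; in production that wrapper would be the KMS client, and the session id bound here as associated data would be passed as the KMS EncryptionContext. The session ids and secret values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyWrapper stands in for KMS. It holds a key-encryption key (KEK) that never
// leaves this object, exactly as the KMS key never leaves KMS. The KEK here is
// a random local AES-256 key, constructed so the example runs offline.
type KeyWrapper struct{ kek []byte }

func NewKeyWrapper() (*KeyWrapper, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyWrapper{kek: kek}, nil
}

// sealGCM encrypts plaintext under key with a random nonce, binding aad.
// The nonce is prepended so the stored record is self-describing.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to ciphertext, nonce or aad fails.
func openGCM(key, record, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptedSecret is what would be written to the database row: the wrapped
// data key plus the ciphertext. Neither field is useful without the KEK.
type EncryptedSecret struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// Seal encrypts one secret under a fresh per-record data key (DEK) and wraps
// the DEK with the KEK. The session id is bound as associated data on both
// layers, so a record copied from one session's row into another's will not
// decrypt: the secret stays tied to the session it was generated for.
func (w *KeyWrapper) Seal(sessionID string, secret []byte) (EncryptedSecret, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedSecret{}, err
	}
	ct, err := sealGCM(dek, secret, []byte(sessionID))
	if err != nil {
		return EncryptedSecret{}, err
	}
	wrapped, err := sealGCM(w.kek, dek, []byte(sessionID)) // KMS Encrypt in production
	if err != nil {
		return EncryptedSecret{}, err
	}
	return EncryptedSecret{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Open unwraps the DEK (KMS Decrypt in production) and decrypts the secret.
func (w *KeyWrapper) Open(sessionID string, rec EncryptedSecret) ([]byte, error) {
	dek, err := openGCM(w.kek, rec.WrappedDEK, []byte(sessionID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dek, rec.Ciphertext, []byte(sessionID))
}

func main() {
	w, _ := NewKeyWrapper()
	rec, _ := w.Seal("sess-constructed-1", []byte("28-char-rotated-admin-password"))
	pt, err := w.Open("sess-constructed-1", rec)
	fmt.Printf("same session: %q err=%v\n", pt, err)
	_, err = w.Open("sess-constructed-2", rec)
	fmt.Printf("other session: err=%v\n", err)
}
```

The per-record data key is what lets a KMS key be rotated or revoked without re-encrypting every row directly: re-wrapping the small DEKs is enough, and the ciphertexts themselves are untouched.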

Credential delivery

  • Passwords are view-once in the dashboard. The page records each reveal in your audit log.
  • We never email passwords or SSH keys. Notification emails ("your session is ready") only contain a link back to the dashboard.
  • SSH private keys are downloaded over HTTPS from the dashboard, gated by your authenticated session.

Payments

  • Paystack PCI DSS Level 1. Card details never touch our servers — we only see a reusable token (the "authorization code") which is itself KMS-encrypted at rest.
  • Webhook signing. Every Paystack event is HMAC-verified before we trust it.
  • Card-fingerprint dedup across users for fraud detection on the free credit.
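As an added illustration of the webhook-signing bullet (example code, not DeskBoot's): Paystack signs each webhook body with HMAC-SHA512 keyed by the account's secret key and sends the hex digest in the `x-paystack-signature` header. The receiver recomputes the MAC over the raw, unparsed body and compares in constant time; only then is the JSON decoded. The secret, event body and handler callback below are constructed; `signPayload` exists only so the example can produce a correctly signed sample event.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

const signatureHeader = "x-paystack-signature"

// signPayload computes the hex HMAC-SHA512 Paystack attaches to a webhook.
// A receiver never needs this; it is here to build a signed sample event.
func signPayload(secret, body []byte) string {
	mac := hmac.New(sha512.New, secret)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// verifySignature recomputes the MAC over the raw body and compares it with
// the header. hmac.Equal is constant-time, so response timing does not leak
// how many bytes of a forged signature were correct.
func verifySignature(secret, body []byte, header string) bool {
	expected, err := hex.DecodeString(header)
	if err != nil {
		return false
	}
	mac := hmac.New(sha512.New, secret)
	mac.Write(body)
	return hmac.Equal(mac.Sum(nil), expected)
}

// webhookHandler reads the body once, verifies before parsing, and only then
// hands the event name to the application callback (constructed signature).
func webhookHandler(secret []byte, handle func(event string)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// Cap the body so an unauthenticated sender cannot exhaust memory
		// before the signature check runs.
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if !verifySignature(secret, body, r.Header.Get(signatureHeader)) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		var evt struct {
			Event string `json:"event"`
		}
		if err := json.Unmarshal(body, &evt); err != nil {
			http.Error(w, "malformed event", http.StatusBadRequest)
			return
		}
		handle(evt.Event)
		w.WriteHeader(http.StatusOK)
	}
}

func main() {
	secret := []byte("sk_test_constructed")
	body := []byte(`{"event":"charge.success","data":{"reference":"ref_constructed"}}`)
	fmt.Println("valid:", verifySignature(secret, body, signPayload(secret, body)))
	fmt.Println("tampered:", verifySignature(secret, append(body, ' '), signPayload(secret, body)))
}
```

Two details matter in practice: the MAC must be computed over the exact bytes received (re-serialising parsed JSON can change whitespace or key order and break verification), and the handler should be idempotent on the event's reference, since a provider may redeliver the same signed event more than once.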

Network

  • Customer sessions live in a dedicated VPC (10.10.0.0/16) separate from the app + database VPC.
  • Default firewall rules open only RDP/SSH. Users can add more from the Network rules panel — they own those decisions.
  • 0.0.0.0/0 ingress is by design — we can't know your IP up front. Strong rotated credentials carry the load. Restrict to your own IP via a /32 CIDR if you prefer.

Compliance & certifications

We rely on AWS's own certifications (SOC 2, ISO 27001, PCI DSS) for the underlying infrastructure. We're early enough that we don't hold our own attestations yet, but our practices are designed to be auditable when we're ready. For regulated workloads, evaluate accordingly — and email us if you need a custom data-processing agreement.

Reporting a vulnerability

Found a security issue? Email security@deskboot.store with details and we'll respond within 24 hours. We don't run a paid bounty yet but we credit responsible disclosure publicly (with your permission).
