Product features

How to ensure compliance and security from your workspace provider

July 31, 2024

There are a number of reasons why cybersecurity and compliance are important when selecting a workspace provider: data protection, regulatory compliance, reputation management, risk mitigation, and business continuity, to name a few.

However, in the fast-moving world of cybersecurity and global compliance it can be difficult to navigate the differences in security between suppliers and understand what they mean for your business. To help, we review the leading security accreditations and share the key questions you should ask your on-demand workspace provider.

ISO: The gold standard in security and compliance 

When starting to review workspace platform suppliers, it is important to consider their certifications and accreditations. Enterprise providers should hold a range of compliance certifications relevant to the markets they serve. Because not all certifications are created equal, it is important to understand what each one covers and whether it adds value to your business's cybersecurity and global compliance performance.

However, one certification that consistently serves global markets and provides some of the highest levels of security is ISO 27001, from the International Organization for Standardization, which verifies that a company's internal systems meet international standards. A flex space supplier that holds this accreditation is operating to the highest standard.

Desana holds two ISO certifications: ISO 27001 for our Information Security Management System, and ISO 27701 for our Privacy Information Management System.

Security and a single market MSA 

Our single market MSA provides access to thousands of workspaces without having to individually review their security terms. All operators on the Desana network sign our industry-leading Terms & Conditions, and our certifications ensure your data is correctly managed and secure.

As part of the operator onboarding process, our team also screens operators against sanctions lists, politically exposed persons (PEPs), watch lists and adverse media using the world's leading data providers, including the Dow Jones and Refinitiv World-Check data sets.

Privacy by Design 

There are a number of ways that organizations can integrate security, such as data protection by default, a risk-based approach, or SecDevOps, whereby security practices are integrated into the design and development process.

When developing the on-demand network at Desana, the decision was made to take a Privacy by Design (PbD) approach. This means that privacy and data protection are integrated into the design of our systems from the start, rather than being considered after creation. The emphasis is on creating processes and developing platforms that are robust enough to prevent issues, rather than relying solely on recovery systems to deal with issues after they arise. In short, PbD focuses on being proactive rather than reactive.

Data protection by default is commonly paired with a PbD approach. Protection by default ensures that the highest level of data protection is applied automatically, without any manual intervention being required. Because on-demand workspace platforms integrate with HR information system (HRIS) platforms, they can pose a risk of personally identifiable information (PII) being shared unknowingly when data procedures are not robust. To reduce this risk, at Desana we ensure that only essential booking information is shared, and we leverage certified API integrations as part of our booking process. Data storage is limited to the information essential for bookings, held in pseudonymised form. When integrating a workspace provider with your systems, check that this is how they manage their bookings.

A final element of PbD is ensuring that there is full lifecycle protection for data. Many organizations focus on data management in terms of onboarding and bookings, but forget to review data management processes for deletion and the right to be forgotten. As part of your security review process, it is important to ask what happens to data when you are offboarded, or when employees leave the organization or request their data.

Security and compliance accreditations

As the market leader for accreditations, we list our certifications in full below to help you benchmark providers.

ISO 27001 and ISO 27701

ISO 27001 certification provides independent, third-party verification that Desana's Information Security Management System meets the highest standards of international best practice, as does ISO 27701 certification for our Privacy Information Management System. Both certifications are audited by BSI, the global gold standard in ISO accreditation.

Cyber Essentials

Cyber Essentials is a UK Government certification that ensures organizations have key controls and mechanisms in place to mitigate the risk from common cyber threats.

Cyber Essentials Plus

Cyber Essentials Plus is the highest level of certification offered under the Cyber Essentials scheme. It provides a rigorous test of an organization's cybersecurity controls, including vulnerability testing, to make sure the organization is protected against hacking and phishing attacks.

GDPR compliant

As a UK-based company working across the EU, we have undertaken multiple assessments and audits to ensure that all data processed and controlled by Desana is fully compliant with both the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act (UK GDPR).

CCPA compliant

Desana also complies with data protection and privacy laws in other jurisdictions, including the California Consumer Privacy Act (CCPA). Desana does not sell any of our users' personally identifiable data.

PCI DSS compliance

All of our payment processes are PCI DSS compliant, and all payments made to Desana go through our PCI DSS compliant payment partners.

Authentication and SSO 

Desana does not offer password-based authentication. Instead, we use OAuth sign-in through most SAML-based SSO-compatible providers, such as Okta, OneLogin and Google. All non-SSO authentication is via a magic link sent to your corporate email address, so you retain control of authentication even without using SSO.

Vulnerability Disclosure Policy (VDP)

Desana maintains a public Vulnerability Disclosure Policy (VDP) to encourage independent security researchers to responsibly disclose vulnerabilities. The program gives every independent security researcher an official route for reporting vulnerabilities.

Due diligence

By reviewing the accreditations, certifications and internal processes of a workspace provider you can successfully execute due diligence and select a trustworthy partner.

At Desana we hold the highest levels of security and compliance accreditations in the market and undergo regular independent audits and penetration testing, because we place enormous value on the trust our customers put in us to protect their business. We also vet the safety and security of every single workspace admitted to the platform, so you know your people are protected. Because we have done the heavy lifting, our customers do not have to embark on lengthy and costly due diligence procedures. Our dedicated Head of Security and Compliance ensures these standards are constantly maintained, making sure that every one of these systems is functioning effectively at all times.

On-demand workspace offers an innovative and efficient new way to deliver high-quality workspace, but it doesn't mean your business has to compromise on security and compliance.