How It Works

AirDesk Technology & Data Security

A plain-English guide to the technology behind AirDesk — what it is, how it works, and how we keep your data safe.

Data hosted in London, UK
Last updated: April 2026

  • Encrypted: All data scrambled & locked
  • Isolated: Each agency's data is separate
  • UK Hosted: Core data stored in London
  • 24/7: Automatic monitoring

The Big Picture

When you use AirDesk, your data passes through several layers of protection before it reaches our systems. Here's the journey, step by step:

  • Step 1: Your Browser (you log in)
  • Step 2: Cloudflare (security guard)
  • Step 3: Web Server (handles your request)
  • Step 4: Application (the AirDesk software)
  • Step 5: Database (your data, locked away)

Think of it like this
Imagine a high-security office building. Cloudflare is the front gate security — checking IDs and turning away troublemakers before they even reach the door. The web server is the reception desk — it directs you to the right place. The application is the staff who do the work. And the database is a locked filing cabinet in a restricted room that only authorised staff can access.

Where Your Data Lives

AirDesk is hosted on Amazon Web Services (AWS) — the same cloud platform used by the NHS, the BBC, and most major banks. We use their London data centre, so all your core data (databases, files, documents) is stored in the UK. Some optional AI features send data to US-based providers — see the AI Features section for full details.

What is "the cloud"?

Rather than buying and maintaining our own physical servers (expensive, and they can break), we rent computing power from Amazon. They maintain enormous, highly secure data centres with 24/7 physical security, fire suppression, backup power generators, and redundant internet connections. We get all of that security and reliability without having to build it ourselves.

AWS = Amazon Web Services. The world's largest cloud computing provider. Think of it as renting space in someone else's extremely well-guarded building rather than building your own.

The Server (Where AirDesk Runs)

AirDesk runs on a virtual server inside AWS. Some key things about it:

  • No passwords to get in — there are literally no login credentials for the server. Access is only possible through a special Amazon tool that logs every single action. Nobody can sneak in unnoticed.
  • Hard drive is encrypted — even if someone physically stole the hard drive from Amazon's data centre, the data on it would be unreadable scrambled nonsense without our encryption key.
  • The software runs in containers — think of these like sealed boxes. The application runs inside its own box, isolated from everything else. If something went wrong, it can't spread.
Encryption = scrambling data so it's unreadable without the right key. Like writing a letter in a secret code that only you and the recipient know.

The Database (Where Your Data is Stored)

Your candidate records, bookings, timesheets, and documents are stored in a managed database. Here's why that matters:

  • Completely hidden from the internet — the database sits in a private area of our network. There is no way to reach it from the outside world. Only our application can talk to it.
  • All connections are encrypted — even the internal connection between our application and the database is encrypted, so data can't be intercepted in transit.
  • Continuous backups with point-in-time recovery — the database is backed up continuously, not just once a day. We can restore your data to any specific minute within the last 30 days. If something went wrong at 10:47am, we can roll back to 10:46am. Beyond that, weekly backups are retained for one year.
  • Protected against accidental deletion — deletion protection is switched on. Even we can't accidentally delete the database without going through multiple safety checks first.
Think of it like this
The database is like a bank vault inside a building with no public entrance. The only way in is through a private corridor from our application — and even that corridor has security cameras and locked doors.

File Storage (Documents, CVs, etc.)

Uploaded files (like CVs, DBS certificates, and compliance documents) are stored in Amazon S3 — a file storage service designed to never lose data.

  • No files are publicly accessible — every possible type of public access is blocked
  • All files are encrypted — stored in scrambled form, unreadable without our keys
  • Version history — if a file is accidentally overwritten, we can retrieve the previous version
  • Access logging — every file access is recorded for audit purposes

Passwords and Secret Keys

Every system needs passwords and secret keys to operate — database passwords, encryption keys, API keys for email services, and so on. We never store these in our code or in files. Instead, they're kept in AWS Secrets Manager — a purpose-built digital vault.

  • Secrets are only loaded into memory when the application starts up — they're never written to disk on the server
  • Access to secrets is tightly controlled — only the application itself can read them, and every access is logged
  • If a key is compromised, it can be rotated (changed) without any downtime
Secrets Manager = a digital safe for passwords and keys. Rather than hiding the spare key under the doormat (storing passwords in files), we keep them in a proper safe that only the right person can open.

How We Protect Your Data

Security isn't a single feature — it's built into every layer of the system. Here are the key protections:

Your data is encrypted everywhere. Whether it's sitting in the database, stored in a file, or travelling between your browser and our servers — it's always scrambled and unreadable to anyone who doesn't have the right keys.

Firewall Protection

Our servers have strict rules about who can connect. Only traffic coming from Cloudflare (our security gateway) is allowed in. Everything else is silently dropped — attackers can't even see the server exists.

Attack Protection

Cloudflare sits in front of our servers and absorbs attacks before they reach us. It blocks things like denial-of-service attacks (where someone floods a website with fake traffic to take it offline) and common hacking techniques.

Encryption Keys

We use a master encryption key managed by Amazon that automatically rotates (changes) every year. This key encrypts the database, the server's hard drive, and sensitive secrets. It can never be exported or copied — and every time it's used, that usage is logged.

No Sneaky Access

There are no SSH keys (the traditional way of logging in to a server). The only way to access the server is through Amazon's Systems Manager, which records a complete log of who did what and when. Every action is auditable.

Application-Level Security

The application itself has built-in protections against common web attacks: form tampering, database injection (tricking the system into running malicious commands), and cross-site scripting (injecting harmful code into web pages).

Full Audit Trail

Network traffic, server activity, database queries, file operations, and user actions are all logged. If something unusual happens, there's a complete record to investigate. Logs are kept for at least 30 days.

Keeping Each Agency's Data Completely Separate

This is one of the most important things to understand about AirDesk. Every agency gets its own completely separate database. Your data doesn't just live in a different section of a shared system — it lives in an entirely different database with its own password.

  1. Your Agency: acme.airdesk.app. You visit your unique web address.
  2. AirDesk looks up: Which database is yours? Maps your address to your database.
  3. Your Private Database: Only your data. Separate password, separate storage.

Why This Matters

  • Complete separation — your data isn't mixed in with anyone else's. It's not even in the same database. There's no chance of another agency accidentally seeing your candidates or bookings.
  • Different passwords — each agency's database has its own unique login credentials, encrypted and stored securely. Even if one set of credentials were somehow compromised, no other agency would be affected.
  • API tokens are agency-locked — if you use the AirDesk API (for integrations with other systems), your security token is cryptographically tied to your agency. A token from one agency simply won't work on another — the system rejects it instantly.
Think of it like this
Many software platforms are like a shared office where everyone uses the same filing system and trusts partitions to keep things separate. AirDesk is more like giving each agency their own locked office with its own key. Even if someone broke into one office, they'd find a different lock on every other door.
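
One way the address-to-database lookup and agency-locked tokens described above can fit together, shown as an added Python example that is not AirDesk's own code. It assumes HMAC-signed tokens with a signing key derived per agency; the second agency, the database names and the master key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data: the second agency, tenant ids and database names are hypothetical.
TENANT_BY_HOST = {
    "acme.airdesk.app": {"tenant": "acme", "database": "tenant_acme"},
    "globex.airdesk.app": {"tenant": "globex", "database": "tenant_globex"},
}
# Demo-only secret; in practice it would be loaded from a secrets vault at start-up.
MASTER_KEY = b"demo-only-master-key"


def resolve_tenant(host_header):
    """Map the address the user visited to its tenant record (None if unknown)."""
    host = host_header.strip().lower().split(":", 1)[0].rstrip(".")
    return TENANT_BY_HOST.get(host)


def tenant_key(tenant):
    """Derive a distinct signing key for each agency from the master key."""
    return hmac.new(MASTER_KEY, b"api-token:" + tenant.encode(), hashlib.sha256).digest()


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(tenant, subject, ttl_seconds=3600, now=None):
    """Return 'payload.signature'; the signed payload names the agency."""
    now = int(time.time()) if now is None else now
    claims = {"tenant": tenant, "sub": subject, "exp": now + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True).encode()
    signature = hmac.new(tenant_key(tenant), payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(signature)


def verify_token(host_header, token, now=None):
    """Return the claims if the token belongs to the agency behind this address, else None."""
    record = resolve_tenant(host_header)
    if record is None:
        return None
    try:
        payload_b64, signature_b64 = token.split(".")
        payload, signature = b64d(payload_b64), b64d(signature_b64)
    except ValueError:
        return None
    # The key is chosen from the address visited, never from what the token claims.
    expected = hmac.new(tenant_key(record["tenant"]), payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    claims = json.loads(payload)
    now = int(time.time()) if now is None else now
    if claims.get("tenant") != record["tenant"] or claims.get("exp", 0) <= now:
        return None
    return claims


if __name__ == "__main__":
    token = issue_token("acme", "payroll-integration")
    print("acme  :", verify_token("acme.airdesk.app", token))
    print("globex:", verify_token("globex.airdesk.app", token))
```

Because the verification key is picked from the address being visited, a token that is valid for one agency fails the signature check on every other agency's address, even if its contents are edited to name that agency.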

Cloudflare — Our Security Gateway

Before any traffic reaches our servers, it passes through Cloudflare — a global security and performance network used by millions of websites, including many government services.

What Cloudflare Does for AirDesk

  • Blocks attacks automatically — Cloudflare detects and stops malicious traffic (like automated hacking attempts or denial-of-service floods) before it reaches our servers. Think of it as a bouncer at the door.
  • Handles the padlock in your browser — that little padlock icon you see in your browser's address bar? That's the encrypted connection (HTTPS). Cloudflare manages this, ensuring every connection to AirDesk is encrypted with the latest security standards.
  • Speeds things up — static files like images, stylesheets, and scripts are cached (temporarily stored) at Cloudflare's 300+ locations worldwide. This means pages load faster because some content is served from a data centre near you, rather than always coming from London.
  • Hides our server's real address — attackers can't find or directly target our servers because all traffic must go through Cloudflare first. It's like having an unlisted phone number.

How We Update the Software

When we make improvements or fix bugs, the new version of AirDesk goes through an automated process to reach the live system. No human manually copies files or types commands on the server — it's all automated and auditable.

The Update Process, Step by Step

| Step | What Happens (In Plain English) |
|---|---|
| 1. Code is written | A developer writes the new feature or fix and submits it for review on GitHub (a platform for managing code, like Google Docs for software). |
| 2. Code is tested | Automated tests run against the new code to check it works correctly and doesn't break anything existing. |
| 3. A package is built | The code is bundled into a "container" — a self-contained package that includes everything the application needs to run. This guarantees it works the same way everywhere. |
| 4. Deployed to the server | The new package is sent to the server and started up. The old version is replaced seamlessly. |
| 5. Database updated | If the update requires database changes (like adding a new field), those changes are applied automatically to every agency's database. |

No stored passwords in the deployment system. When our code deployment system needs to talk to Amazon, it uses short-lived, automatically generated credentials that expire almost immediately. There are no long-lived passwords or keys stored in GitHub that could be stolen.

What are GitHub, Terraform and Docker?

You might hear us mention these tools:

  • GitHub — where our code lives. It tracks every change ever made, who made it, and why. Think of it as a detailed change log for the entire application. It also runs our automated testing and deployment.
  • Terraform — a tool that defines our entire infrastructure (servers, databases, networking, security rules) as code, stored in the same place as our application code. This means our infrastructure is version-controlled, reviewable, and reproducible. If we needed to rebuild everything from scratch, Terraform could recreate it identically.
  • Docker — the technology we use to package the application into "containers". A container is like a shipping container for software — it holds everything the application needs and works the same way no matter where you put it.

Monitoring — How We Know Something's Wrong

We don't wait for someone to report a problem. Automated alarms monitor the health of the system around the clock and alert us immediately if something looks wrong.

What We Monitor

| What We're Watching | What Triggers an Alert | Why It Matters |
|---|---|---|
| Server workload | If the server is over 85% busy for 10 minutes | Means the system might be struggling — we can upgrade capacity before users notice slowness |
| Server health | If the server fails a health check | Catches crashes or hardware issues within 2 minutes |
| Database workload | If the database is over 80% busy for 10 minutes | Means queries might be slowing down — we can optimise or upgrade |
| Database storage | If less than 5GB of storage space remains | Prevents the database from running out of space (which would stop everything working) |
| Network traffic | All traffic is logged continuously | Helps us spot unusual patterns that might indicate an attack or misuse |

The Technology We Use

Here's a summary of the key technologies and what role each one plays. You don't need to understand all of these — this is here for reference if you're curious or if a client asks.

| Technology | What It Does | Why We Chose It |
|---|---|---|
| AWS (Amazon) | Hosts everything — servers, databases, file storage, encryption | Industry leader, UK data centres, used by banks and government |
| Cloudflare | Security gateway, attack protection, speeds up page loads | Protects millions of websites, handles massive attacks automatically |
| GitHub | Stores our code and automates testing & deployment | Industry standard for code management, full audit trail of every change |
| Terraform | Defines our infrastructure as code (servers, networks, security rules) | Makes infrastructure reproducible, auditable, and reviewable |
| Docker | Packages the application into portable, isolated containers | Consistent deployments, security isolation between components |
| MySQL (Amazon RDS) | The database that stores all your data | Reliable, well-understood, managed by Amazon with automatic backups |
| PHP / Phalcon | The programming language and framework that powers AirDesk | High performance (Phalcon is one of the fastest PHP frameworks available) |
| Redis | Super-fast temporary storage for caching and background jobs | Speeds up page loads by remembering recent results instead of recalculating |
| SendGrid | Sends emails (notifications, confirmations, etc.) | Reliable email delivery with tracking and anti-spam compliance |
| Anthropic (Claude AI) | CV parsing, video analysis, summaries, email drafting | Leading AI provider; data not used for training, encrypted in transit |
| OpenAI (Whisper) | Converts speech in video interviews to text | Industry-standard speech recognition; data not stored or used for training |

AI-Powered Features

AirDesk isn't a recruitment platform with AI bolted on as an afterthought — it's the only recruitment software built with AI at its core. Every feature has been designed from the ground up to use artificial intelligence where it genuinely saves you time: reading CVs in seconds, transcribing and scoring video interviews automatically, drafting emails in context, and surfacing insights that would take hours to compile manually. Here's how it works and how we keep your data safe while doing it.

Which AI Providers We Use

| Provider | What We Use It For | Based In |
|---|---|---|
| Anthropic (Claude) | CV parsing, video analysis, summaries, email drafting | United States |
| OpenAI (Whisper) | Converting video/audio speech into text | United States |

Important: AI processing involves sending data outside the UK. When AI features are used, relevant data (such as CV text, video transcripts, or candidate details) is sent to servers operated by Anthropic or OpenAI in the United States for processing. We use enterprise-grade API subscriptions — not the free consumer chat products — which offer significantly enhanced data protection: your data is sent over encrypted connections, used only to generate the response, never used to train AI models, and is not stored permanently. Both providers are SOC 2 Type II certified and offer formal Data Processing Agreements. Your core data (databases, files, documents) always remains in the UK.

What Data is Sent to AI Providers?

Only the data needed for each specific task is sent. Here's what each feature shares:

  • CV parsing — the text content of the uploaded CV (names, qualifications, work history as written on the CV)
  • Video transcription — the audio track from the recorded video interview
  • Video analysis — the written transcript of the interview plus the questions that were asked
  • Email drafting — candidate name, relevant booking details, and context needed to compose the email
  • Relationship summaries — placement history and anonymised feedback (candidate names are replaced with "Candidate A", "Candidate B", etc.)

Safeguards We Have in Place

  • Encrypted in transit — all data sent to AI providers travels over encrypted connections (HTTPS), so it can't be intercepted
  • Not used to train AI models — both Anthropic and OpenAI's business API terms state that customer data sent via their APIs is not used to train their models
  • Not stored permanently — data is processed to generate a response and is not retained long-term by the AI providers
  • Full audit logging — every AI request is logged internally, recording what was sent, when, by whom, and which provider was used
  • AI features are optional — the core platform works without AI. These features are productivity tools, not requirements
  • Anonymisation where possible — for features like relationship summaries, candidate names are replaced with anonymous labels before sending to the AI provider
Think of it like this
Imagine you're dictating a letter to a typist in another room. You tell them what to write, they type it up and hand it back, and then they forget the conversation. They don't keep a copy and they don't share it with anyone else. That's essentially what happens when AirDesk uses AI — we send the minimum information needed, get the result back, and the AI provider moves on.
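
The name-replacement safeguard described above, shown as an added Python example that is not AirDesk's own code. It swaps known candidate names for "Candidate A", "Candidate B" labels, keeps the label-to-name map on our side, and flags name parts that full-name matching missed; the function names and the sample feedback text are constructed for illustration.

```python
import re


def label_for(index):
    """0 -> 'Candidate A', 25 -> 'Candidate Z', 26 -> 'Candidate AA'."""
    letters, n = "", index + 1
    while n > 0:
        n, rem = divmod(n - 1, 26)
        letters = chr(ord("A") + rem) + letters
    return "Candidate " + letters


def anonymise(text, candidate_names):
    """Swap each full name for a stable label; return (safe_text, label -> real name)."""
    by_name = {}
    for name in candidate_names:
        by_name.setdefault(name.lower(), (label_for(len(by_name)), name))
    if not by_name:
        return text, {}
    # Longest first, so "Ann Lee-Smith" is tried before "Ann Lee".
    ordered = sorted(by_name, key=len, reverse=True)
    groups = "|".join("(%s)" % re.escape(n) for n in ordered)
    pattern = re.compile(r"(?<![\w-])(?:" + groups + r")(?![\w-])", re.IGNORECASE)
    # One capture group per name: lastindex says which name matched.
    safe = pattern.sub(lambda m: by_name[ordered[m.lastindex - 1]][0], text)
    return safe, {label: real for label, real in by_name.values()}


def residual_name_parts(safe_text, candidate_names):
    """Name parts (3+ letters) still present, e.g. a bare first name.

    May over-report when a name is also an ordinary word; that errs on the safe side.
    """
    parts = {p for name in candidate_names for p in re.split(r"[\s-]+", name) if len(p) >= 3}
    return sorted(p for p in parts
                  if re.search(r"(?<!\w)" + re.escape(p) + r"(?!\w)", safe_text, re.IGNORECASE))


def restore(reply, mapping):
    """Put the real names back into the provider's reply, on our side only."""
    pattern = re.compile(r"Candidate [A-Z]+(?![A-Za-z])")
    return pattern.sub(lambda m: mapping.get(m.group(0), m.group(0)), reply)


# Constructed sample input, not real candidate data.
SAMPLE_NAMES = ["Priya Shah", "Tom Okafor"]
SAMPLE_FEEDBACK = ("Priya Shah was punctual and well prepared. priya shah also covered for "
                   "Tom Okafor on Friday. The school asked for Priya again.")

if __name__ == "__main__":
    safe, mapping = anonymise(SAMPLE_FEEDBACK, SAMPLE_NAMES)
    print(safe)
    print("Still present:", residual_name_parts(safe, SAMPLE_NAMES))
    print(restore("Candidate A is a strong fit; Candidate B needs support.", mapping))
```

A non-empty result from `residual_name_parts` is a reason to hold the request back for review rather than send it.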

Frequently Asked Questions

Common questions about how AirDesk handles your data:

| Question | Answer |
|---|---|
| "Where is our data stored?" | All core data — your databases, uploaded documents, and files — is stored in Amazon's London data centre and never leaves the UK. When optional AI features are used (like CV parsing or video transcription), the relevant data is sent to US-based AI providers for processing over encrypted connections. It is not stored by those providers. |
| "Is our data encrypted?" | Yes, everywhere. It's encrypted when it's stored (at rest) and when it's moving between your browser and our servers (in transit). Even our internal connections between the application and database are encrypted. Without our keys, the data is just meaningless scrambled text. |
| "Can other agencies see our data?" | Absolutely not. Each agency has a completely separate database with its own unique password. It's not just partitioned — it's physically separate. There is no shared data between agencies. |
| "What if you get hacked?" | We have multiple layers of protection. Cloudflare blocks attacks at the edge. Our servers only accept traffic from Cloudflare. The database is hidden from the internet entirely. Even if an attacker somehow got past all of that, the data is encrypted and each agency's database requires different credentials. We also have a complete audit trail to detect and investigate any unusual activity. |
| "Do you back up our data?" | Yes, continuously. We don't just back up once a day — the database is backed up to the minute using Amazon's point-in-time recovery. We can restore to any specific minute within the last 30 days, and we keep weekly backups for a full year beyond that. Files are also versioned, so accidentally overwritten documents can be recovered. |
| "Who can access our data?" | Only the application itself, running on our secure servers. There are no traditional server passwords — all access is through Amazon's audited management tools, which log every action. We can see exactly who did what and when. |
| "How do you handle GDPR?" | Core data is stored in the UK (London data centre). Each agency's data is isolated in its own database. Access is logged and auditable. Encryption protects data at rest and in transit. The architecture supports data deletion requests because data is cleanly separated per agency. When AI features are used, data is processed by US-based providers under their business API terms, which prohibit using your data for model training. AI processing is optional and can be discussed as part of your data processing agreement. |
| "Do you use AI? Is that safe?" | Yes, we use AI for time-saving features like reading CVs and transcribing video interviews. The AI providers (Anthropic and OpenAI) process data over encrypted connections, don't store it permanently, and don't use it to train their models. All AI usage is logged and auditable. These features are optional — the platform works fully without them. |
| "What happens if your server goes down?" | We have automated monitoring that alerts us within 2 minutes if a server health check fails. The application runs in containers that automatically restart if they crash. Database backups mean we can restore data quickly if needed. |
| "How do you keep the software up to date?" | Updates go through an automated pipeline: code is reviewed, automatically tested, packaged, and deployed. No human manually touches the server. Every change is tracked in version control so we have a complete history of what changed and why. |
| "What standards is AirDesk built to?" | AirDesk is built on the same cloud platform, security practices, and deployment automation used by the NHS, major banks, and global technology companies. Our infrastructure is defined in code, version-controlled, and fully reproducible. We use enterprise-grade AI subscriptions, customer-managed encryption keys, and automated monitoring with 24/7 alerting. |

Jargon Buster

Quick definitions for technical terms you might hear:

| Term | What It Actually Means |
|---|---|
| AI (Artificial Intelligence) | Software that can understand text, speech, and documents in a human-like way. AirDesk uses AI to read CVs, transcribe interviews, and draft emails — tasks that would otherwise take a person a long time. |
| API | A way for two systems to talk to each other automatically. Like a waiter taking orders between you and the kitchen. |
| Cloud | Using someone else's computers (in a data centre) instead of buying your own. You access them over the internet. |
| Container (Docker) | A sealed package that holds the application and everything it needs to run. Like a shipping container — same contents no matter where it goes. |
| Database | An organised store of data, like a huge spreadsheet with millions of rows. Stores all your candidates, bookings, timesheets, etc. |
| DDoS Attack | When attackers flood a website with fake traffic to overwhelm it and take it offline. Cloudflare absorbs these for us. |
| Encryption | Scrambling data so it's unreadable without the right key. Like writing in a code that only you and the recipient understand. |
| Firewall | Rules that control what traffic is allowed in and out. Like a security gate that only lets through people on the guest list. |
| HTTPS / TLS | The padlock in your browser bar. Means the connection between you and the website is encrypted — nobody can eavesdrop. |
| Infrastructure as Code | Defining servers, networks, and security rules in text files rather than clicking buttons in a dashboard. Makes everything repeatable and auditable. |
| Multi-tenant | One system serving multiple customers (agencies). AirDesk keeps each tenant's data in a completely separate database. |
| VPC (Virtual Private Cloud) | A private, isolated section of Amazon's network that only we control. Like having your own floor in a secure building. |