Screendesk Technical Architecture and Flow Documentation

Introduction

Screendesk's architecture combines secure helpdesk integration, sophisticated recording capabilities, and robust cloud infrastructure to deliver a seamless support experience. This document details the technical flows and security measures that enable secure communication and data handling throughout the platform.

Core Recording Technologies

Screen Recording Workflow

At the heart of Screendesk's functionality lies a sophisticated screen recording system that operates entirely through web browsers. When a support agent initiates a recording request, the system generates a secure short link through our helpdesk integration. This link serves as a secure gateway for end customers to access the recording interface.

The recording process leverages the browser's MediaRecorder API, enabling high-quality screen and audio capture without requiring software installation. This client-side approach significantly enhances security and user adoption by eliminating the need for external applications or plugins. The captured content flows directly through encrypted channels to our web infrastructure, ensuring data security from the moment of capture.

Video Conferencing Integration

Parallel to screen recording, our video conferencing capabilities are powered by Whereby's real-time communication platform. The integration maintains end-to-end security while enabling direct video recordings storage to our S3 infrastructure. This architecture eliminates intermediary storage points, reducing potential security vulnerabilities and ensuring immediate availability of recorded sessions.

Infrastructure Components

Web Service Layer

Our web infrastructure, hosted on Render.com, employs a horizontal scaling approach with multiple web servers operating in parallel. These servers handle incoming requests from both helpdesk integrations and direct recording submissions. A Web Application Firewall (WAF) sits in front of this tier, providing an additional security barrier against potential threats.

The web tier maintains direct connections to our Redis cache system, optimizing performance for frequent operations while ensuring session data remains secure. This caching layer plays a crucial role in managing user sessions and temporary data storage, all while operating within our encrypted environment.

Processing Layer

Background operations are managed by our worker tier, which consists of multiple processing servers designed to handle asynchronous tasks. These workers manage critical operations such as recording processing, storage management, and data cleanup routines. The worker tier maintains secure connections to both our database and S3 storage systems, ensuring that all data transformations occur within our secured infrastructure.

Data Storage Architecture

Our data storage strategy employs a multi-layered approach:

• A PostgreSQL database cluster provides our primary data store, with all data encrypted at rest and point-in-time recovery capabilities enabled

• Amazon S3 storage handles all media content, including screen recordings and video conference recordings

• Regional deployment options (EU/US) ensure compliance with data sovereignty requirements

• Redis provides temporary storage for session management and performance optimization

Security Implementation

Authentication Framework

Access control begins with our comprehensive authentication layer, which supports multiple secure authentication methods:

• SAML 2.0 integration enables enterprise-grade single sign-on capabilities

• SCIM protocols facilitate automated user management

• Multi-factor authentication adds an essential security layer

• Additional security measures for administrative access include IP whitelisting and Google Workspace SSO

Administrative Access Control

Internal system access follows a hierarchical security model:

• Support administrators access the admin dashboard through strong MFA verification

• Engineering administrators require additional security clearance through IP whitelisting and Google Workspace SSO

• CTO-level access includes full infrastructure control with quarterly security reviews

Data Protection Measures

Every aspect of data handling incorporates security measures:

• All communications utilize TLS 1.2+ encryption

• HTTPS-only protocols ensure secure data transmission

• Regional data storage options respect data sovereignty requirements

• Strict data deletion policies ensure complete removal within five days

• Client-side recording eliminates the need for software installation while maintaining security

Operational Flows

Helpdesk Integration Process

Integration with customer helpdesk systems occurs through our dedicated Screendesk application, which establishes secure communications via HTTPS/TLS 1.2+ protocols. This integration enables support agents to initiate recording requests and video calls directly from their familiar helpdesk environment.

Recording Request Flow

1. Support agents trigger recording requests through the helpdesk interface

2. Our system generates secure, validated short links

3. End customers receive and access these links

4. Browser-based recording captures screen and audio content

5. Captured content transmits directly to our web tier

6. Processing occurs in our worker tier

7. Final storage in encrypted S3 buckets

Administrative Operations

Administrative functions follow strictly controlled paths:

• Support operations flow through the admin dashboard

• Cloud service access requires multiple security validations

• Infrastructure modifications undergo careful access control

• All administrative actions are logged and monitored

This architecture ensures secure, efficient operation while maintaining the flexibility needed for customer support interactions. Regular security audits and continuous monitoring maintain the integrity of all system components.

Overview

Screendesk's security architecture represents a sophisticated multi-layered approach to securing communications, data handling, and access control. Our system seamlessly integrates customer-facing components with internal infrastructure while maintaining rigorous security protocols at every interaction point. This documentation outlines the comprehensive security measures that protect our platform, ensuring data integrity and user privacy at all times.

User Types and Access Management

Customer Users

At the customer level, Screendesk implements a carefully structured access system designed to meet diverse user needs while maintaining strict security standards. Support Agents operate through our dedicated application, which is deeply integrated within their existing helpdesk system. This integration enables them to seamlessly initiate video calls, manage screen recordings, and request additional recordings from end customers when needed. The integration layer ensures all these interactions occur within a secure, controlled environment.

Workspace Administrators hold elevated privileges within the system, accessing it through our robust authentication framework that incorporates SAML 2.0 and SCIM protocols. These administrators maintain complete control over their organization's workspace, managing configurations and user access permissions while working within our security framework. Their role is crucial in maintaining organizational security policies while ensuring smooth operation for their teams.

End Customers interact with our system through a streamlined, security-focused interface. When joining video calls through our Whereby integration or providing screen recordings, these users benefit from our end-to-end encryption and secure communication channels. Every interaction is protected by HTTPS/TLS 1.2+ protocols, ensuring data privacy and security throughout the session.

Internal Users and Access Controls

Internal access to Screendesk's systems follows a hierarchical structure with carefully delineated permissions and multiple security layers. Support Administrators access the system through our admin dashboard, protected by strong multi-factor authentication. Their direct connection to the web tier enables effective monitoring and support activities while maintaining system security through strictly defined access parameters.

Engineering Administrators operate under an even more rigorous security framework. Their access requires successful navigation through three distinct security layers: IP whitelisting, Google Workspace SSO, and enhanced MFA protocols. This triple-layer protection ensures that cloud service access remains secure while preventing unauthorized infrastructure modifications.

At the highest level, the CTO position holds comprehensive infrastructure control privileges. This role carries exclusive rights to modify Render.com services, with access undergoing quarterly security reviews to maintain compliance and security standards. The position's elevated access comes with additional responsibility for maintaining system integrity and overseeing security protocols.

Technical Infrastructure

Application Architecture

The Screendesk application infrastructure, hosted on Render.com, employs a sophisticated multi-tier architecture designed for both security and scalability. The Web Tier comprises multiple servers operating in horizontal scaling configuration, allowing for dynamic response to load changes while maintaining consistent security. These servers maintain direct connections to our Redis cache, optimizing performance while operating behind a robust Web Application Firewall.

Our Worker Tier handles background processing through a distributed network of servers, each maintaining secure connections to both our database and S3 storage systems. This tier scales automatically based on workload demands, ensuring consistent performance without compromising security. The separation between web and worker tiers provides an additional layer of security through compartmentalization.

The Database Tier centers around a PostgreSQL implementation with comprehensive security measures. All data remains encrypted at rest, with point-in-time recovery capabilities ensuring data resilience. The database maintains secure connections exclusively with authorized application tiers, preventing unauthorized access while enabling efficient data operations.

Communication Flow

The integration of Screendesk into customer helpdesk systems represents a crucial security junction. Our application establishes secure communications through consistent HTTPS/TLS 1.2+ protocols, creating a trusted channel between customer systems and our authentication layer. This integration ensures seamless operation while maintaining rigorous security standards.

Video conferencing follows a carefully designed security path. When a Support Agent initiates a call, the request flows through our helpdesk integration to Whereby's secure video service. Video recordings move directly to Screendesk's S3 storage, eliminating security vulnerabilities that could arise from intermediate storage. This direct path ensures data integrity while maintaining performance.

Screen recording processes follow similarly secure paths. Transmissions flow directly to S3 storage with encryption both in transit and at rest. Our regional storage system respects customer preferences and data sovereignty requirements, storing data in either EU or US regions as specified.

Security Implementation

Authentication and Encryption

Screendesk's authentication system integrates multiple secure protocols to ensure comprehensive access control. Enterprise customers benefit from SAML 2.0 integration for single sign-on capabilities, while SCIM protocols automate user management securely. Multi-factor authentication adds an essential security layer, with internal users receiving additional protection through Google Workspace SSO integration.

All communications within the system employ TLS 1.2+ encryption, ensuring data privacy during transmission. Our strict HTTPS-only policy combines with Web Application Firewall protection to create a robust security perimeter. For administrative access, IP whitelisting provides an additional security layer, restricting system access to authorized locations only.

Data Management and Compliance

Our data management strategy emphasizes security and sovereignty. Regional deployment options in both EU and US territories allow customers to maintain compliance with local data protection regulations. All recordings stored in our S3 system remain encrypted at rest, with access strictly controlled through our authentication layers.

The platform maintains a strict data deletion policy, implementing true hard deletes with a maximum retention period of five days. This policy ensures that when data deletion is requested, it is completely and verifiably removed from all storage layers. Our comprehensive logging and monitoring systems track all access and changes, maintaining an audit trail while enabling real-time threat detection.

Regular security reviews and quarterly access audits maintain the integrity of our security systems, while continuous WAF monitoring provides protection against emerging threats. This multi-layered approach to security and compliance ensures that Screendesk maintains the highest standards of data protection while providing essential services to our customers.

Welcome to the technical documentation covering Screendesk's architecture and security infrastructure. This space contains detailed information about:

Contents

• System Architecture Diagrams

• Security Protocols

• Infrastructure Overview

• Data Flow Patterns

• Security Measures & Compliance

Documentation Access

All relevant diagrams and technical specifications will be maintained and updated in this space. For the most current architectural decisions and security implementations, please refer to the documentation sections above.

Additional Information

For detailed technical inquiries or specific security-related questions, please contact our CTO:

Adrien adrien@screendesk.io

Note: This documentation is regularly updated to reflect the latest architectural changes and security enhancements.