Security & Privacy
Your Data. Your Server. Your Control.
osTicket Awesome is self-hosted software. Unlike SaaS helpdesks, your ticket data, customer information, attachments, and agent activity never leave your infrastructure. There is no cloud instance to breach, no multi-tenant database shared with other companies, and no third party standing between you and your data.
This page explains exactly what our software communicates with us, what we can and cannot access, and how we handle the limited data that does touch our systems.
What osTicket Awesome Does NOT Do
We believe the most important security disclosures are about what a product doesn’t do. osTicket Awesome:
- Does not transmit helpdesk data. Your tickets, customer records, attachments, agent activity, and internal notes stay in your database on your server. We never see them.
- Collects only aggregate diagnostic data. Your installation sends aggregate counts (agent count, ticket volume, PHP version, etc.) to help us provide support and inform development. No ticket content, customer data, agent names, or personally identifiable information is collected. See our Telemetry Disclosure page for the complete list.
- Phones home once every 24 hours. Your installation contacts osaweso.me for a license status check and a diagnostic report. Both are described below and on our Telemetry Disclosure page.
- Does not include a remote kill switch. If your subscription expires, your helpdesk continues to operate normally. We cannot remotely disable, degrade, or alter your installation.
- Does not require an internet connection to function. Your helpdesk works on an air-gapped network. License validation will fail gracefully, and your system continues to operate.
License Validation: Exactly What Is Transmitted
osTicket Awesome periodically contacts our server to verify your subscription status. Here is the complete data transmitted during a license check:
| Data | Example | Purpose |
|---|---|---|
| License key | OSTA-XXXX-XXXX-XXXX-XXXX | Identifies your subscription |
| Domain name | helpdesk.yourcompany.com | Verifies the installation is on a licensed domain |
| Product identifier | osticket-awesome | Identifies the product |
In addition to the license check, a diagnostic report is sent containing software versions (PHP, MySQL, osTicket Awesome), server environment details, and aggregate usage counts (agents, tickets, departments, forms). All metrics are aggregate counts with no personally identifiable information. For the complete field-by-field breakdown, see our Telemetry Disclosure page.
Staging and development environments (localhost, *.dev, *.test, *.local, *.staging) are whitelisted and do not consume activation slots.
If the license check fails (server unreachable, network error, DNS issue), your helpdesk continues to operate normally. We designed the system to fail open, because your helpdesk’s availability is more important than our license enforcement.
When We Do Have Access to Your Data
There are exactly two scenarios where we may be exposed to data on your server:
1. Support engagements where you provide server credentials.
If you request hands-on support, custom development, or migration assistance, you may provide us with access credentials through our secure intake form. When this happens:
- Credentials are encrypted at rest (AES-256) in our system and automatically purged after 30 days
- Credentials are never transmitted via email
- We access your server only to perform the work you have requested
- We do not copy, retain, or repurpose any data we encounter during the engagement
- We recommend you change all shared credentials after the work is complete
2. Information you share in a support ticket or forum post.
If you include screenshots, error logs, or configuration details in a support request or forum post, that information is stored on our support system or forum. We use it only to help resolve your issue.
Outside of these two scenarios, we have zero access to your helpdesk data.
Our Infrastructure
For transparency, here is how the osaweso.me website itself is secured:
- Encryption in transit. All connections use HTTPS with TLS. There is no unencrypted access.
- SSH access. Our server is accessible only via key-based SSH authentication. Password-based SSH is disabled.
- Email authentication. Our domain is configured with SPF, DKIM (2048-bit), and DMARC to prevent email spoofing.
- Payment processing. Credit card information is handled entirely by our payment processor (Stripe). We do not store, process, or have access to your card details.
- Access control. osTicket Awesome is a solo operation. There are no employees, contractors, or third parties with access to our systems or your account data beyond what is described in our Privacy Policy.
The Self-Hosted Advantage
Many organizations choose self-hosted software specifically for security and compliance reasons. With osTicket Awesome:
- You control data residency. Your data lives wherever you put your server. There is no dependency on a vendor’s data center choices, and no cross-border data transfer concerns.
- You control access. You decide who can access your helpdesk, how they authenticate, and what they can see. No vendor support agent can browse your tickets unless you explicitly invite them.
- You control retention. You decide how long data is kept and when it is deleted. There is no vendor retention policy overriding your own.
- You own your data, full stop. If you cancel your osTicket Awesome subscription, your helpdesk and all its data remain on your server in standard osTicket format. There is no export process, no data liberation request, and no transition period. It is already yours.
Compliance
osTicket Awesome does not hold certifications like SOC 2 or ISO 27001 because we are not a SaaS provider and we do not process or store your helpdesk data. Those certifications are designed for companies that hold your data on their infrastructure.
Your compliance posture (HIPAA, GDPR, PCI-DSS, PIPEDA, or any other framework) is determined by how you configure and secure your own server and osTicket installation. We provide the software; you control the environment.
That said, osTicket Awesome includes features that support your compliance efforts:
- GDPR cookie consent banner built into the client portal
- Two-factor authentication (pre-installed and configured)
- LDAP and OAuth2 integration for centralized identity management
- Audit logging plugin (pre-installed) for tracking administrative actions
- Password policy enforcement to meet organizational security standards
Questions
If you have questions about osTicket Awesome’s security or privacy practices, please contact us:
Red e Technology
d.b.a. osAwesome
Nelson, BC, Canada
info@rede.ca