Security at taskdwell

Our Security Commitment

At taskdwell, security isn't an afterthought—it's built into everything we do. We employ industry-leading security practices to protect your home data, personal information, and documents. Your sensitive information deserves the highest level of protection, and we're committed to delivering it.

What We Don't Do

Trust is built on what we don't do just as much as what we do:

Data Encryption

Encryption in Transit

All data transmitted between your device and our servers is encrypted using:

• TLS 1.3: The latest and most secure transport layer security protocol
• Perfect Forward Secrecy:Each session uses unique encryption keys that can't be compromised even if future keys are leaked
• HSTS: HTTP Strict Transport Security ensures all connections use HTTPS

Encryption at Rest

Your data is encrypted when stored in our databases and file storage:

• AES-256 Encryption: Military-grade encryption for all stored data
• Encrypted Backups: All backups are encrypted with separate keys
• Secure Key Management: Encryption keys are stored separately from data and rotated regularly

Authentication & Access Control

User Authentication

• Enterprise-Grade Auth: Powered by Clerk, a trusted authentication platform used by thousands of companies
• Secure Password Hashing: Passwords are hashed using bcrypt with individual salts—we never store passwords in plain text
• Multi-Factor Authentication (MFA): Optional 2FA support for added account security
• OAuth Support: Secure sign-in with Google and other trusted providers
• Session Management: Automatic session timeout and secure token handling

Access Controls

• Role-based access control (RBAC) for team plans
• Granular permissions system ensuring users only access their own data
• Audit logging of all data access and modifications
• IP whitelisting available for enterprise customers

Infrastructure Security

Hosting & Network

taskdwell is hosted on enterprise-grade cloud infrastructure:

• Vercel: Enterprise deployment platform with automatic DDoS protection and CDN
• Supabase: Secure PostgreSQL database hosting with automatic backups and point-in-time recovery
• Network Isolation: Production environments are isolated from development and testing
• Firewall Protection: Strict firewall rules limit access to necessary ports only
• DDoS Mitigation: Automated protection against distributed denial-of-service attacks

Database Security

• Connection pooling with SSL/TLS encryption
• Prepared statements to prevent SQL injection
• Regular security patches and updates
• Automated daily backups with 30-day retention
• Point-in-time recovery capability

Application Security

Secure Development Practices

• Code Reviews: All code changes are reviewed before deployment
• Automated Testing: Comprehensive test suite runs on every code change
• Dependency Scanning: Automated vulnerability scanning of third-party libraries
• Static Analysis: Code is analyzed for security vulnerabilities before deployment
• Regular Updates: All dependencies are kept up-to-date with security patches

Protection Against Common Attacks

• XSS Prevention: Content Security Policy (CSP) and input sanitization
• CSRF Protection: Token-based CSRF protection on all state-changing requests
• SQL Injection: Parameterized queries and ORM-based data access
• Rate Limiting: API rate limits prevent brute-force and abuse
• Input Validation: All user inputs are validated and sanitized

Monitoring & Incident Response

24/7 Security Monitoring

• Real-time application and infrastructure monitoring
• Automated alerts for suspicious activity and anomalies
• Log aggregation and analysis for security events
• Regular security audits and penetration testing

Incident Response Plan

In the unlikely event of a security incident, we have a comprehensive response plan:

• Detection & Assessment: Automated systems detect and alert our team immediately
• Containment: Affected systems are isolated to prevent further impact
• Investigation: Full forensic analysis to understand scope and root cause
• Remediation: Issues are fixed and patches are deployed immediately
• Communication: Affected users are notified within 72 hours as required by GDPR
• Post-Incident Review: Lessons learned are documented and preventive measures implemented

Data Privacy & Compliance

We comply with major data protection regulations:

• GDPR: Full compliance with EU General Data Protection Regulation
• CCPA: California Consumer Privacy Act compliance
• Data Minimization: We only collect data necessary to provide the service
• Right to Deletion: Users can request complete data deletion at any time
• Data Portability: Export your data in standard formats (CSV, JSON)

For more details, see our Privacy Policy.

Third-Party Services

We carefully select and vet all third-party services we use. All providers meet our strict security requirements:

Backup & Disaster Recovery

• Automated Backups: Daily encrypted backups of all data
• Retention: Backups retained for 30 days
• Redundancy: Data stored across multiple geographic regions
• Point-in-Time Recovery: Ability to restore data to any point in the last 7 days
• Disaster Recovery Plan: Documented procedures for rapid recovery from major incidents
• Regular Testing: Recovery procedures tested quarterly

Responsible Disclosure

We welcome and appreciate security researchers who help us keep taskdwell secure. If you discover a security vulnerability, please report it responsibly:

What We Ask

• Give us reasonable time to investigate and fix the issue before public disclosure
• Do not access, modify, or delete user data without permission
• Do not perform actions that could harm the availability or integrity of our services
• Act in good faith and avoid violating privacy or laws

What We Commit

• Acknowledge your report within 24 hours
• Provide regular updates on our investigation and remediation progress
• Credit you publicly (if desired) once the vulnerability is fixed
• Not pursue legal action against good-faith security researchers

Employee Access & Training

• Background Checks: All employees undergo background verification
• Least Privilege: Employees have access only to data necessary for their role
• Security Training: Mandatory security awareness training for all staff
• NDA Requirements: All employees sign confidentiality agreements
• Access Reviews: Quarterly reviews of employee access permissions
• Offboarding: Immediate access revocation when employees leave

Physical Security

While taskdwell is a cloud-native application, our infrastructure providers maintain strict physical security:

• Data centers with 24/7 surveillance and security personnel
• Multi-factor access controls for data center entry
• Biometric authentication for sensitive areas
• Environmental controls (fire suppression, climate control, UPS backup power)
• Regular security audits of physical facilities

Questions About Security?

We're committed to transparency about our security practices. If you have questions or concerns:

Security FAQ