Taskachu

Security

Last updated May 22, 2026

This page documents how Taskachu secures workspace data and what controls we have in place. It’s written for technical evaluators — security engineers, procurement, and the “before we move our team here” check. We list what we actually do today, not what we plan to do; planned items are called out as such with a target.

1. Data in transit

All connections to taskachu.com and app.taskachu.com are TLS 1.2+. We do not accept plaintext HTTP — the load balancer redirects 80 → 443 unconditionally. HSTS is enabled (max-age=31536000; includeSubDomains).
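The two controls above can be verified from outside. The Node.js functions below are an added example, not Taskachu's code: they parse a Strict-Transport-Security header and check the plaintext-HTTP redirect against the policy stated here. The sample responses are constructed so the script runs offline; in practice you would feed it the headers from `curl -sI https://app.taskachu.com` and `curl -sI http://taskachu.com`. Function names are the example's own.

```javascript
// Added example, not Taskachu's code. Function names are assumptions.
const ONE_YEAR_SECONDS = 31536000;

// Parse "max-age=31536000; includeSubDomains; preload" into a lower-cased
// directive map, e.g. { 'max-age': '31536000', includesubdomains: true }.
function parseHsts(headerValue) {
  const directives = {};
  for (const part of String(headerValue || '').split(';')) {
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (!name) continue;
    directives[name] = eq === -1 ? true : part.slice(eq + 1).trim().replace(/^"|"$/g, '');
  }
  return directives;
}

// Findings for the HTTPS response. Header names are expected lower-cased,
// as Node's http module and most header-dump parsers deliver them.
function checkHsts(headers) {
  const value = headers['strict-transport-security'];
  if (!value) return ['HSTS header missing'];
  const findings = [];
  const d = parseHsts(value);
  const maxAge = Number.parseInt(d['max-age'], 10);
  if (!Number.isFinite(maxAge)) findings.push('max-age missing or not numeric');
  else if (maxAge < ONE_YEAR_SECONDS) findings.push(`max-age ${maxAge} is below one year`);
  if (!d.includesubdomains) findings.push('includeSubDomains not set');
  if (!d.preload) findings.push('preload not set (informational; required for the browser preload list)');
  return findings;
}

// Findings for the plaintext-HTTP response: it must be a permanent redirect
// to the same host over https, with nothing else served on port 80.
function checkRedirect(status, headers, host) {
  const findings = [];
  if (status !== 301 && status !== 308) findings.push(`expected 301 or 308, got ${status}`);
  const location = headers.location || '';
  if (!location.startsWith(`https://${host}/`) && location !== `https://${host}`) {
    findings.push(`Location does not point at https://${host}: "${location}"`);
  }
  return findings;
}

// Constructed sample responses (not captured from taskachu.com).
const SAMPLE_HTTPS_HEADERS = { 'strict-transport-security': 'max-age=31536000; includeSubDomains' };
const SAMPLE_HTTP_REDIRECT = { status: 301, headers: { location: 'https://taskachu.com/' } };

function runSample() {
  return {
    hsts: checkHsts(SAMPLE_HTTPS_HEADERS),
    redirect: checkRedirect(SAMPLE_HTTP_REDIRECT.status, SAMPLE_HTTP_REDIRECT.headers, 'taskachu.com'),
  };
}

console.log(runSample());
```

With the policy as stated on this page the only finding is the informational one about `preload`; a `max-age` shorter than a year or a missing `includeSubDomains` would be flagged as real gaps.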

2. Data at rest

  • Database — MongoDB Atlas (M10+ tier) with cloud-provider disk encryption (AES-256). Backups encrypted with the same key envelope.
  • File uploads — Amazon S3 with SSE-S3 (AES-256) by default; SSE-KMS available on request for Enterprise.
  • Secrets — AWS Secrets Manager. Application secrets are KMS-encrypted, never committed to source control, never logged.
  • Integration tokens (Slack, GitHub, Google Drive) — encrypted at rest using a 32-byte application key (AES-256-GCM) before being written to Mongo. Plaintext tokens never leave the encryption boundary.

3. Authentication & access control

  • Sign-in — Firebase Authentication backs password, Google, and GitHub OAuth flows. Passwords are hashed and stored by Firebase; we never see plaintext.
  • Sessions — JWT in an HttpOnly Secure SameSite=Lax cookie. 7-day rolling expiry.
  • Workspace isolation — every API endpoint asserts workspace membership before reading or writing. Workspace-scoped MCP Personal Access Tokens carry the same permissions as the issuing user, and only inside the issuing workspace.
  • Account deletion — two-step email-confirmed flow with full cascade across workspaces, boards, cards, documents, files in S3, RAG embeddings, integration tokens, and active Stripe subscriptions. See Settings → Account.
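The workspace-isolation rule above, covering both browser sessions and workspace-scoped MCP Personal Access Tokens, can be expressed as one authorization check in front of every handler. The code below is an added example, not Taskachu's code: the membership table, role names, the 404-for-non-members choice and the Express-style middleware shape are assumptions for illustration. Two properties matter and both are tested: a PAT is refused outside the workspace that issued it even if the user is an admin elsewhere, and a PAT's permissions are looked up from the user's current membership, so removing the user from the workspace also disables their tokens.

```javascript
// Added example, not Taskachu's code. Data shapes and role names are assumptions.

// Constructed membership table: workspaceId -> userId -> role.
const MEMBERSHIPS = {
  ws_acme: { u_alice: 'admin', u_bob: 'member' },
  ws_beta: { u_alice: 'member' },
};

const ROLE_RANK = { viewer: 1, member: 2, admin: 3 };

// A principal is either { kind: 'session', userId } from the cookie JWT, or
// { kind: 'pat', userId, workspaceId } where workspaceId is the workspace the
// token was issued in.
function authorizeWorkspace(principal, workspaceId, requiredRole, memberships = MEMBERSHIPS) {
  if (!principal || !principal.userId) return { ok: false, status: 401, reason: 'unauthenticated' };

  // A PAT is only valid inside its issuing workspace, regardless of the
  // user's other memberships.
  if (principal.kind === 'pat' && principal.workspaceId !== workspaceId) {
    return { ok: false, status: 403, reason: 'token not issued for this workspace' };
  }

  // Permissions come from the user's *current* membership, so a PAT inherits
  // role changes and dies with the membership.
  const role = memberships[workspaceId] && memberships[workspaceId][principal.userId];
  // Non-members get 404 rather than 403 (example's choice) so that workspace
  // IDs cannot be enumerated by probing.
  if (!role) return { ok: false, status: 404, reason: 'not found' };

  if ((ROLE_RANK[role] || 0) < (ROLE_RANK[requiredRole] || Infinity)) {
    return { ok: false, status: 403, reason: `requires ${requiredRole}` };
  }
  return { ok: true, role };
}

// Express-style middleware factory. req.principal is set by the cookie/PAT
// authenticator and req.params.workspaceId by the route pattern
// (e.g. '/api/workspaces/:workspaceId/cards').
function requireWorkspace(requiredRole) {
  return (req, res, next) => {
    const r = authorizeWorkspace(req.principal, req.params.workspaceId, requiredRole);
    if (!r.ok) return res.status(r.status).json({ error: r.reason });
    req.workspaceRole = r.role;
    return next();
  };
}

// Cookie attributes from section 3 as you would hand them to res.cookie().
const SESSION_COOKIE_OPTIONS = {
  httpOnly: true,
  secure: true,
  sameSite: 'lax',
  maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days; re-issue on each request for rolling expiry
};

console.log(authorizeWorkspace({ kind: 'session', userId: 'u_alice' }, 'ws_acme', 'admin'));
console.log(authorizeWorkspace({ kind: 'pat', userId: 'u_alice', workspaceId: 'ws_beta' }, 'ws_acme', 'member'));
```

`requireWorkspace` runs before the handler body, so the membership assertion cannot be skipped by a handler that forgets it; the handler only ever sees requests whose workspace has already been checked.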

What we don’t have yet

  • Two-factor authentication (2FA) — on the roadmap. TOTP first, WebAuthn after.
  • SSO (SAML / OIDC) — planned for the Enterprise tier. Open to early-customer feedback on which IdPs to support first — reach out at andrii.nadosha@shally.app.

4. Infrastructure

  • Compute — AWS ECS Fargate in eu-west-1. Tasks run as a non-root user inside a minimal Alpine-based image.
  • Network — private VPC; database and Redis are only reachable from application subnets. Public traffic terminates at an Application Load Balancer; no service is exposed directly.
  • Logging — structured logs to CloudWatch with 30-day retention. We log request IDs, user IDs, and workspace IDs — never tokens, secrets, or document content.
  • Deployments — GitHub Actions builds container images and rolls them out via ECS. The main branch is the only deployable branch; no direct prod access.
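"Never tokens, secrets, or document content" in the logging bullet is easier to keep when the log line is built from an allow-list of fields and then passed through a redactor, rather than by serialising whatever object is at hand. The Node.js code below is an added example, not Taskachu's code: the field names, the list of secret-looking header keys and the token patterns are assumptions, and the request object is constructed. The allow-list is what keeps request bodies and document content out; the redactor is the backstop for a token that ends up in a free-text message anyway.

```javascript
// Added example, not Taskachu's code. Field names and patterns are assumptions.

// Keys whose values are always replaced, whatever they contain.
const SECRET_KEY_RE = /^(authorization|cookie|set-cookie|x-api-key|password|token|access_token|refresh_token|secret|client_secret|private_key)$/i;

// Value patterns replaced inside any string field.
const TOKEN_PATTERNS = [
  /\bBearer\s+[A-Za-z0-9\-._~+\/]+=*/g,                                // Authorization: Bearer ...
  /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g,    // bare JWT
  /\bxox[abpr]-[A-Za-z0-9-]{10,}/g,                                     // Slack bot/user tokens
  /\bgh[pousr]_[A-Za-z0-9]{20,}/g,                                      // GitHub tokens
  /\bAKIA[0-9A-Z]{16}\b/g,                                              // AWS access key IDs
];

function redactString(s) {
  return TOKEN_PATTERNS.reduce((out, re) => out.replace(re, '[REDACTED]'), s);
}

// Deep-copy `value` with secret keys and token-shaped strings replaced.
function redact(value, depth = 0) {
  if (depth > 16) return '[TRUNCATED]';
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_KEY_RE.test(k) ? '[REDACTED]' : redact(v, depth + 1);
    }
    return out;
  }
  return value;
}

// Request log event built from an allow-list (the identifiers section 4 says
// are logged, plus timing), not from the whole request object, so headers,
// bodies and document content never enter the log path at all.
function requestLogEvent(req, status, durationMs) {
  return redact({
    level: 'info',
    ts: new Date().toISOString(),
    requestId: req.id,
    userId: req.principal && req.principal.userId,
    workspaceId: req.params && req.params.workspaceId,
    method: req.method,
    path: req.path, // path only; the query string may carry tokens
    status,
    durationMs,
  });
}

// Constructed request, not a captured one. The bearer value is not a real JWT.
const sampleReq = {
  id: 'req_01HX',
  method: 'GET',
  path: '/api/workspaces/ws_acme/cards',
  principal: { userId: 'u_alice' },
  params: { workspaceId: 'ws_acme' },
  headers: { authorization: 'Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1X2FsaWNlIn0.c2lnbmF0dXJl' },
};

console.log(JSON.stringify(requestLogEvent(sampleReq, 200, 12)));
console.log(JSON.stringify(redact({ msg: 'refresh failed for xoxb-1234567890-abcdef', headers: sampleReq.headers })));
```

Pattern-based redaction is a backstop, not the control: it only catches token formats you anticipated, which is why the primary line of defence is the allow-list in `requestLogEvent`.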

5. Sub-processors

Taskachu uses these third parties to deliver the service. The full list with purpose and links is mirrored in our Privacy Policy § 4:

  • Amazon Web Services — compute, storage, secrets, queueing (eu-west-1)
  • MongoDB Atlas — primary application database
  • OpenAI — AI features (data sent only when you invoke an AI action)
  • Stripe — payment processing
  • Resend — transactional email
  • Google (Firebase Auth) — authentication flows
  • Termly — cookie consent banner (landing pages only)

We notify customers of material sub-processor changes by email at least 30 days before the change takes effect.

6. AI data handling

AI features send only the content you actively pass through them (e.g. a card’s title + description for decomposition, or your search query for Ask Taskachu) to OpenAI’s API for processing. Per OpenAI’s API terms, this content is not used to train their models. Outputs are stored back in your workspace; nothing is shared across workspaces or with other customers.

7. Vulnerability disclosure

If you discover a security vulnerability, please report it privately to andrii.nadosha@shally.app before public disclosure. We commit to:

  • Acknowledge within 48 hours of your report.
  • Initial triage within 5 business days with a severity estimate.
  • Keep you updated as the fix progresses, and credit you (if desired) in the changelog entry once it ships.

We don’t currently run a paid bug-bounty programme, but we’ll happily send swag and a thank-you for any reproduced finding.

8. Incident response

In the event of a security incident affecting customer data, we will:

  • Notify affected customers without undue delay (target: within 72 hours of confirmed scope).
  • Provide a public post-mortem with timeline, impact, and remediation steps.
  • Cooperate with regulators where required (e.g. GDPR Article 33 notifications).

9. Compliance roadmap

Honest snapshot of where we are with formal certifications:

  • GDPR — in scope. DPA available on request at andrii.nadosha@shally.app or via the standalone DPA page.
  • SOC 2 Type II — not yet certified. On the roadmap once we have a team of three to run the controls. If you need SOC 2 today, we’ll talk you through compensating controls.
  • ISO 27001 — not yet certified. Follows after SOC 2 in our sequence.
  • HIPAA / FedRAMP— not in scope for the current product surface.

10. Questions?

Drop us a line at andrii.nadosha@shally.app. If you’re evaluating Taskachu for a team-of-10+ and need questions answered before signing, ask — we reply within one business day.