Security at Task

Encryption

All Customer Data is encrypted in transit and at rest.

• In transit: TLS 1.2 or higher for all client and server-to-server communication.
• At rest: AES-256 encryption applied at the storage layer by Google Cloud Platform.

Identity and access control

• Multi-factor authentication is enforced for all platform users.
• Role-based access control scopes user permissions to the minimum required for their function.
• Session timeouts automatically end inactive sessions.
• Internal personnel access to Customer Data is limited to the minimum necessary to provide and support the Services and is subject to confidentiality obligations.

Tenant isolation

Task is a multi-tenant platform. Customer Data is logically isolated and scoped to the Customer organization at the application authorization layer. Customer Data does not cross tenant boundaries.

Data residency and hosting

Task is hosted on Google Cloud Platform. Customer Data is stored in Google Cloud's us-central1 region (Iowa, United States).

Network controls

• Backend services run in a managed cloud environment with private networking.
• Ingress is restricted to defined entry points behind a managed application load balancer.
• Perimeter and edge controls are managed in line with Google Cloud Platform's standard infrastructure protections.

Backups and recovery

Incident response

• Task notifies affected Customers of any Security Incident within 72 hours of confirmation.
• Incident handling procedures cover triage, containment, eradication, recovery, and post-incident review.
• Post-incident summaries are shared with affected Customers as part of the notification process.

Vulnerability management

• Automated dependency scanning runs in CI/CD on every change to the codebase.
• Identified vulnerabilities are triaged and remediated on a risk-prioritized cadence.
• Container images and infrastructure templates are reviewed and rebuilt on a regular cadence to incorporate upstream security updates.

Audit logging

Task maintains application and audit logs to support security monitoring and operational investigation. Sensitive fields are redacted from log records before they are written to log storage.

Sub-processors

Task engages a limited set of sub-processors to deliver the Services. The current sub-processor list, including processing purposes, locations, and links to each sub-processor's published data processing terms, is available at taskeng.ai/subprocessors.

Customers receive thirty (30) days' written notice before Task engages a new sub-processor that will process Customer Data, with the right to object on reasonable data protection grounds.

AI provider commitments

Task uses third-party foundation models from Anthropic, OpenAI, and Google to deliver AI-assisted features. These providers operate under enterprise API agreements that prohibit them from using Customer Data to train their models.

Task itself does not train, fine-tune, or develop foundation models on Customer Data.

Data retention

• Customer Data is retained for the duration of the active subscription.
• Following termination of services, Customers have a 60-day window to retrieve their data.
• Task deletes Customer Data within 30 days after the retrieval period ends.
• Customers may request earlier deletion in writing.

Compliance

Task is building toward SOC 2 Type II as part of its broader compliance program. The platform operates under contractual privacy and security obligations defined in our Master Service Agreement and Data Processing Addendum, including controller-processor framing, Standard Contractual Clauses for cross-border transfers, and prohibitions on use of Customer Data for AI model training.

For specific compliance documentation requests, including a current security questionnaire response, please contact security@taskeng.ai.

Contact

Security inquiries: security@taskeng.ai

To report a suspected vulnerability, please email security@taskeng.ai with reproduction steps. Task does not currently operate a public bug bounty program.