Security & Trust

Your data stays yours.

Enterprise-grade security, PIPEDA compliance, and transparent data practices from day one.

256-bit AES encryption
OAuth 2.0 auth only
PIPEDA compliant
Read-only API scopes
North America data residency

How your data flows

Transparent at every step.

From sign-in to task creation, here is exactly what happens.

Step 01: Connect. OAuth 2.0 sign-in.

Step 02: Read metadata. Subject, sender, dates only.

Step 03: AI suggests. On our servers, no third parties.

Step 04: You approve. Nothing created without you.

Security Features

Defense in depth.

Encryption, access control, and infrastructure hardening at every layer.

OAuth-only Auth

We never store passwords. All integrations use OAuth 2.0 with revocable permissions.

TLS 1.2+ in Transit

All data encrypted between your browser and our servers. HSTS enforced.

AES-256 at Rest

Databases encrypted with AES-256. Provider maintains SOC 2 certification.

No Email Body Storage

Only metadata is cached. Full email content stays with your provider.

Role-based Access

Owner, Admin, Member, Viewer roles with granular per-action permissions.

Row-level Isolation

Every query scoped to your workspace. Cross-tenant access is architecturally impossible.

Secure Sessions

JWT in HttpOnly, SameSite cookies. Auto-expiry, no client-side JS access.

Security Headers

CSP, HSTS, X-Frame-Options, X-Content-Type-Options on every response.

DDoS Protection

Rate-limited APIs. Deployed on Vercel with edge-level DDoS mitigation.

Input Validation

Server-side validation, parameterized queries, output encoding against XSS.
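The "Row-level Isolation" and "Input Validation" items above describe two controls that are usually implemented together: every query carries a workspace predicate, and every user-supplied value is bound as a parameter rather than spliced into SQL. The following is an added illustration of that pattern, not the product's own code. It assumes a libSQL-style client that accepts a `{ sql, args }` statement; the `makeFakeClient` stand-in and the `SAMPLE_TASKS` rows are constructed here so the example runs offline.

```javascript
// Added example: a tenant-scoped, parameterized query helper in the style of a
// libSQL client. This is illustrative code, not the product's own implementation.

// Allow-lists keep table and column names (which cannot be bound as SQL
// parameters) out of caller control; values are always bound as `?` args.
const ALLOWED_TABLES = new Set(['tasks']);
const ALLOWED_COLUMNS = new Set(['id', 'title', 'status']);

// Build a SELECT that is always scoped to one workspace. The workspace
// predicate is added by the helper, not by the caller, so a route handler
// cannot forget it.
function scopedSelect(workspaceId, table, filters = {}) {
  if (typeof workspaceId !== 'string' || workspaceId === '') {
    throw new Error('workspaceId is required: every query must be tenant-scoped');
  }
  if (!ALLOWED_TABLES.has(table)) throw new Error(`unknown table: ${table}`);
  const conditions = ['workspace_id = ?'];
  const args = [workspaceId];
  for (const [column, value] of Object.entries(filters)) {
    if (!ALLOWED_COLUMNS.has(column)) throw new Error(`unknown column: ${column}`);
    conditions.push(`${column} = ?`);
    args.push(value);
  }
  return { sql: `SELECT * FROM ${table} WHERE ${conditions.join(' AND ')}`, args };
}

// Constructed sample data: two workspaces sharing one table.
const SAMPLE_TASKS = [
  { id: 1, workspace_id: 'ws_a', title: 'Reply to vendor', status: 'open' },
  { id: 2, workspace_id: 'ws_a', title: 'Book meeting room', status: 'done' },
  { id: 3, workspace_id: 'ws_b', title: 'Quarterly review', status: 'open' },
];

// Constructed in-memory stand-in for a database client (hypothetical; a real
// libSQL client would receive the same { sql, args } statement). It evaluates
// only the `col = ?` AND-chains that scopedSelect() produces.
function makeFakeClient(tables) {
  return {
    execute({ sql, args }) {
      const match = /^SELECT \* FROM (\w+) WHERE (.+)$/.exec(sql);
      if (!match) throw new Error('stand-in client: unsupported statement');
      const rows = tables[match[1]] ?? [];
      const columns = match[2].split(' AND ').map((c) => c.replace(' = ?', ''));
      if (columns.length !== args.length) throw new Error('placeholder/argument mismatch');
      return { rows: rows.filter((row) => columns.every((c, i) => row[c] === args[i])) };
    },
  };
}

// What a route handler would call: the workspace id comes from the
// authenticated session, never from a request parameter the client controls.
function listTasks(client, sessionWorkspaceId, filters) {
  return client.execute(scopedSelect(sessionWorkspaceId, 'tasks', filters)).rows;
}
```

Asking for `id: 3` from workspace `ws_a` returns no rows even though the row exists, because the scope predicate is part of every statement; a request with an empty workspace id or an unknown column is rejected before any SQL is built.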

CSRF Protection

Anti-forgery tokens via NextAuth. X-Frame-Options prevents clickjacking.

Admin Audit Trail

Workspace admins manage access, assign roles, and view activity history.

Integration Security

Minimal read-only scopes.

We request the narrowest permissions possible. Revoke access any time.

Microsoft 365

openid, profile, email, User.Read, Mail.Read, Calendars.Read

Read-only. Cannot send emails, modify calendar, or access files.

Google Workspace

gmail.readonly, calendar.readonly

Minimal read-only. Cannot send emails or modify data.

Atlassian

read:jira-work, read:confluence-content.all

Read-only access to issues and pages. No write access.

Compliance & Privacy

Built on trust.

PIPEDA-compliant practices, transparent data handling, and your rights respected.

PIPEDA Compliant

Full compliance with Canada's privacy legislation.

No Data Sharing

Never sold, rented, or shared with third parties.

North American Hosting

Processed and stored in US/Canada infrastructure.

DPA Available

Standard Data Processing Agreement for enterprise.

72-hour Breach Notice

Affected users and authorities notified within 72 hours.

Right to Deletion

Full data removal within 30 days of request.

Subprocessors

Third-party services.

All located in North America with industry-standard compliance.

Provider          Purpose                     Location
Vercel            Hosting & edge deployment   US
Turso             Database (libSQL)           US
Microsoft Azure   OAuth provider              US / CA
Google Cloud      OAuth provider              US
Atlassian Cloud   Jira & Confluence           US
Stripe            Payments                    US

Need more detail?

Our team is ready to answer your security questionnaire, provide documentation, or join a call with your IT team.