
Vendor Security Questionnaire

Pre-filled answers to common security questions for IT and procurement teams evaluating TaskAI. For additional information or a custom VSQ format, contact security@taskai.ca.

Last updated: March 23, 2026

Summary: 40 Fully Implemented, 2 Partially / In Progress, 1 Not Yet Available

Company Information

Company legal name
TaskAI (operated by Dylan Young)
Status: Yes

Company website
https://www.taskai.ca
Status: Yes

Where is the company incorporated?
Canada
Status: Yes

Primary contact for security inquiries
security@taskai.ca
Status: Yes

Number of employees
Early-stage startup
Status: Yes

Authentication & Access Control

Does the application support Single Sign-On (SSO)?
Yes — OAuth 2.0 SSO via Microsoft Entra ID, Google, and Atlassian. SAML support planned.
Status: Yes

Does the application support Multi-Factor Authentication (MFA)?
MFA is enforced by the identity provider (Microsoft, Google). TaskAI delegates authentication entirely via OAuth 2.0.
Status: Yes

Does the application store user passwords?
No. TaskAI uses OAuth-only authentication. Passwords are never transmitted to or stored by TaskAI.
Status: Yes

Does the application support role-based access control (RBAC)?
Yes. Workspace roles include Owner, Admin, Member, and Viewer with granular permissions.
Status: Yes

How are sessions managed?
JWT-based sessions with secure, httpOnly, sameSite cookies. Sessions expire automatically.
Status: Yes

Can an administrator revoke user access?
Yes. Workspace admins can remove members immediately. OAuth access can be revoked from the identity provider.
Status: Yes

Data Protection & Encryption

Is data encrypted in transit?
Yes. All data is encrypted using TLS 1.2+ (HTTPS). HSTS is enforced.
Status: Yes

Is data encrypted at rest?
Yes. AES-256 encryption at rest via our database provider (Turso/libSQL).
Status: Yes

Where is data stored?
Data is stored in Turso edge databases hosted in North America (United States). The application is deployed on Vercel (US).
Status: Yes

Does the application store email content?
No. Only email metadata (subject, sender, date, snippet) is cached for task suggestion. Full email bodies remain in the email provider.
Status: Yes

Does the application store calendar event content?
Only event titles, times, and attendee names are cached for task creation. Event bodies/notes are not stored.
Status: Partial

Is customer data logically separated?
Yes. All database queries are scoped to the authenticated user ID. Row-level data isolation prevents cross-tenant access.
Status: Yes

What is the data retention policy?
Data is retained while the account is active. Upon account deletion, all associated data is permanently removed within 30 days.
Status: Yes

Application Security

Is the application protected against SQL injection?
Yes. All database queries use parameterized queries via Drizzle ORM. No raw SQL interpolation.
Status: Yes

Is the application protected against XSS?
Yes. React's built-in output encoding prevents XSS. Content Security Policy (CSP) headers are enforced.
Status: Yes

Is the application protected against CSRF?
Yes. CSRF protection is built into NextAuth with anti-forgery tokens.
Status: Yes

Are security headers implemented?
Yes. CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy are all configured.
Status: Yes
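A check an evaluating IT team can run against the security-headers answer above, added here as an example and not TaskAI's own code: it audits a set of response headers for the six headers listed, parsing the CSP and HSTS values rather than only testing for presence. The sample headers are constructed for the demo, not captured from taskai.ca; replace them with the headers from a real HTTPS response to verify the claim.

```python
import re

# Constructed sample response headers for the demo (not captured from taskai.ca).
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

MIN_HSTS_MAX_AGE = 31536000  # one year, the usual minimum for an HSTS policy
# Script sources that make a CSP ineffective against injected scripts.
BAD_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def parse_csp(value):
    """Split a CSP header into {directive: [source expressions]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def hsts_max_age(value):
    """Extract max-age from an HSTS header; 0 if absent or malformed."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def audit_headers(headers):
    """Check the headers the questionnaire claims; return {check name: bool}."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    csp = parse_csp(h.get("content-security-policy", ""))
    # script-src falls back to default-src when absent
    scripts = csp.get("script-src", csp.get("default-src", []))
    return {
        "csp_present": bool(csp),
        "csp_restricts_scripts": bool(scripts) and not BAD_SCRIPT_SOURCES & set(scripts),
        "hsts_one_year": hsts_max_age(h.get("strict-transport-security", "")) >= MIN_HSTS_MAX_AGE,
        # Either header blocks framing; frame-ancestors is the modern replacement
        "framing_blocked": h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
            or "frame-ancestors" in csp,
        "nosniff": h.get("x-content-type-options", "").lower() == "nosniff",
        "referrer_policy": "referrer-policy" in h,
        "permissions_policy": "permissions-policy" in h,
    }
```

Every check returning True for a real response supports the answer; a False on csp_restricts_scripts or hsts_one_year means the header exists but is too weak to deliver the protection claimed.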

Is the application rate-limited?
Yes. API endpoints are rate-limited to prevent abuse and brute-force attacks.
Status: Yes

Are dependencies scanned for vulnerabilities?
Yes. npm audit is run regularly. Dependencies are kept up to date.
Status: Yes

Is there a secure development lifecycle (SDLC)?
Yes. Code reviews on all changes, environment variable protection, and staging environments for testing.
Status: Yes

Third-Party Integrations

What OAuth scopes are requested for Microsoft 365?
openid, profile, email, User.Read, Mail.Read, Calendars.Read. Read-only access only.
Status: Yes

What OAuth scopes are requested for Google Workspace?
gmail.readonly, calendar.readonly. Read-only access only.
Status: Yes

What OAuth scopes are requested for Atlassian?
read:jira-work, read:confluence-content.all. Read-only access only.
Status: Yes

Can the application send emails or modify data in connected services?
No. All integrations are read-only. TaskAI cannot send emails, modify calendar events, or write to Jira/Confluence.
Status: Yes

Can users revoke access?
Yes. Users can revoke OAuth access from their Microsoft, Google, or Atlassian account settings at any time.
Status: Yes

Is data shared with third-party AI providers?
No. All AI processing happens locally on our servers. No data is sent to OpenAI, Anthropic, or any external AI service.
Status: Yes

Infrastructure & Hosting

Where is the application hosted?
Vercel (serverless edge deployment), with CDN nodes globally and compute in US regions.
Status: Yes

Where is the database hosted?
Turso (ChiselStrike) — libSQL/SQLite edge databases hosted in the United States.
Status: Yes

Is DDoS protection in place?
Yes. Vercel provides built-in DDoS mitigation at the edge.
Status: Yes

Are backups maintained?
Yes. Database backups are maintained by Turso with point-in-time recovery.
Status: Yes

Is there a disaster recovery plan?
Yes. Turso provides multi-region replication. Vercel provides automatic failover. Code is version-controlled in GitHub.
Status: Yes

Compliance & Legal

Is the application PIPEDA compliant?
Yes. TaskAI complies with Canada's Personal Information Protection and Electronic Documents Act.
Status: Yes

Is the application GDPR compliant?
TaskAI follows GDPR principles (data minimization, right to deletion, consent-based processing). Formal GDPR compliance is in progress.
Status: Partial

Is a Data Processing Agreement (DPA) available?
Yes. A standard DPA is available at taskai.ca/dpa. Custom DPAs are available for enterprise customers.
Status: Yes

Is the application SOC 2 certified?
Not yet. SOC 2 Type II certification is on our roadmap. Our infrastructure providers (Vercel, Turso) maintain SOC 2 certification.
Status: No

Is there a privacy policy?
Yes. Available at taskai.ca/privacy.
Status: Yes

Is there an incident response plan?
Yes. Affected users and relevant authorities will be notified within 72 hours of a confirmed breach, as required by PIPEDA.
Status: Yes

Does the application share data with third parties?
No. We never sell, rent, or share your data. Data is used solely to provide the TaskAI service.
Status: Yes

Need this in a different format (spreadsheet, PDF)? Contact security@taskai.ca.