Security & Compliance

Last updated: May 4, 2026

At TASKTOGO we take the security of your data seriously. This page summarises the measures we have in place to keep your information safe.

Infrastructure

  • Primary application data is hosted on infrastructure inside the European Union.
  • Some sub-processors (error tracking, push notifications, payments) operate outside the EU under Standard Contractual Clauses - see /subprocessors for the full list.
  • Data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher.
  • Regular automated backups are taken and tested.
  • TASKTOGO is not currently ISO 27001 or SOC 2 certified. Our hosting providers maintain their own certifications.

Application Security

  • Passwords are hashed using scrypt with timing-safe comparison.
  • Time-based one-time-password (TOTP) two-factor authentication is available to every user from account settings.
  • Sessions can be reviewed and revoked individually from the Security panel.
  • Session tokens are issued as HttpOnly cookies; refresh tokens are rotated on refresh and can be revoked from the Security panel.
  • HTTP security headers (CSP, HSTS, X-Frame-Options, etc.) are set on all responses.
  • Rate limiting is applied to authentication and password-recovery endpoints; broader API throttling is on the roadmap.
  • All API inputs are validated with strict schemas (Zod) before processing.
  • An audit log of administrative actions is available to admins.

Access Controls

  • Production database access is restricted to application service accounts with least-privilege roles.
  • All infrastructure access requires multi-factor authentication.
  • Access logs are retained for 90 days.

GDPR Compliance

  • We act as a data controller under the EU General Data Protection Regulation.
  • You can export all data associated with your account at any time via the account data export endpoint (GET /auth/export-data).
  • You can permanently delete your account and associated data via the account deletion endpoint (DELETE /auth/account).
  • For data-related enquiries, contact support@tasktogo.com.

Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly to support@tasktogo.com. We aim to acknowledge reports within 2 business days and to resolve confirmed vulnerabilities within 30 days.

Questions

Det 5 Element ApS
Email: support@tasktogo.com