At a glance
โ Encrypted in transit (TLS) and at rest (AES-256)
โ Each workspace's data is isolated from every other
โ Passwords hashed with bcrypt โ we can't read them
โ Role-based access control + custom roles
โ Two-factor authentication (2FA)
โ Tamper-evident, hash-chained audit log
โ We never sell your data
โ Export or delete your data at any time
In plain terms: your data is encrypted, kept separate from every other customer, and access to it is restricted and logged. We never sell your data, and we don't look at it except to help you when you ask us to.
Encryption
- In transit โ all traffic to and from TaskInSync uses HTTPS / TLS, enforced with HSTS. Nothing travels over the network unencrypted.
- At rest โ your database is hosted on MongoDB Atlas, where all stored data is encrypted on disk with AES-256 by default.
- Passwords โ hashed with bcrypt before storage. We never store or see your actual password.
- Tokens & keys โ API keys and session tokens are stored as one-way SHA-256 hashes, never in a readable form.
- Sensitive secrets โ your two-factor (2FA) secrets, connected-account tokens (e.g. Google Calendar), and webhook signing secrets are additionally encrypted with AES-256-GCM at the application layer.
Access control & isolation
- Workspace isolation โ every request is scoped to your workspace. One customer can never see or reach another customer's data.
- Role-based access control โ owners, managers, and members get different permissions, and you can define custom roles for fine-grained control.
- Two-factor authentication โ enable TOTP-based 2FA on your account for an extra layer of login security.
- Brute-force protection โ repeated failed logins are rate-limited and temporarily locked out.
- Least-privilege staff access โ access to production systems is limited to essential personnel, and we don't access your workspace data except to provide support at your request.
Auditability
Every significant action in your workspace is recorded in an activity log. The log is tamper-evident โ each entry is cryptographically hash-chained to the one before it, so any attempt to alter or delete history is detectable.
Application & network security
- Strict security headers on every page โ Content-Security-Policy, HSTS, and X-Frame-Options (clickjacking protection).
- Outbound webhooks are protected against SSRF (server-side request forgery) and signed with HMAC-SHA256 so your receivers can verify authenticity.
- Input is validated server-side, and the API enforces per-plan and per-role limits independently of the interface.
Payments
Paid subscriptions are processed by Razorpay, a PCI-DSS-compliant payment provider. Card and banking details are entered directly with Razorpay โ TaskInSync never sees or stores your payment information.
Infrastructure & subprocessors
We build on a small set of trusted, industry-standard providers, each operating under their own data-processing terms:
- MongoDB Atlas โ managed database hosting, encrypted at rest.
- Railway โ application (API) server hosting.
- Firebase / Google Cloud โ frontend hosting and optional Google sign-in.
- Razorpay โ payment processing.
A full, current subprocessors list is available on request.
Your data is yours
- Export โ download your projects and tasks at any time.
- Deletion โ request full deletion of your account and data, and we'll carry it out.
- No selling โ we never sell, rent, or share your data for advertising.
See our Privacy Policy for the full detail on what we collect and why.
Enterprise & compliance
- Single sign-on (SAML) โ available for enterprise customers; contact us to set it up with your identity provider.
- Data Processing Agreement (DPA) โ available on request for business customers.
- DPDP Act 2023 โ we operate in line with the principles of India's Digital Personal Data Protection Act, and we're expanding our compliance posture as we grow.
Responsible disclosure
Found a potential vulnerability? We appreciate your help. Please report it through our contact page with enough detail to reproduce it. We investigate promptly and will not pursue legal action against good-faith security researchers who follow responsible-disclosure practices.
Questions?
If your team has security or compliance questions before signing up, we're happy to answer them. Get in touch โ we usually respond within a few hours.