Your data is safe with Taskly
We built Taskly multi-tenant and security-first from day one. This page explains, in plain terms, how your team's data is stored, who can access it, and how our AI assistant handles it.
Infrastructure & hosting
Taskly runs on industry-standard managed cloud infrastructure: our application is hosted on Vercel and our database, authentication and realtime services run on Supabase (managed PostgreSQL). These providers operate on top of major cloud platforms with their own physical and network security controls.
Encryption
- In transit: all traffic is served over HTTPS/TLS. Data moving between your browser, our app, and the database is encrypted.
- At rest: the database and backups are encrypted at rest by our infrastructure providers.
Authentication
- Sign in with Google (OAuth) or email & password.
- Passwords are never stored by us in plain text — they are hashed (bcrypt) by our auth provider. We never see your raw password.
- New email accounts require email confirmation before access, verifying the address belongs to you.
- Sessions use secure, httpOnly cookies.
Workspace isolation (multi-tenancy)
Every team works inside its own workspace, and every record is tagged to a workspace. Isolation is enforced at the database level using PostgreSQL Row-Level Security (RLS) — not just in the interface. In practice this means a query can only ever return rows from workspaces you belong to; one customer's data is never reachable by another.
Access control
Within a workspace, members have roles (Admin or Member). Sensitive actions — managing the workspace, projects, and members — are restricted to admins and enforced both in the app and in database policies.
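The database-level rules described under Workspace isolation and Access control can be written as PostgreSQL RLS policies along the following lines. This is an added illustration, not Taskly's actual schema or policies: every table, column, function and setting name (including `app.user_id`) is hypothetical, and on Supabase the built-in `auth.uid()` would normally supply the caller's id.

```sql
-- Added example. All table, column, function and setting names are hypothetical.
CREATE TABLE workspace_members (
    workspace_id uuid NOT NULL,
    user_id      uuid NOT NULL,
    role         text NOT NULL CHECK (role IN ('admin', 'member')),
    PRIMARY KEY (workspace_id, user_id)
);
CREATE TABLE tasks (
    id           uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    workspace_id uuid NOT NULL,   -- every record is tagged to a workspace
    title        text NOT NULL
);

-- Caller identity, set per request by the server (assumption); NULL when unset,
-- so an unauthenticated connection matches no rows.
CREATE FUNCTION app_user_id() RETURNS uuid LANGUAGE sql STABLE AS $$
    SELECT nullif(current_setting('app.user_id', true), '')::uuid
$$;

-- SECURITY DEFINER helpers run as the table owner, so the membership lookup is
-- not itself filtered by RLS (a policy on workspace_members that queried
-- workspace_members directly would recurse).
CREATE FUNCTION is_member(ws uuid) RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public, pg_temp AS $$
    SELECT EXISTS (SELECT 1 FROM workspace_members m
                   WHERE m.workspace_id = ws AND m.user_id = app_user_id())
$$;
CREATE FUNCTION is_admin(ws uuid) RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public, pg_temp AS $$
    SELECT EXISTS (SELECT 1 FROM workspace_members m
                   WHERE m.workspace_id = ws AND m.user_id = app_user_id()
                     AND m.role = 'admin')
$$;

-- Without a matching policy, an RLS-enabled table returns no rows (default deny).
-- Table owners and BYPASSRLS roles skip policies: the app must use another role.
ALTER TABLE tasks ENABLE ROW LEVEL SECURITY;
ALTER TABLE workspace_members ENABLE ROW LEVEL SECURITY;

CREATE POLICY tasks_by_membership ON tasks FOR ALL
    USING (is_member(workspace_id)) WITH CHECK (is_member(workspace_id));
CREATE POLICY members_visible_to_members ON workspace_members FOR SELECT
    USING (is_member(workspace_id));
-- Permissive policies are OR-ed: members can read, only admins can write.
CREATE POLICY members_managed_by_admins ON workspace_members FOR ALL
    USING (is_admin(workspace_id)) WITH CHECK (is_admin(workspace_id));
```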
How Otto (AI) handles your data
- Otto runs server-side and only ever operates inside your workspace, after verifying your membership.
- Otto proposes changes as a reviewable diff — you approve before anything is created or edited.
- To understand your request, the relevant text (your message and a short list of your task titles/statuses) is sent to our AI provider (OpenRouter) for processing and returned as a structured result. We do not sell your data, and Otto cannot act outside your workspace or beyond the limits we enforce (e.g. capped batch sizes).
- Otto has built-in safety guardrails and will refuse harmful or off-topic requests.
Backups & availability
Our managed database provider performs automated backups; availability and point-in-time recovery scale with our hosting plan as we grow.
Subprocessors
We rely on a small set of reputable providers to run Taskly:
- Supabase — database, authentication, realtime.
- Vercel — application hosting.
- OpenRouter — AI model processing for Otto.
- Google — optional OAuth sign-in.
- Resend — transactional email (invitations, notifications), when enabled.
Your data & your rights
Your workspace data belongs to you. You can edit or delete tasks at any time, and you can request export or deletion of your account data by contacting us. See our Privacy Policy for details.
Responsible disclosure
If you believe you've found a security vulnerability, please email security@ottotaskly.com with details. We appreciate responsible disclosure and will work with you to resolve issues promptly.
Transparency
Taskly is an early-stage product moving fast. We don't yet hold formal certifications such as SOC 2 or ISO 27001, and we won't claim otherwise. What we do have are sound fundamentals — database-enforced isolation, encrypted transport, modern authentication, and an AI layer that always acts with your consent — and we're committed to maturing our security program as we grow.
Last updated: 6 June 2026 · Questions? security@ottotaskly.com