Security

ClicksRocket LLC, operating under the brand Tasken.ai ("Tasken," "we," "our," or "us"), takes the security of customer data and the systems we build seriously. This page describes the security practices that apply to our website, our managed hosting, and the AI systems we deliver to customers.

For privacy commitments, see our Privacy Policy. For acceptable use of Tasken systems, see our Acceptable Use Policy.

In Transit

All connections to tasken.ai and to our managed hosting use HTTPS with modern TLS (1.2 or higher). HTTP traffic is redirected to HTTPS.

At Rest

Data stored within our infrastructure providers is encrypted at rest using provider-managed keys with industry-standard algorithms (typically AES-256). API keys, OAuth tokens, and other secrets used by customer systems are stored in encrypted secret stores, not in plaintext configuration files or source code.

• Least privilege: Employee access to customer data, infrastructure, and source code is granted on a need-to-know basis and reviewed periodically.
• Multi-factor authentication: MFA is required for all administrative accounts, including hosting providers, source control, and infrastructure consoles.
• Strong authentication: SSO or hardware-backed credentials are used where supported.
• Offboarding: Access for departing personnel is revoked promptly as part of our offboarding process.

Tasken runs on reputable cloud and platform providers. Wherever possible, we rely on managed services so that low-level infrastructure security — physical access, network isolation, patching of base images — is handled by providers with their own audited security programs.

Customer systems on Tasken-managed hosting run in logically isolated environments. Customer secrets and credentials are scoped per customer and are not shared across deployments.

• Dependency hygiene: Production dependencies are kept reasonably up to date and reviewed against known-vulnerability advisories.
• Source control: All code lives in version control with peer review for production-bound changes.
• Secrets management: Credentials and API keys are managed through dedicated secret stores or environment-scoped variables, never committed to source.
• Logging: We log application and access events at a level sufficient to investigate security incidents without retaining unnecessary personal data.

We rely on third-party providers for hosting, email, payments, scheduling, AI model access, and similar services. Before integrating a provider that will handle personal data on our behalf, we review their security posture and ensure an appropriate data processing agreement is in place.

A current list of sub-processors is available on request by emailing support@tasken.ai.

We maintain an internal process for identifying, containing, and remediating security incidents. If an incident affects your data, we will notify affected customers without undue delay and, where applicable, within seventy-two (72) hours of becoming aware of the incident — consistent with GDPR Article 33 expectations.

Notifications will include, to the extent then known: the nature of the incident, categories and approximate volume of records involved, likely consequences, and the measures we have taken or propose to take in response.

Tasken designs its security practices to be consistent with established frameworks, including:

• OWASP Application Security Verification Standard (ASVS) guidance.
• OAuth 2.0 security best practices for any system integrating with third-party identity providers.
• Security practices aligned with SOC 2 principles. We do not currently hold a SOC 2 Type II report; we use the framework as a reference rather than a claim of audited compliance.
• Google API Services User Data Policy (including the Limited Use requirements) for customer systems that access Google APIs.

If your organization requires a formal compliance attestation that we do not currently hold, please contact us to discuss your specific requirements.

If you believe you have found a security issue affecting tasken.ai or a Tasken system, please report it to support@tasken.ai with the subject line "Security Report."

We ask that you:

• Provide enough detail to reproduce the issue.
• Avoid accessing, modifying, or destroying data that does not belong to you.
• Give us a reasonable opportunity to investigate and remediate before public disclosure.

We do not currently operate a paid bug-bounty program, but we appreciate responsible disclosure and will acknowledge reports.

Security is a shared responsibility. Customers using Tasken systems are responsible for:

• Protecting their own credentials, API keys, and access tokens.
• Granting Tasken systems only the third-party scopes necessary to perform the workflows they have authorized.
• Reviewing and approving system outputs before relying on them in regulated or high-stakes contexts.
• Complying with our Acceptable Use Policy.

Security questions or reports may be directed to:

ClicksRocket LLC (d/b/a Tasken.ai)
2105 Vista Oeste St. NW Suite E - 1381
Albuquerque, NM 87120
United States
Email: support@tasken.ai