tasks
Security

How the thing is built.

Last updated 2026-05-07

Tasks is a small product with a small surface. That works in your favor, fewer moving parts, fewer places for something to go wrong, fewer subprocessors to vet. Here is the honest map of what we run, what our providers run, and where we’re still tightening.

Transport

Every request goes over HTTPS. We negotiate modern TLS (1.2+), HSTS is on, and we’re in the process of submitting to the HSTS preload list, see the roadmap section below. There are no plaintext fallbacks anywhere in the app.

Authentication

Sign-in, session management, password resets, MFA, and OAuth (Google, GitHub) are all handled by Clerk, which is SOC 2 Type II audited. We never see your password, Clerk does the hashing, the rotation, and the breach detection. Sessions are issued as signed tokens on first-party cookies; logout invalidates them server-side, not just in the browser.

Payments

Stripe handles cards. PCI DSS Level 1. Cards never touch our servers; we hold a customer ID, a brand, a country, and the last four digits, enough to render a billing row. Webhook payloads from Stripe are signature-verified before we act on them.

Hosting

Tasks runs on Vercel , edge network, function execution, build pipeline. Vercel publishes its own security posture; we inherit the perimeter, the DDoS protection, and the infrastructure-level audit work. Our application code is deployed via signed commits from a single GitHub repository.

Data at rest, data in transit

Everything in the database is encrypted at rest by the storage provider. Everything in transit is TLS as noted above. Attachments uploaded into Tasks live behind authenticated URLs, no public bucket, and expire from short-lived signed links a few minutes after issuance. Backups are encrypted with the same discipline as live data and rolled off on a 30-day window.

Webhooks

Inbound webhooks from Clerk are verified with Svix signatures; inbound webhooks from Stripe are verified with the Stripe-Signature header. Unsigned payloads are rejected before they touch any handler logic.

What we don’t do

There is no separate enterprise security tier. There is no SSO upsell, when SSO ships, every workspace gets it at the same price. We don’t partition the free tier behind a weaker security posture than the paid tier; the same encryption, the same audit logs, the same disclosure process applies regardless of what’s on the invoice.

Reporting a vulnerability

If you find something, email hello@signalstudio.ie with Security in the subject. PGP key fingerprint: [NEEDS-REVIEW: publish PGP key fingerprint once generated]. We respond within seventy-two hours, usually faster. We don’t run a paid bug bounty yet, but we credit researchers who report responsibly, by name, with a link, in the changelog and on this page if you want.

Please don’t exfiltrate other users’ data, spam the system, or post the issue publicly before we have a chance to fix it. Standard responsible-disclosure norms apply.

Roadmap

Posture is never finished. The near-term work, in priority order:

  • P0, full Content Security Policy headers across the app (currently in audit).
  • P0, HSTS preload submission once the apex domain stabilizes.
  • P1, automated secrets scanning on every pull request and a retroactive sweep of historical commits.

Security is a process, not a label, the badge on the footer is whatever the last commit deserved.