Trust & Security

This page is maintained by TaskAssist, Inc. to answer common security and privacy questions about the TaskAssist platform. It describes controls and practices that are enabled today and is updated as the product evolves. It is not a certification or an independent audit, and nothing on this page should be read as a regulatory compliance attestation.

Security is a shared responsibility. TaskAssist is responsible for the platform described below; customers are responsible for the content they upload, the access they grant within their workspace, and how their end users interact with bots they deploy.

• Customer accounts are authenticated with email/password and Google sign-in. Passwords are hashed and managed by our authentication provider.
• Data is partitioned by workspace. Row-level security policies enforce that users can only read and write records belonging to a workspace they are a member of.
• Workspaces have role-based permissions (owner, admin, member). Sensitive actions such as managing webhook signing secrets, billing, and team roles are restricted to owners and admins.
• Billing identifiers (Stripe customer and subscription IDs) are not readable by client applications and are accessible only to privileged server code.

• Data in transit is protected with TLS. Data at rest is stored in our managed Postgres database and object storage provided by Supabase.
• Webhook payloads sent from TaskAssist are signed with a per-endpoint secret so receiving systems can verify authenticity.
• API keys and integration secrets are stored as server-side secrets and are never returned to the browser.
• Customer-uploaded knowledge sources, conversations, and leads belong to the customer and are only used to operate the Service for that workspace.

TaskAssist relies on the following subprocessors to operate the Service:

• Supabase — managed Postgres database, authentication, and object storage.
• Cloudflare — application hosting, edge runtime, and CDN.
• Stripe — subscription billing and payment processing. TaskAssist does not store full payment card numbers.
• OpenAI and the Lovable AI Gateway — large-language-model inference used to power bot replies and summaries.
• Brevo — transactional email delivery (account, billing, and contact notifications).
• Vapi — voice/telephony for voice-mode bots, where enabled by the customer.

Customers may additionally connect their own integrations (for example, messaging or CRM providers). Those integrations are governed by the third party’s terms.

How we collect, use, and share personal data — including how to exercise access, correction, and deletion rights — is described in our Privacy Policy. Cookie use is described in our Cookie Policy. Contractual terms are set out in our Terms of Service.

• The platform runs on managed, automatically backed-up infrastructure with redundant compute at the edge.
• We separate production and test billing environments so test transactions never affect live customer subscriptions.
• Per-workspace rate limits protect the platform and individual customers from abusive traffic.

If you believe you have found a security vulnerability or suspect that an account has been compromised, please contact us at security@taskassist.ai. We ask that researchers give us a reasonable opportunity to investigate and remediate before any public disclosure, and that testing be limited to accounts and data you own.

We update this page as controls and subprocessors change. The “Last updated” date above reflects the most recent revision. For questions about anything described here, contact security@taskassist.ai.