The security of your data is a priority for Taskworld. Key security practices for Ongo Audit:
- Hosting and infrastructure. The Services are hosted by reputable cloud providers whose data centers are physically secured and certified under multiple international standards (e.g. ISO 27001, SOC 1/2/3). The current list of infrastructure and processing sub-processors, including the regions in which they process data, is published on our Sub-processors page.
- Encryption in transit. All traffic between the App and Taskworld servers is encrypted using TLS 1.2 or higher.
- Encryption at rest. All data at rest is encrypted using AES-256 via cloud KMS-managed keys, covering the application database, object storage (including photo attachments), block volumes underlying compute workloads, database backups, and operational logs.
- Authentication. Authorized Users sign in by magic link sent to their work email or by password. Magic-link tokens are valid for 10 minutes. Passwords are stored as salted hashes using PBKDF2-SHA256 with 310,000 iterations and an application-side pepper. Access tokens (RS256 JWT) are valid for 1 hour and refresh tokens for 36 hours.
- Authorization. Role-based access controls limit what each Authorized User can see and do within a Customer’s tenant. Production access by Taskworld personnel is restricted to the operations team, gated by multi-factor authentication, logged, and read-only by default.
- Monitoring. System and application logs are reviewed at least weekly to identify errors, anomalies, and signs of abnormal or unauthorized activity.
- Backups and resilience. Data is backed up regularly and can be restored in the event of a regional incident.
- Updates and patching. We apply security patches and dependency updates on a regular cadence.
- Vulnerability handling. We have procedures to investigate and remediate vulnerabilities. To report a security issue, contact security@taskworld.com.

For security-related questions, contact security@taskworld.com.