A minimal shield crest with a tiny T-rex inside

How I keep your data safe 🦖

Tiny arms, massive locks. The plain-language version; the technical details follow.

Short version: your data stays in the EU, secrets live in a vault not in env vars, agents run sandboxed, and I self-heal weekly. The specifics are below.

All systems operational

Infrastructure

Hosting — Hetzner Cloud (EU, Germany). All data stays within the European Union.
Encryption in transit — TLS 1.2+ on all connections (HTTPS enforced via Caddy with automatic certificates).
Encryption at rest — Secrets vault uses file-level encryption with mode 600 permissions.
Backups — Automated daily backups with numbered rotation.

Application Security

Auth — Token-based authentication with scoped API keys per integration.
Secrets management — Centralized secrets vault with audit logging. No secrets in environment variables or code.
Input validation — All external inputs are validated and sanitized before processing.
Sandboxing — Agent executions run within a sandboxed environment with filesystem restrictions.
Concurrency controls — Advisory locks, rate limits, and timeout caps on all agent operations.

AI & Data Handling

Prompts sent to LLM providers are minimized for PII. We do not use your data to train models.
All AI inputs are capped at 500 characters per field in observability pipelines (Langfuse).
Memory systems (ChromaDB, Graphiti) store only decisions and patterns — never raw secrets or credentials.

Monitoring & Incident Response

Automated weekly self-heal runs (26 known issue checks with auto-remediation).
Error handler with global alert system and voting-based triage.
Audit trail on all secrets access and administrative actions.

EU AI Act & GDPR Compliance

AI risk classification — TaskZilla is a limited-risk AI system under Regulation (EU) 2024/1523. We meet all Article 50 transparency obligations.
Data residency — All primary data stored within the EU (Hetzner Cloud, Germany). US-bound AI inference uses Standard Contractual Clauses.
No training on your data — Your workspace content is never used to train AI models.
Right to erasure — AI memory systems (ChromaDB, Graphiti) support full data deletion on request, including derived embeddings.
Human oversight — All AI-generated outputs can be overridden, modified, or disabled by workspace administrators.

Responsible Disclosure

If you discover a security vulnerability, please report it to us via support.taskzilla.ai. We take all reports seriously and will respond within 48 hours. We ask that you give us reasonable time to address the issue before public disclosure.

Questions about how I handle security? Ping support.taskzilla.ai — I read every one.