Security
How we protect your data and your team's work.
Infrastructure
- Hosting — Hetzner Cloud (EU, Germany). All data stays within the European Union.
- Encryption in transit — TLS 1.2+ on all connections (HTTPS enforced via Caddy with automatic certificates).
- Encryption at rest — Secrets vault uses file-level encryption with mode 600 permissions.
- Backups — Automated daily backups with numbered rotation.
Application Security
- Auth — Token-based authentication with scoped API keys per integration.
- Secrets management — Centralized secrets vault with audit logging. No secrets in environment variables or code.
- Input validation — All external inputs are validated and sanitized before processing.
- Sandboxing — Agent executions run within a sandboxed environment with filesystem restrictions.
- Concurrency controls — Advisory locks, rate limits, and timeout caps on all agent operations.
AI & Data Handling
- Prompts sent to LLM providers are minimized to limit the PII they contain. We do not use your data to train models.
- All AI inputs are capped at 500 characters per field in observability pipelines (Langfuse).
- Memory systems (ChromaDB, Graphiti) store only decisions and patterns — never raw secrets or credentials.
Monitoring & Incident Response
- Automated weekly self-heal runs (26 known issue checks with auto-remediation).
- Error handler with global alert system and voting-based triage.
- Audit trail on all secrets access and administrative actions.
EU AI Act & GDPR Compliance
- AI risk classification — TaskZilla is a limited-risk AI system under Regulation (EU) 2024/1523. We meet all Article 50 transparency obligations.
- Data residency — All primary data stored within the EU (Hetzner Cloud, Germany). US-bound AI inference uses Standard Contractual Clauses.
- No training on your data — Your workspace content is never used to train AI models.
- Right to erasure — AI memory systems (ChromaDB, Graphiti) support full data deletion on request, including derived embeddings.
- Human oversight — All AI-generated outputs can be overridden, modified, or disabled by workspace administrators.
Responsible Disclosure
If you discover a security vulnerability, please report it to us via support.taskzilla.ai. We take all reports seriously and will respond within 48 hours. We ask that you give us reasonable time to address the issue before public disclosure.
Questions about our security practices? Contact support.