Privacy and Data Security
How Krokanti Tasks protects your data. Encryption, authentication, audit logs, data retention, and GDPR compliance.
Krokanti Tasks is built with security as a default, not an afterthought. Here's what we do to protect your data.
Data Encryption
In transit: All data between your browser and our servers is encrypted via TLS 1.3. We enforce HTTPS everywhere — no HTTP fallback.
At rest: Your data is stored in Neon Postgres (serverless PostgreSQL), hosted on AWS infrastructure with AES-256 encryption at rest.
Passwords: User passwords are hashed with bcrypt before storage. We never store or log plaintext passwords.
Authentication Security
- Email + password signup uses bcrypt with a high cost factor
- Google OAuth uses OAuth 2.0 — we never see your Google password
- Two-factor authentication (TOTP): Enable in Settings → Security. Works with any TOTP authenticator app (Google Authenticator, Authy, 1Password, etc.)
- Sessions use short-lived JWTs. A session ends when you sign out or after a period of inactivity.
We strongly recommend enabling two-factor authentication. It protects your account even if your password is compromised.
Audit Log
Every significant action on your account is recorded in an audit log:
- Sign-ins and sign-outs
- Password changes
- 2FA enable/disable
- Team member invites and role changes
- Billing changes
- API token creation and usage
The audit log is accessible by account owners and helps detect suspicious activity.
API Tokens
API tokens (kt_ prefix) are:
- Generated as 40 hex characters from a cryptographically secure random source (160 bits of entropy)
- Stored as SHA-256 hashes — the raw token is only shown once at creation
- Rate-limited to 100 requests per minute
- Revocable at any time from Settings → Security → API Tokens
Treat API tokens like passwords. If a token is exposed, revoke it immediately and generate a new one.
Data Retention
- Active accounts: Data is retained indefinitely while your account is active
- Deleted accounts: Soft-deleted immediately; permanently deleted after 30 days
- Deleted tasks: Deleted immediately (no trash/recovery)
GDPR
If you're in the EU or EEA:
- You have the right to access your data (contact support)
- You have the right to delete your account (Settings → Data → Delete account)
- We don't sell your data to third parties
- Our data processor (Neon) is SOC 2 Type II compliant
Responsible Disclosure
Found a security vulnerability? Please email security@krokanti.com directly. We respond within 24 hours and credit researchers in our changelog.
Do not open public GitHub issues for security vulnerabilities.