Trust & Safety

Security

Your money and data are serious business. Here's exactly how we protect them — no vague promises, just specifics.

🔐 Encryption

  • All data at rest is encrypted with AES-256.
  • All data in transit is protected by TLS 1.3. We enforce HTTPS site-wide and use HSTS with a long max-age.
  • Database backups are encrypted before leaving our infrastructure.

🛡️ Authentication

  • Passwords are hashed using bcrypt with a high work factor — we never store plaintext credentials.
  • Two-factor authentication (2FA) via TOTP is available and recommended for all accounts.
  • Session tokens are cryptographically random and expire after 30 days of inactivity. All sessions can be remotely revoked from your account settings.

💳 Payment Security

  • Task Dough is PCI-DSS compliant via certified third-party payment processors.
  • We never store raw card numbers, CVVs, or full bank account details on our servers.
  • Payment data is tokenized at the point of entry and transmitted directly to our processors over encrypted channels.

🤖 Fraud Detection

  • Our ML-based anomaly detection system monitors task submissions, withdrawal requests, and login patterns in real time.
  • Flagged accounts are reviewed by our human trust & safety team before any action is taken.
  • We use device fingerprinting and behavioral analysis to detect automation and multi-accounting.

🏗️ Infrastructure

  • Task Dough runs on cloud infrastructure with automatic failover, DDoS mitigation, and daily encrypted backups.
  • Access to production systems is restricted to a small team via hardware security keys and zero-trust network policies.
  • We are currently pursuing SOC 2 Type II certification. Updates will be posted here.

🔍 Responsible Disclosure

If you discover a security vulnerability in Task Dough, we ask that you give us the opportunity to fix it before public disclosure.

  • Email your report to [email protected] with a clear description and steps to reproduce.
  • We will acknowledge your report within 48 hours and provide a timeline for remediation.
  • We request a 90-day disclosure window to allow us to patch and deploy a fix.
  • We don't currently offer a paid bug bounty, but we publicly acknowledge researchers who report valid vulnerabilities (with your permission).

Security questions? [email protected]