This Information Security Policy outlines the comprehensive framework of principles, controls, and practices that Airtasks Inc. ("Airtasks") has implemented to protect the confidentiality, integrity, and availability of information. Our commitment is to safeguard the data entrusted to us by our customers and to ensure the resilience of our systems and services against evolving security threats. This policy provides a transparent overview of our security posture and our dedication to maintaining a secure environment for our customers, partners, and employees.
This policy applies to all information assets owned or managed by Airtasks, including customer data, intellectual property, and corporate information. It governs the entire Airtasks ecosystem, encompassing all products and services operated by the company, such as Specs, Docs, Closeout, and the core Airtasks platform. Adherence to this policy is mandatory for all Airtasks employees, contractors, and third-party vendors who have access to our information systems.
The protection of information is a shared responsibility at Airtasks. While the executive leadership team holds ultimate responsibility for the Information Security Program, every member of the Airtasks team is accountable for upholding this policy within their respective roles. Specific responsibilities are defined and communicated to ensure a cohesive and security-conscious culture throughout the organization.
Airtasks' leadership is fundamentally committed to information security. The executive team is responsible for sponsoring, resourcing, and maintaining a comprehensive Information Security Program. This program is designed to be agile and responsive to the dynamic threat landscape, ensuring that our security measures remain effective and robust.
This Information Security Policy is a living document. It is subject to a formal review at least annually, or more frequently in response to significant changes in our operating environment, technological advancements, or emerging security threats. Updates are managed through a formal change control process to ensure consistency and clarity.
A strong security posture begins with our people. All Airtasks employees are required to complete mandatory security awareness training upon hiring and on an ongoing annual basis. This training covers key security topics, including data handling, threat recognition, and incident reporting, to ensure our team remains our strongest defense.
Airtasks employs a data classification scheme to categorize information based on its level of sensitivity, criticality, and legal requirements. All data is classified into defined categories (e.g., Public, Internal, Confidential, Restricted), and each category has specific handling requirements to ensure appropriate levels of protection are applied.
We implement robust technical controls to protect data throughout its lifecycle. Customer data is encrypted in transit using industry-standard protocols such as Transport Layer Security (TLS 1.2 or higher). Data at rest is protected using advanced encryption standards, such as AES-256, leveraging the native encryption capabilities of the Google Cloud Platform (GCP) storage infrastructure.
Our data retention policies are designed to meet both our customers' needs and our legal and regulatory obligations. Data is retained for periods defined in our customer agreements and is securely disposed of at the end of its lifecycle using industry-accepted methods to prevent unauthorized access or recovery.
Access to Airtasks' information systems is governed by the principle of least privilege. This means that users are granted only the minimum level of access necessary to perform their job functions. A formal process is in place for requesting, approving, and revoking access, with periodic reviews to ensure ongoing appropriateness.
Airtasks enforces strong authentication measures to protect against unauthorized access. This includes the enforcement of robust password policies, which mandate complexity, length, and regular rotation. We are actively progressing toward the mandatory adoption of Multi-Factor Authentication (MFA) across all critical systems to provide an additional layer of security.
Access to systems with elevated privileges is severely restricted to a small number of authorized personnel. All privileged access is logged, monitored, and regularly reviewed to detect and investigate any anomalous activity, ensuring accountability and safeguarding our core infrastructure.
Our platform and services are built on the secure and scalable foundation of the Google Cloud Platform (GCP). We leverage the robust security features of GCP and utilize Google Kubernetes Engine (GKE) to manage our containerized applications, benefiting from Google's significant investment in infrastructure security.
Our network architecture is designed with security at its core. We employ network segmentation to isolate critical environments and utilize virtual private clouds (VPCs) and granular firewall rules to control traffic flow between services. This layered approach minimizes the attack surface and contains potential threats.
Encryption is a fundamental component of our defense-in-depth strategy. All data transmitted between our users and our services is encrypted using TLS. All customer data stored within our platform is encrypted at rest, ensuring that information remains confidential even in the unlikely event of a physical security breach.
Security is integrated into every phase of our software development lifecycle (SDLC). Our engineering teams adhere to secure coding best practices, and all code is subject to mandatory peer review for potential security flaws before deployment. We conduct automated static and dynamic security scans on a weekly basis to proactively identify and address vulnerabilities.
Airtasks maintains a formal vulnerability management program to identify, assess, and remediate security weaknesses in a timely manner. Vulnerabilities are triaged based on their severity, and remediation efforts are prioritized accordingly to mitigate the most significant risks to our platform and our customers.
We recognize that the security of our supply chain is critical. We utilize automated tools to actively monitor the third-party libraries and dependencies incorporated into our software. This allows us to promptly identify and update components with known vulnerabilities, reducing our exposure to supply chain attacks.
Airtasks employs a range of monitoring and logging solutions to detect potential security incidents across our infrastructure and applications. We have established clear, accessible channels for all employees and external parties to report suspected security events, ensuring a rapid and coordinated response.
In the event of a security incident, Airtasks follows a well-defined Incident Response Plan. This plan outlines the procedures for containing, investigating, eradicating, and recovering from security events. The plan is designed to minimize impact, restore services promptly, and ensure transparent communication with affected customers as appropriate.
To ensure the resilience and availability of our services, customer data is backed up on an hourly basis. These backups are encrypted and stored securely in geographically distinct locations to protect against data loss in the event of a localized failure.
Airtasks maintains a comprehensive Disaster Recovery (DR) plan. We conduct periodic testing of our DR processes to validate their effectiveness and ensure that we can restore services and recover data within our defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
Airtasks is committed to upholding the privacy of our users. Our data protection practices are designed to comply with applicable data privacy laws, such as the GDPR and CCPA. For a detailed explanation of how we collect, use, and protect personal data, please refer to our official Privacy Policy.
We are dedicated to aligning our security program with industry best practices and recognized security frameworks. Airtasks is actively working toward achieving key industry certifications, such as SOC 2, to provide independent, third-party validation of our security controls and commitment to our customers.
We operate under a shared responsibility model. While Airtasks is responsible for securing our platform and infrastructure, our customers are responsible for their own security practices. This includes managing user access within their organization, safeguarding their authentication credentials, and using the security features of our products responsibly.
The threat landscape is not static, and neither is our security program. This Information Security Policy is reviewed and updated at least annually to ensure it remains relevant, effective, and aligned with our commitment to protecting our customers.
Airtasks is committed to the continuous enhancement of our security posture. We maintain a security program maturity roadmap that outlines key initiatives and future improvements. Current priorities include achieving full MFA adoption across all systems and pursuing formal security certifications to further strengthen trust and transparency with our customers.