Security & Vulnerability Disclosure
Last updated: June 3, 2026 · Vulnerability Disclosure Policy v1.0
Your email security is our top priority. We built DailyTaskProAI with a minimal-storage architecture, full email bodies and attachments never touch our database. Only short preview snippets of emails you've turned into tasks are persisted, so you can see task context inside your dashboard.
Found a security issue? We welcome coordinated disclosure from security researchers. Read the policy below, then report it.
Report a vulnerability
Architecture
Minimal Email Storage Active
Email content is processed in-memory only for AI scoring and draft generation, then discarded. For tasks created from emails, we persist the sender, subject, date, a short preview snippet of the body, and any reply you've drafted, but never the full email body or attachments.
Encryption Always Encrypted
All data travels through secure encrypted channels, both in transit and at rest. Connection tokens are stored with additional encryption using separate key management.
Authentication
- Official sign-in only, Google sign-in for Gmail/Workspace/Calendar, Microsoft sign-in for Outlook/365/Calendar
- No password storage, We never see or store your email password
- Secure sessions, Session tokens stored in secure, protected cookies
- Password protection, Account passwords are securely hashed and never stored in plain text
- Token management, Connection tokens auto-refresh; revoked tokens are cleaned up immediately
Infrastructure
- Hosted on dedicated infrastructure (not shared hosting)
- Strict firewall rules with minimal open ports
- Rate limiting on all API endpoints to prevent abuse
- Security headers on all responses
- Cross-origin requests restricted to approved domains only
- All database queries use safe parameterized methods
Auto-Send Safety
Revenue Risk Protection Enforced
Emails flagged as revenue risk (invoices, payment requests, deal-critical) can NEVER be auto-sent. This rule is enforced at the service layer, it cannot be overridden by users, admins, or API calls.
Independently security assessed
Google CASA Tier 2 · TAC Security ESOF
OAuth only, no passwords stored · TLS 1.3 in transit · AES-256 at rest
Credit Safety
Credits are deducted before an AI action runs. If the action fails for any reason, credits are automatically refunded. You never pay for failed operations.
Compliance
- GDPR, Full compliance. Data export and deletion on request.
- CCPA, California Consumer Privacy Act compliant.
- Google API Services User Data Policy, Limited use compliance.
- Microsoft Graph API Terms, Full compliance with data handling requirements.
Vulnerability Disclosure Policy
Version 1.0 · Effective 2026-06-03 · Operated by Navya Gourmet Private Limited
1. Introduction
DailyTaskProAI is dedicated to preserving data security by preventing unauthorized disclosure of information. This policy gives security researchers instructions for conducting vulnerability discovery activities, explains which systems and types of activity are in scope, how to send vulnerability reports, and how long we ask you to wait before publicly reporting vulnerabilities you have identified.
2. Guidelines
We request that you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or obtain data, establish command-line access or persistence, or pivot to other systems.
- Once you have established that a vulnerability exists, or encountered any sensitive data (personal data, financial information, or proprietary information of any party), stop your test, notify us immediately, and keep the data strictly confidential.
- Do not submit a high volume of low-quality reports.
3. Authorization
Security research carried out in conformity with this policy is deemed permissible. We will work with you to swiftly understand and fix the problem, and DailyTaskProAI will not suggest or pursue legal action in connection with your research.
4. Scope
This policy applies to the following systems operated by DailyTaskProAI:
- https://dailytaskproai.com, the marketing website.
- https://webapp.dailytaskproai.com, the DailyTaskProAI web application.
- https://api.dailytaskproai.com, the DailyTaskProAI REST API.
- The DailyTaskProAI Chrome extension, covered once published on the Chrome Web Store. Not yet deployed at the effective date of this policy.
Any service not explicitly listed above, including related and third-party services, is out of scope and may not be tested. Vulnerabilities in third-party solutions DailyTaskProAI interacts with (Google APIs, Razorpay, Stripe, Hostinger) should be reported directly to the relevant vendor under their disclosure policy. Email security@dailytaskproai.com if you are unsure whether a target is in scope.
5. Types of testing
The following test types are not authorized:
- Network denial-of-service (DoS or DDoS) tests.
- Physical testing (office access, tailgating), social engineering (phishing, vishing), or any other non-technical vulnerability testing.
6. Reporting a vulnerability
To report any security flaws, email security@dailytaskproai.com. We will acknowledge receipt of your report by the next business day and keep you updated on our progress. Reports may be submitted anonymously.
7. Desirable information
To process and respond to a vulnerability report effectively, please include:
- Vulnerability description.
- Place of discovery (URL, endpoint, parameter).
- Potential impact.
- Steps required to reproduce the vulnerability, scripts and screenshots welcome.
If possible, please provide your report in English.
8. Our commitment
If you choose to give your contact information, we will communicate with you transparently and in a timely manner. We will acknowledge receipt of your report within three business days, keep you informed on vulnerability confirmation and remedy to the best of our ability, and welcome a dialogue on the technical concerns you raise.
9. Google User Data, Special Handling
For vulnerabilities affecting Google user data accessed via DailyTaskProAI's OAuth integration (Gmail and Google Calendar restricted scopes), DailyTaskProAI commits to additional reporting to Google Security in line with the Google API Services User Data Policy and the Limited Use requirements.
Critical Google-data vulnerabilities will be:
- Triaged within 24 hours of receipt of a credible report.
- Reported to Google within 72 hours of confirmation, via the channel established during OAuth verification.
This reporting is in addition to, not in place of, any user notification and regulator filings required by applicable law.
A machine-readable contact entry is also available at /.well-known/security.txt per RFC 9116.