Security
Last Updated: 24 Mar 2026
At Taqiro, we understand that your data—whether it’s sensitive business plans or personal tasks—is valuable and deserves the highest level of protection. Our users trust us to keep their information secure, private, and accessible whenever they need it, and we take that responsibility very seriously.
To uphold this trust, Taqiro maintains a robust security system designed to:
- Prevent unauthorized access at every level;
- Continuously monitor for vulnerabilities and threats; and
- Pursue ongoing, proactive improvements to stay ahead of emerging security risks and technologies.
Related Policies: This Security Policy is part of Taqiro’s overall user agreement and should be read alongside our Privacy Policy and Terms of Service. Together, these documents explain how your data is collected, used, and protected, and govern your use of the Taqiro Service.
Please review each policy carefully. Your use of the Service indicates your acceptance of this Security Policy, along with the Terms of Service and Privacy Policy.
If you are using the Service on behalf of an organization, you represent and warrant that you have the authority to bind that organization to these terms and policies. In such cases, "you" refers to the organization. If you do not agree to these terms or any of the related policies, please do not use the Service.
1. Data Protection
We take the security and privacy of your data seriously. Our infrastructure and policies follow industry best practices to protect your information at every stage.
- In Transit: All data transmitted between your device and our servers is encrypted using modern Transport Layer Security (TLS 1.2 or higher), ensuring secure and private communication.
- At Rest: User data is hosted on Amazon Web Services (AWS) servers. Data is encrypted at rest using AES-256 encryption, widely recognized as the industry standard. AWS’s built-in firewalls and infrastructure-level safeguards protect your data from unauthorized remote access.
- Physical Security: Taqiro relies on AWS for the physical security of the data centers where your data is processed and stored. AWS maintains an extensive list of reports, certifications, and third-party attestations to ensure state-of-the-art data center security. For more information on AWS’s Physical and Environmental Security, as well as Logical Access and Security controls, please refer to the official AWS security documentation and whitepapers: https://aws.amazon.com/security/.
- Minimal Data Collection: We collect only the personal information necessary to operate the service securely. We do not store unnecessary personal identifiers, location data, or payment details beyond what is essential.
- Framework Alignment: Our controls are mapped against SOC 2 Type II criteria and ISO 27001:2013 controls as a benchmark. We rely on AWS’s certifications and perform internal reviews, change-control checks, and ad-hoc security validation when we build new components.
We work with enterprise customers to discuss dedicated regional deployments and tooling that keep data within preferred jurisdictions while still synchronizing with integrations. Cross-border transfers rely on contractual controls and data flow logging to demonstrate compliance with local residency requirements.
2. Infrastructure & Access Control
- Access to production systems and databases is granted only to authorized personnel who require it for their job functions.
- Role-based access control (RBAC) is enforced across systems.
- Access levels are reviewed regularly and revoked upon employee offboarding.
- All administrative access is logged and monitored.
3. Monitoring & Incident Detection
Our security team continuously monitors our systems to detect and respond to threats:
- Continuous Monitoring: Automated tools and processes are in place to scan for vulnerabilities, suspicious activities, and anomalies across our infrastructure and applications 24/7.
- Incident Response: We maintain comprehensive incident response plans that define clear procedures for the rapid detection, assessment, containment, eradication, recovery, and post-incident analysis of any security incidents. Our team is prepared to quickly address and mitigate detected issues to minimize impact.
- Log Retention: We retain security-related logs, such as API access logs and database audit trails, for a period of 7 days. This aligns with our service provider's retention policies and is sufficient for security analysis, incident response, and legal compliance. After this period, these logs are no longer directly accessible and are securely deleted or anonymized.
4. Disaster Recovery & Business Continuity
We employ robust measures to ensure the continuous availability and recoverability of your data, even in the event of unforeseen incidents. Our database infrastructure includes:
- Automated Daily Backups: All user data in our primary databases is automatically backed up on a daily basis. These backups are encrypted and stored securely.
- High Availability Architecture: Our underlying cloud infrastructure is designed for high availability and resilience, with features like redundant systems and automated failover mechanisms to maintain service uptime.
- Data Restoration Protocols: We maintain documented procedures for data restoration using our backups to quickly recover and restore service in case of a major incident, ensuring business continuity.
5. Employee Security Practices
All Taqiro employees undergo security training to understand best practices and their role in protecting your data. We enforce:
- Strong password policies and multi-factor authentication for internal systems.
- Phishing-resistant multi-factor authentication, such as FIDO2 security keys or equivalent, for all privileged accounts.
- Clear guidelines on data handling and confidentiality.
- Background checks for employees with access to sensitive information.
6. Third-Party Risk Management
We work only with trusted third-party service providers who comply with strict security standards:
- All providers undergo security assessments before engagement.
- They are contractually obligated to protect your data and use it only to deliver the services we require.
- Examples include payment processors (Stripe) and customer support platforms (Zoho Desk).
7. Security Disclosure
We welcome reports of security vulnerabilities. If you discover a security issue affecting our systems, please email security@taqiro.com with the following:
- Description of the vulnerability
- Steps to reproduce (if applicable)
- Proof of concept or screenshot
- Your contact details for follow-up
We appreciate ethical disclosure and respond promptly.
8. Data Breach Response
Although we have not yet needed to issue customer notifications, if we ever experience a reportable data breach we commit to the following response steps:
- Detection & Containment: Immediately investigate the incident, contain affected systems, and isolate any exploited resources.
- Impact Assessment: Determine which users, systems, or data elements were affected and whether sensitive data was exposed.
- Notification: Notify impacted users within 72 hours whenever required by law and whenever the breach risks user rights or freedoms. We notify regulators only when mandated by law and document the legal basis for any required disclosure.
- Remediation: Fix vulnerabilities, rotate compromised credentials, and strengthen internal controls.
- Review & Reporting: Keep an incident report and root cause analysis for every material incident to learn from it.
Where state laws (such as certain U.S. statutes) require longer notice windows (typically 30-45 days), we comply in addition to the GDPR/72-hour standard. Notification recipients normally include the Primary Account Holder, registered administrators, and any regulators requiring separate filings or public notice.
9. GDPR and Global Compliance
Taqiro is accessible worldwide, and we strive to comply with major international data protection laws. We implement safeguards and processes to respect user rights and ensure secure handling of personal data, including but not limited to:
- EU GDPR (EU/EEA): Users have rights to access, correct, delete, restrict, or export their personal data. Cross-border transfers outside the EU are protected using Standard Contractual Clauses (SCCs) and other legally recognized mechanisms.
- Indian IT Act and related rules (India): Data processing complies with national security and privacy frameworks.
- CCPA/CPRA (California): While we do not sell personal data, California residents may request access to, deletion of, or information about their data.
- UK GDPR, LGPD (Brazil), Singapore PDPA, Australia Privacy Act / APPs, Japan APPI, Virginia VCDPA, and other region-specific laws: We respond to data rights requests and implement data processing safeguards in accordance with applicable local regulations.
Taqiro’s privacy and security practices are designed to meet global compliance standards while ensuring transparency, control, and protection for all users.
We regularly monitor global legal requirements to ensure ongoing compliance and update our policies as needed.
We do not sell your personal data. Your information may be shared only with trusted third-party service providers (such as payment processors and customer support platforms) under strict confidentiality and contractual obligations to protect your privacy and use data solely to maintain and provide the Service.
For data rights requests or privacy inquiries, please contact us at support@taqiro.com.
10. Contact & Questions
If you have any questions about our Security Policy or practices, please contact us at: support@taqiro.com
11. Policy Updates
We may update this Security Policy from time to time to reflect changes in our practices or legal requirements. All changes will be posted on our website with an updated revision date. We encourage you to review this policy periodically.