Trust & Security

Your work stays yours.

How Taktly protects your continuous-improvement work — written plainly, no marketing language. If a question isn’t answered here, email security@gettaktly.com.

Infrastructure

Encrypted in transit. Encrypted at rest.

  • TLS 1.3 in transit. Every connection between your browser and Taktly is encrypted end-to-end. HTTP requests are redirected to HTTPS automatically.
  • AES-256 at rest. All data in our Supabase Postgres database is encrypted at rest, including database backups and file uploads.
  • Row-level security (RLS). Every database table is protected with RLS policies. A user can only read or write rows that belong to them — enforced at the database layer, not in application code.
  • Daily automated backups. Point-in-time recovery available through Supabase. We test restoration procedures quarterly.
  • Hosted in AWS US-East. Primary region for both application and database. Edge caching globally via Vercel.
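The row-level security bullet above is the one point on this page that is a concrete mechanism rather than a vendor attribute, so here is an added illustration of what "enforced at the database layer, not in application code" looks like in Supabase Postgres. This is example SQL written for this page, not Taktly's own schema or policies; the table name, columns, and the `request.jwt.claims` setting used in the verification step are assumptions.

```sql
-- Added example, not Taktly's actual schema: the Postgres/Supabase RLS pattern
-- described above. Table and column names are assumptions.
create table projects (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null references auth.users (id) on delete cascade,
  title      text not null,
  created_at timestamptz not null default now()
);

-- Once RLS is enabled, a table with no policies returns no rows to ordinary
-- roles: deny by default, whatever the application code asks for.
alter table projects enable row level security;
-- Apply the policies to the table owner too, so a connection running as the
-- owning role cannot silently bypass them.
alter table projects force row level security;

-- auth.uid() is Supabase's helper that reads the "sub" claim of the caller's JWT.
-- "to authenticated" means the anon role gets no policy at all, hence no rows.
create policy "owner can read own projects"
  on projects for select
  to authenticated
  using (owner_id = auth.uid());

create policy "owner can create own projects"
  on projects for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "owner can update own projects"
  on projects for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());  -- also blocks re-assigning a row to another user

create policy "owner can delete own projects"
  on projects for delete
  to authenticated
  using (owner_id = auth.uid());

-- Verification from the SQL editor: impersonate an authenticated user by setting
-- the JWT claims the helper reads (setting name assumed to match Supabase's).
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
                  true);
-- Expected: only rows whose owner_id equals that sub are returned; an UPDATE or
-- DELETE aimed at another user's row reports 0 rows affected rather than an error.
select id, title from projects;
rollback;
```

Two practical notes for anyone reviewing a setup like this: the Supabase service-role key bypasses RLS by design, so it belongs only in trusted server-side code and never in the browser bundle; and because a policy-less table under RLS returns nothing, a missing policy shows up as an empty result rather than a leak, which is the failure mode you want.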

Subprocessors

Every third party we use.

Five vendors handle parts of the Taktly stack. Each is contractually obligated to protect your data and is itself audited under recognized security frameworks. Click any vendor name to read their public security documentation.

Vendor   | Purpose                                                             | Region                         | Compliance
Supabase | Postgres database, authentication, file storage                     | AWS US-East                    | SOC 2 Type II, HIPAA-eligible
Vercel   | Application hosting, edge network, TLS termination                  | Global edge, US-East primary   | SOC 2 Type II, ISO 27001, PCI-DSS Level 1
Stripe   | Subscription billing and payment processing                         | US                             | PCI-DSS Level 1, SOC 1, SOC 2 Type II
Resend   | Transactional email (signup confirmations, lead-magnet delivery)    | US                             | SOC 2 Type II

We’ll notify you at least 30 days before adding a new subprocessor. Subscribe to subprocessor changes by emailing security@gettaktly.com.

Your data, your decision

Export anytime. Delete anytime.

  • You own your work. Every charter, A3, exec summary, and PDF you generate is yours. We don’t claim license, ownership, or any right to use your project content for marketing without your written consent.
  • Export anytime. Every artifact downloads as a print-ready PDF. Raw data export (JSON) available on request through hello@gettaktly.com.
  • One-click workspace reset. The Reset workspace feature in Settings deletes every project and its contents. Profile, branding, and login are preserved.
  • Account deletion. Email hello@gettaktly.com with the subject “Delete my account” and we erase everything within 24 hours. We retain only what we’re legally required to keep (billing records, usually 7 years).

Access

Small team. Logged access. Least privilege.

  • Single-operator administration. Vernon Lee, the founder, is the only person with administrative access to the production database.
  • Authentication. Email + password with optional magic-link sign-in via Supabase Auth. Passwords are hashed with bcrypt; we never store plain-text passwords.
  • Admin gating. The admin command center is gated to an explicit allowlist of email addresses. Even an authenticated user outside that allowlist gets a “Not authorized” response, not a partial view.
  • Audit logging. Authentication events, billing events, and admin-relevant system events are recorded with timestamps for review.

Regulated records (21 CFR Part 11 / EU Annex 11)

What Taktly is — and what it isn't — in a GxP environment.

Taktly is a pre-review intelligence layer, not the Part-11 system of record. Your validated eQMS or eDMS remains the system of record for signed CAPAs, deviations, and investigations. Taktly drafts and audits the work; your validated system holds the signed artifact.

We get this question every week and we’d rather answer it before the procurement call than during it:

  • Every AI suggestion is an unsigned draft. No Taktly output carries an electronic signature. Your team reviews, modifies, or rejects every draft before it leaves the workspace.
  • Model version is pinned. A specific OpenAI model ID is locked per release; upgrades are change-controlled with a public CHANGELOG entry so an auditor can see exactly which model rendered a given draft.
  • Prompts are versioned. Audit-engine prompts are version-stamped in source and exportable on request for QA review.
  • Full audit export. Every engine draft, every human accept / modify / reject, and every tollgate sign-off exports as CSV / JSON for inclusion in your validated record.

Customers running Taktly in a GxP environment typically scope us as a pre-review tool in their SOP — the same way a senior reviewer reads a draft CAPA before it enters the eQMS for signature.

If something goes wrong

Acknowledge in 24 hours. Disclose in 72.

If you discover a security issue or suspect one, email security@gettaktly.com. You’ll receive an acknowledgment within 24 hours.

If a security incident affects your account, we will notify you directly within 72 hours of discovery, including: what happened, what data was affected, what we’ve done about it, and what you should do next.

Responsible-disclosure researchers: we appreciate you. No bug bounty program yet, but we credit valid findings publicly (with your permission) and respond personally to every report.

Compliance

Where we stand today.

Taktly is an early-stage company. Here’s where compliance work stands honestly — what we have, what’s in progress, and what we’ll add when buyers need it.

In place today

  • TLS 1.3 encryption everywhere
  • AES-256 at rest (Supabase)
  • Row-level security on every table
  • PCI-DSS for payments (Stripe)
  • Privacy Policy + Terms of Service
  • One-click data export and deletion

In progress

  • SOC 2 Type I — Q3 2026
  • SOC 2 Type II — Q1 2027
  • Cyber liability insurance — Q3
  • Data Processing Agreement (DPA) template
  • Subprocessor change notification process

Available on request

  • Security questionnaire (CAIQ-Lite)
  • Architecture diagram
  • Incident response runbook
  • Backup & recovery procedures
  • Data Processing Agreement (DPA) signing

On the roadmap

  • HIPAA BAA capability
  • Single Sign-On (SSO / SAML)
  • Audit log export
  • Data residency options (EU, Canada)

Need any of the above for your security review? Email us — we respond within one business day.

Questions for your security team?

Send a security questionnaire, ask for a DPA, request our architecture diagram — we respond personally within one business day.