Fruitask Security
In today’s digital landscape, ensuring the security of your data is paramount. At Fruitask, we take security seriously, employing a multifaceted approach that covers everything from account sign-in to data protection. Our security measures are designed to keep individual users and teams safe while meeting organizational and compliance needs.
Account Sign-In
- Email + password with email verification to ensure account ownership.
- Single sign-on options with Google and GitHub for convenient access.
- Enterprise SSO support for organizations seeking centralized identity management.
- Password reset functionality utilizing secure, time-limited links.
Two-Factor Authentication (2FA)
- Two-factor authentication adds an extra layer of security at sign-in.
- We provide backup codes for recovery if you lose your second factor.
- Sensitive security values, including 2FA secrets and backup codes, are never exposed back to the client.
Sessions & Devices
- Active sign-ins are tracked as device sessions, detailing device type (desktop, mobile, tablet) and the IP address used.
- Sessions automatically expire over time and can be reviewed; signing out securely ends a session.
API Keys (for Developers)
- Generate API keys to access Fruitask programmatically.
- Each key has scoped permissions (read, write, delete, admin) and can include an optional expiry.
- Each key records when it was last used, so you can spot stale or unused keys and revoke them.
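The API key model above (scoped permissions, optional expiry, last-used tracking, immediate revocation) can be illustrated with a small in-memory store. This is an added example, not Fruitask's own code: the `frt_` key prefix, the choice to store only a SHA-256 hash of each key, and the stale-key threshold are assumptions made here for illustration.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Scope names are the ones listed on the page.
SCOPES = frozenset({"read", "write", "delete", "admin"})


@dataclass
class ApiKeyRecord:
    key_hash: str                    # only a hash of the key is stored (assumption)
    scopes: frozenset
    created_at: datetime
    expires_at: Optional[datetime]   # None means the key never expires
    last_used_at: Optional[datetime] = None
    revoked: bool = False


class ApiKeyStore:
    """Hypothetical key store: issue, authorize, revoke, and report stale keys."""

    def __init__(self) -> None:
        self._by_hash: dict[str, ApiKeyRecord] = {}

    @staticmethod
    def _hash(raw_key: str) -> str:
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def issue(self, scopes, ttl: Optional[timedelta] = None, now: Optional[datetime] = None) -> str:
        """Create a key with the given scopes; returns the raw key exactly once."""
        unknown = set(scopes) - SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        now = now or datetime.now(timezone.utc)
        raw_key = "frt_" + secrets.token_urlsafe(32)  # prefix is a constructed example value
        record = ApiKeyRecord(
            key_hash=self._hash(raw_key),
            scopes=frozenset(scopes),
            created_at=now,
            expires_at=(now + ttl) if ttl else None,
        )
        self._by_hash[record.key_hash] = record
        return raw_key

    def revoke(self, raw_key: str) -> None:
        """Revocation flips a flag, so the very next request is already rejected."""
        record = self._by_hash.get(self._hash(raw_key))
        if record is not None:
            record.revoked = True

    def authorize(self, raw_key: str, needed_scope: str, now: Optional[datetime] = None) -> bool:
        """Return True only for a known, unrevoked, unexpired key holding the scope."""
        now = now or datetime.now(timezone.utc)
        record = self._by_hash.get(self._hash(raw_key))
        if record is None or record.revoked:
            return False
        if record.expires_at is not None and now >= record.expires_at:
            return False
        if needed_scope not in record.scopes:
            return False
        record.last_used_at = now  # last-used tracking happens on successful use
        return True

    def stale_keys(self, older_than: timedelta, now: Optional[datetime] = None) -> list[str]:
        """Hashes of live keys not used (or never used since creation) within `older_than`."""
        now = now or datetime.now(timezone.utc)
        cutoff = now - older_than
        return [
            h for h, r in self._by_hash.items()
            if not r.revoked and (r.last_used_at or r.created_at) <= cutoff
        ]
```

Usage: call `issue(["read", "write"], ttl=timedelta(days=30))` for an integration, check each request with `authorize(key, "write")`, and run `stale_keys(timedelta(days=90))` periodically to find candidates for revocation.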
Permissions & Access Control
- Workspace access is structured around role-based permissions: Viewer, Editor, or a Custom set of granular permissions.
- Permissions encompass data (rows/columns), members, comments, chat, automations, plugins, launching public pages, and AI actions — and can be scoped per table.
- The most restrictive rule prevails when workspace and table permissions overlap, preventing accidental over-exposure.
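The "most restrictive rule prevails" behaviour described above can be shown as a small permission resolver. This is an added example written for this page, not Fruitask's implementation: the permission names follow the page's list, but the split into read/write/manage granularity, the contents of the Viewer and Editor presets, and the `effective_permissions` function are assumptions made here.

```python
from typing import Dict, Iterable, Optional, Tuple

# Granular permission names (assumed split of the categories the page lists).
ALL_PERMISSIONS = frozenset({
    "data:read", "data:write",
    "members:read", "members:manage",
    "comments:read", "comments:write",
    "chat:read", "chat:write",
    "automations:run", "automations:manage",
    "plugins:use", "plugins:manage",
    "public_pages:launch",
    "ai_actions:run",
})

# Assumed preset contents: Viewer is read-only, Editor can use and change content
# but not manage members, automations or plugins.
ROLE_PRESETS = {
    "Viewer": frozenset(p for p in ALL_PERMISSIONS if p.endswith(":read")),
    "Editor": frozenset(
        p for p in ALL_PERMISSIONS
        if p.split(":")[1] in {"read", "write", "run", "use", "launch"}
    ),
}

# A rule is a role name plus, for Custom, the explicit permission set.
Rule = Tuple[str, Optional[Iterable[str]]]


def resolve_role(role: str, custom: Optional[Iterable[str]] = None) -> frozenset:
    """Expand a Viewer/Editor/Custom rule into a concrete permission set."""
    if role == "Custom":
        granted = frozenset(custom or ())
        unknown = granted - ALL_PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        return granted
    if role not in ROLE_PRESETS:
        raise ValueError(f"unknown role: {role}")
    return ROLE_PRESETS[role]


def effective_permissions(workspace_rule: Rule, table_rules: Dict[str, Rule], table: str) -> frozenset:
    """Workspace rule applies everywhere; a per-table rule can only narrow it.

    Intersection implements "most restrictive prevails": a table rule can never
    grant something the workspace role does not already allow.
    """
    workspace = resolve_role(*workspace_rule)
    if table not in table_rules:
        return workspace
    return workspace & resolve_role(*table_rules[table])


def is_allowed(workspace_rule: Rule, table_rules: Dict[str, Rule], table: str, permission: str) -> bool:
    """Authorization check for one action on one table."""
    return permission in effective_permissions(workspace_rule, table_rules, table)
```

In this model an Editor whose access to a `salaries` table is restricted to Viewer keeps read access there but loses write access, and a Custom table rule that lists `members:manage` does nothing for a user whose workspace role is Viewer, because the intersection drops it.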
Auditing & Monitoring
- An audit log records key actions, including user, action, IP address, device/user agent, and the outcome (success or failure) — invaluable for investigating account activity.
Data Protection
- Sensitive credentials you store (such as AI API keys and external storage provider secrets) are encrypted and not returned to the browser.
- Public vs. private files: Private files are access-controlled with temporary, expiring links.
- A bring-your-own-storage option allows organizations to keep files within infrastructure they manage, meeting data-residency requirements.
Privacy & Compliance
- Fruitask provides standard legal and compliance resources, including a Privacy Policy, Terms of Service, Cookie Policy, GDPR information, a Data Processing Agreement, a subprocessor list, and data deletion/export options.
Where to Find It
- 2FA, sessions, sign-in methods, password: Account → Security.
- API keys: developer/API settings.
- Permissions & roles: workspace member/collaborator settings.
- Legal/compliance: the policy pages in the footer (Privacy, Terms, GDPR, DPA, etc.).
Requirements & Access
- Some controls, such as enterprise SSO, audit visibility, and advanced data governance, are aimed at higher plans and organization admins.
- API access requires generating a key with the appropriate scope.
Limits & Notes
- Revoking an API key or ending a session takes effect immediately for new requests.
- Enabling 2FA significantly enhances account security — be sure to store your backup codes securely.
Tips
- Enable 2FA on every admin/owner account for heightened security.
- Provide integrations with scoped, expiring API keys instead of broad, permanent keys.
- Utilize Custom roles and per-table permissions to adhere to least-privilege access principles.