Fruitask Security

In today’s digital landscape, ensuring the security of your data is paramount. At Fruitask, we take security seriously, employing a multifaceted approach that covers everything from account sign-in to data protection. Our security measures are designed to keep individual users and teams safe while meeting organizational and compliance needs.

Account Sign-In

  • Email + password with email verification to ensure account ownership.
  • Single sign-on options with Google and GitHub for convenient access.
  • Enterprise SSO support for organizations seeking centralized identity management.
  • Password reset functionality utilizing secure, time-limited links.

Two-Factor Authentication (2FA)

  • Two-factor authentication adds an extra layer of security at sign-in.
  • We provide backup codes for recovery if you lose your second factor.
  • Sensitive security values, including 2FA secrets and backup codes, are never exposed back to the client.

Sessions & Devices

  • Active sign-ins are tracked as device sessions, detailing device type (desktop, mobile, tablet) and the IP address used.
  • Sessions automatically expire over time and can be reviewed; signing out securely ends a session.

API Keys (for Developers)

  • Generate API keys to access Fruitask programmatically.
  • Each key has scoped permissions (read, write, delete, admin) and can include an optional expiry.
  • Keys record when they were last used, so you can spot and revoke stale or unused keys.

Permissions & Access Control

  • Workspace access is structured around role-based permissions: Viewer, Editor, or a Custom set of granular permissions.
  • Permissions encompass data (rows/columns), members, comments, chat, automations, plugins, launching public pages, and AI actions — and can be scoped per table.
  • The most restrictive rule prevails when workspace and table permissions overlap, preventing accidental over-exposure.
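The API-key scoping above and the "most restrictive rule prevails" resolution between workspace and table permissions can be modelled as one authorization check. The following is an added illustration, not Fruitask's own code: the action names, the role presets and the data model are assumptions; only the scope names (read, write, delete, admin) and the role names (Viewer, Editor, Custom) come from the page.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed model of the layered checks the page describes (API-key scope,
# workspace role Viewer/Editor/Custom, per-table override) with the most
# restrictive rule winning. Action names and the data model are assumptions.
ROLE_PRESETS = {
    "Viewer": frozenset({"rows.read", "comments.read"}),
    "Editor": frozenset({"rows.read", "rows.write", "comments.read",
                         "comments.write", "automations.run"}),
}
# API-key scope each action needs; the four scope names are those on the page.
ACTION_SCOPE = {
    "rows.read": "read", "comments.read": "read", "rows.write": "write",
    "comments.write": "write", "automations.run": "write",
    "rows.delete": "delete", "members.manage": "admin",
}

@dataclass(frozen=True)
class ApiKey:
    scopes: frozenset                  # subset of {"read", "write", "delete", "admin"}
    expires_at: "datetime | None" = None
    revoked: bool = False

def key_is_live(key: ApiKey, now: datetime) -> bool:
    """Revocation applies immediately; no expiry means the key does not expire."""
    return not key.revoked and (key.expires_at is None or now < key.expires_at)

def effective_permissions(role, custom, table_overrides, table_id) -> frozenset:
    """Workspace grant narrowed by the table rule: an overlap resolves to the
    intersection, so a per-table rule can remove rights but never add them."""
    base = frozenset(custom) if role == "Custom" else ROLE_PRESETS[role]
    override = table_overrides.get(table_id)
    return base & override if override is not None else base

def authorize(action, key, now, role, custom, table_overrides, table_id) -> bool:
    """Every layer must allow the action; unknown actions are denied outright."""
    needed = ACTION_SCOPE.get(action)
    if needed is None or not key_is_live(key, now) or needed not in key.scopes:
        return False
    return action in effective_permissions(role, custom, table_overrides, table_id)

# Constructed sample data so the block runs stand-alone.
NOW = datetime(2024, 6, 1, 12, 0)
WRITE_KEY = ApiKey(frozenset({"read", "write"}), expires_at=datetime(2025, 1, 1))
READ_KEY = ApiKey(frozenset({"read"}), expires_at=datetime(2025, 1, 1))
EXPIRED_KEY = ApiKey(frozenset({"read", "write"}), expires_at=datetime(2024, 1, 1))
TABLE_RULES = {"tbl_finance": frozenset({"rows.read"})}   # this table is read-only
```

With these inputs an Editor holding WRITE_KEY can write rows in an unrestricted table but not in `tbl_finance`, and the same request with READ_KEY or EXPIRED_KEY is refused before the role is even consulted.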

Auditing & Monitoring

  • An audit log records key actions, including user, action, IP address, device/user agent, and the outcome (success or failure) — invaluable for investigating account activity.

Data Protection

  • Sensitive credentials you store (such as AI API keys and external storage provider secrets) are encrypted and not returned to the browser.
  • Files can be public or private; private files are access-controlled and served through temporary, expiring links.
  • A bring-your-own-storage option lets organizations keep files within infrastructure they manage, meeting data-residency requirements.

Privacy & Compliance

  • Fruitask provides standard legal and compliance resources, including a Privacy Policy, Terms of Service, Cookie Policy, GDPR information, a Data Processing Agreement, a subprocessor list, and data deletion/export options.

Where to Find It

  • 2FA, sessions, sign-in methods, password: Account → Security.
  • API keys: developer/API settings.
  • Permissions & roles: workspace member/collaborator settings.
  • Legal/compliance: the policy pages in the footer (Privacy, Terms, GDPR, DPA, etc.).

Requirements & Access

  • Some controls, such as enterprise SSO, audit visibility, and advanced data governance, are aimed at higher plans and organization admins.
  • API access requires generating a key with the appropriate scope.

Limits & Notes

  • Revoking an API key or ending a session takes effect immediately for new requests.
  • Enabling 2FA significantly enhances account security — be sure to store your backup codes securely.

Tips

  • Enable 2FA on every admin/owner account for heightened security.
  • Provide integrations with scoped, expiring API keys instead of broad, permanent keys.
  • Utilize Custom roles and per-table permissions to adhere to least-privilege access principles.