Your data, protected.
TroopToTask aligns with NIST SP 800-171 for the protection of Controlled Unclassified Information.
What we handle, and how we treat it.
TroopToTask manages personnel readiness data that may include Controlled Unclassified Information (CUI). This includes names, ranks, unit assignments, training records, counseling notes, and availability statuses. We treat all customer data as CUI-equivalent and apply protections accordingly.
We do not process, store, or transmit classified information at any level. TroopToTask is designed exclusively for unclassified environments.
Encrypted in transit and at rest.
All data transmitted between your browser and our servers is encrypted with TLS 1.2 or higher, enforced via HTTP Strict Transport Security (HSTS) headers. Downgrade attacks and cleartext connections are blocked.
Data at rest is encrypted with AES-256 by our infrastructure providers. Database backups, file storage, and all persistent data stores use server-side encryption with managed keys.
Every request is authorized.
Authentication is handled via Supabase Auth with support for email/password and multi-factor authentication (TOTP). Sessions are enforced with a 24-hour absolute timeout and secure cookie handling.
Authorization uses a layered approach: role-based access control (RBAC) at the application level with admin, editor, and viewer roles, combined with PostgreSQL Row-Level Security (RLS) policies that enforce tenant isolation at the database layer. Every API endpoint validates organization membership and role permissions server-side before processing requests. Sensitive document uploads and downloads are mediated through application endpoints, with private storage access enforced by explicit policies and short-lived signed URLs.
Every action leaves a trail.
TroopToTask maintains structured audit logs for security-relevant events including authentication attempts, permission changes, data modifications, and administrative actions. Logs capture the actor, action, resource, timestamp, and limited contextual metadata needed for accountability and review.
Audit records are retained for 1 year, with automated cleanup of expired entries. Audit details exclude full record contents and unnecessary sensitive fields while preserving the limited identifiers needed to answer who did what to which record.
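The layered authorization and the audit trail described in the two sections above can both be expressed as PostgreSQL Row-Level Security policies. The following is an added illustration, not TroopToTask's own schema or code: all table, column and function names are assumptions, and auth.uid() is the Supabase-provided function that returns the authenticated caller's user id. It shows tenant isolation with per-role write rules, an append-only audit table that stores identifiers rather than record contents, and a one-year retention rule enforced by the only DELETE policy on that table.

```sql
-- Added example (not TroopToTask's schema): tenant isolation and an
-- append-only audit trail as PostgreSQL Row-Level Security policies, in the
-- style of a Supabase project. Names are assumptions; auth.uid() is the
-- Supabase function returning the authenticated caller's user id.

create table if not exists org_members (
  org_id  uuid not null,
  user_id uuid not null,
  role    text not null check (role in ('admin', 'editor', 'viewer')),
  primary key (org_id, user_id)
);

create table if not exists personnel (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  name   text not null,
  rank   text,
  status text
);

-- The caller's role inside one organization, or NULL if not a member.
-- SECURITY DEFINER lets the function read org_members even when that table
-- is itself protected by RLS.
create or replace function member_role_in(p_org uuid)
returns text language sql stable security definer as $$
  select role from org_members
  where org_id = p_org and user_id = auth.uid()
$$;

-- Deny by default: with RLS enabled and forced, only rows matched by a policy
-- are visible or writable, even for the table owner (roles with BYPASSRLS
-- still skip policies, so keep application roles ordinary).
alter table personnel enable row level security;
alter table personnel force row level security;

-- Any member of the tenant can read its rows. Other tenants' rows never
-- match, so a forgotten WHERE org_id = ... in application code cannot leak.
create policy personnel_read on personnel
  for select using (member_role_in(org_id) is not null);

-- Admins and editors may insert, update and delete within their tenant.
-- WITH CHECK also blocks moving a row into an org the caller cannot write.
create policy personnel_write on personnel
  for all
  using (member_role_in(org_id) in ('admin', 'editor'))
  with check (member_role_in(org_id) in ('admin', 'editor'));

-- Audit trail: who did what to which record, identifiers only.
create table if not exists audit_log (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  org_id      uuid not null,
  actor_id    uuid,            -- who (NULL for unauthenticated login attempts)
  action      text not null,   -- e.g. 'auth.failed', 'role.changed', 'personnel.updated'
  resource    text not null,   -- table or endpoint name
  resource_id uuid,            -- which record; never the record contents
  context     jsonb not null default '{}'::jsonb  -- limited metadata, e.g. request id
);

alter table audit_log enable row level security;
alter table audit_log force row level security;

-- Anyone authenticated may append; only org admins may read.
create policy audit_append on audit_log
  for insert with check (auth.uid() is not null);
create policy audit_read on audit_log
  for select using (member_role_in(org_id) = 'admin');

-- Retention lives in the only DELETE policy: entries younger than a year cannot
-- be removed by any role subject to RLS, and there is no UPDATE policy at all.
create policy audit_expire on audit_log
  for delete using (occurred_at < now() - interval '1 year');

-- Scheduled cleanup (e.g. from pg_cron). The WHERE clause repeats the cutoff
-- so the function is safe even if run by a role that bypasses RLS.
create or replace function purge_expired_audit() returns bigint
language sql security definer as $$
  with purged as (
    delete from audit_log
    where occurred_at < now() - interval '1 year'
    returning id
  )
  select count(*) from purged
$$;
```

Applied to a Supabase project, the application would write audit rows from its API handlers with only the actor id, action name, resource name and record id, keeping counseling notes or training details out of the log, and a scheduled call to purge_expired_audit() would implement the one-year retention. Roles that carry BYPASSRLS (for example a service-role connection) ignore these policies entirely, which is why the purge function repeats the cutoff and why application traffic should use an ordinary role.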
Built on proven platforms.
TroopToTask runs on infrastructure from providers with established security programs:
- Vercel — Application hosting and edge delivery. SOC 2 Type II certified.
- Supabase — PostgreSQL database, authentication, and file storage. SOC 2 Type II certified. Hosted on AWS with isolated tenancy.
- Stripe — Payment processing. PCI DSS Level 1 certified. TroopToTask never stores credit card numbers or payment credentials.
All infrastructure is hosted within the United States.
Aligned with NIST SP 800-171.
TroopToTask's security controls align with the following NIST SP 800-171 Rev 2 control families:
- Access Control (3.1) — RBAC, RLS, session management, least privilege
- Audit & Accountability (3.3) — Structured logging, retention policies, and minimized audit details
- Identification & Authentication (3.5) — MFA support, password policies, session timeouts
- System & Communications Protection (3.13) — TLS 1.2+, AES-256, security headers, CSP
- System & Information Integrity (3.14) — Input validation, rate limiting, error handling
- Incident Response (3.6) — Documented response procedures, contact channels
TroopToTask is built for military leaders who need a practical, secure way to stay on top of personnel and readiness without creating more administrative drag.
FedRAMP is mainly a factor in formal government procurement and officially sanctioned enterprise adoption. It does not, by itself, determine whether a commercial platform can be useful to military leaders working within local policy, command guidance, and common-sense data handling.
Like any operational tool, TroopToTask should be used in a way that matches your organization's guidance. That means keeping classified information and any data required to remain in approved government systems out of the platform.
Built to help leaders, used with common sense.
TroopToTask exists to make unit management easier for leaders who are tired of piecing together personnel, training, readiness, and day-to-day tracking across too many disconnected tools. We focus on strong security, careful handling of personnel information, and practical controls that support responsible use.
The goal is simple: give leaders better visibility, less friction, and a more reliable way to manage the work they are already doing. Formal federal procurement and enterprise adoption can involve additional compliance review, but that is a separate question from whether a platform is useful, secure, and workable for leaders operating within their local policies, approval chain, and mission needs.
We recommend using TroopToTask in ways that match local policy and sound judgment. That means avoiding classified information, highly sensitive operational details, or anything your command or cybersecurity office has directed to stay inside approved government systems. Our aim is to give leaders a secure, helpful platform they can trust today while continuing to strengthen the product for more demanding compliance environments over time.
Report a vulnerability.
If you discover a security vulnerability in TroopToTask, we encourage responsible disclosure. Please report findings to:
We ask that you provide a reasonable amount of time for us to address reported issues before public disclosure. We will acknowledge receipt within 48 hours and aim to provide a resolution timeline within 5 business days.