Your data, protected.
TroopToTask aligns with NIST SP 800-171 for the protection of Controlled Unclassified Information.
What we handle, and how we treat it.
TroopToTask manages personnel readiness data that may include Controlled Unclassified Information (CUI). This includes names, ranks, unit assignments, training records, counseling notes, and availability statuses. We treat all customer data as CUI-equivalent and apply protections accordingly.
We do not process, store, or transmit classified information at any level. TroopToTask is designed exclusively for unclassified environments.
Encrypted in transit and at rest.
All data transmitted between your browser and our servers is encrypted with TLS 1.2 or higher, enforced via HTTP Strict Transport Security (HSTS) headers. Downgrade attacks and cleartext connections are blocked.
Data at rest is encrypted with AES-256 by our infrastructure providers. Database backups, file storage, and all persistent data stores use server-side encryption with managed keys.
Every request is authorized.
Authentication is handled via Supabase Auth with support for email/password and multi-factor authentication (TOTP). Sessions are enforced with a 24-hour absolute timeout and secure, HttpOnly cookies.
Authorization uses a layered approach: role-based access control (RBAC) at the application level with admin, editor, and viewer roles, combined with PostgreSQL Row-Level Security (RLS) policies that enforce tenant isolation at the database layer. Every API endpoint validates organization membership and role permissions server-side before processing requests.
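The database-layer half of that approach can be expressed directly as PostgreSQL Row-Level Security policies. The following is an added illustration, not TroopToTask's own schema or policies: the table and column names and the `organization_members` membership table are assumed, and `auth.uid()` is the Supabase helper that returns the calling user's JWT subject.

```sql
-- Added example (assumed schema, not the project's own): tenant isolation by
-- organization, with the admin/editor/viewer role layered onto write access.

create table organization_members (
  organization_id uuid not null,
  user_id         uuid not null,
  role            text not null check (role in ('admin', 'editor', 'viewer')),
  primary key (organization_id, user_id)
);

create table readiness_records (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  soldier_name    text not null,
  status          text not null
);

-- Enable RLS and force it for the table owner too, so no code path bypasses it.
alter table readiness_records enable row level security;
alter table readiness_records force row level security;

-- Helper: the caller's role within the given organization, or NULL if not a
-- member. SECURITY DEFINER lets it read the membership table even when that
-- table is itself protected by RLS; the fixed search_path prevents hijacking.
create or replace function member_role(org uuid) returns text
language sql stable security definer set search_path = public as $$
  select role from organization_members
  where organization_id = org and user_id = auth.uid();
$$;

-- Read: any member of the organization, and only rows of that organization.
create policy records_select on readiness_records
  for select using (member_role(organization_id) is not null);

-- Insert/update: admins and editors only. The WITH CHECK clause also blocks
-- re-homing a row into an organization where the caller lacks write rights.
create policy records_insert on readiness_records
  for insert with check (member_role(organization_id) in ('admin', 'editor'));

create policy records_update on readiness_records
  for update
  using (member_role(organization_id) in ('admin', 'editor'))
  with check (member_role(organization_id) in ('admin', 'editor'));

-- Delete: admins only. Viewers match no write policy and are denied by default.
create policy records_delete on readiness_records
  for delete using (member_role(organization_id) = 'admin');
```

With these policies in place, an application-layer bug that forgets to filter by organization still cannot return or modify another tenant's rows, because the database rejects them before the API sees them.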
Every action leaves a trail.
TroopToTask maintains structured audit logs for security-relevant events including authentication attempts, permission changes, data modifications, and administrative actions. Logs capture the actor, action, resource, timestamp, and contextual metadata.
Audit records are retained for 90 days, with automated cleanup of expired entries. Personally identifiable information is filtered from log details to maintain data minimization principles.
Built on proven platforms.
TroopToTask runs on infrastructure from providers with established security programs:
- Vercel — Application hosting and edge delivery. SOC 2 Type II certified.
- Supabase — PostgreSQL database, authentication, and file storage. SOC 2 Type II certified. Hosted on AWS with isolated tenancy.
- Stripe — Payment processing. PCI DSS Level 1 certified. TroopToTask never stores credit card numbers or payment credentials.
All infrastructure is hosted within the United States.
Aligned with NIST SP 800-171.
TroopToTask's security controls align with the following NIST SP 800-171 Rev 2 control families:
- Access Control (3.1) — RBAC, RLS, session management, least privilege
- Audit & Accountability (3.3) — Structured logging, retention policies, PII filtering
- Identification & Authentication (3.5) — MFA support, password policies, session timeouts
- System & Communications Protection (3.13) — TLS 1.2+, AES-256, security headers, CSP
- System & Information Integrity (3.14) — Input validation, rate limiting, error handling
- Incident Response (3.6) — Documented response procedures, contact channels
While we are not FedRAMP authorized, we continuously improve our posture to support organizations that handle CUI.
Report a vulnerability.
If you discover a security vulnerability in TroopToTask, we encourage responsible disclosure. Please report findings to:
We ask that you provide a reasonable amount of time for us to address reported issues before public disclosure. We will acknowledge receipt within 48 hours and aim to provide a resolution timeline within 5 business days.