🔒

privacy & security whitepaper

how tack protects your data

version 1.0 — november 2025

the short version

tack is built on a zero-knowledge architecture. your message content is encrypted with your personal encryption key. tack admins can't read your stuff without your credentials.

we use AES-256-GCM encryption (military-grade), per-user keys stored in Azure Key Vault, and TLS everywhere to protect your data.

core security principles

1. zero-knowledge architecture

your message content is encrypted before it reaches our servers. tack admins can't decrypt your data without your authentication credentials. if our database were breached, encrypted messages would be useless without your personal encryption key.

2. per-user encryption keys

every user has a unique 256-bit encryption key stored in Azure Key Vault. if one user's key is compromised, other users' data stays protected. keys are protected by Azure RBAC and Entra ID authentication.

3. minimal data retention

once you act on a message (mark done, archive, or delete), tack removes the message content from our systems. we only keep minimal metadata needed for sync and deduplication.

4. defense in depth

we layer security controls: TLS for data in transit, AES-256-GCM for data at rest, Azure Key Vault for key management, and Microsoft Entra ID for authentication. multiple independent controls protect your data.

encryption implementation

algorithm: AES-256-GCM

  • 256-bit keys provide at least 128-bit security strength even against quantum attacks
  • GCM mode provides authenticated encryption (confidentiality + integrity)
  • a fresh random 96-bit IV per message ensures identical plaintexts produce different ciphertexts, so no patterns leak
  • 128-bit authentication tags detect any tampering: decryption fails rather than returning modified data
  • used by banks, governments, and military organizations worldwide

what gets encrypted

  • message subject lines
  • message body content
  • message snippets/previews
  • sender names
  • access tokens for external services (outlook, teams, gmail, slack)

what stays unencrypted (metadata)

minimal metadata needed for app functionality:

  • user email address (for authentication)
  • triage status (urgent/next/horizon/done)
  • timestamps (received date, created date)
  • message source (outlook email, teams chat, etc.)
  • external message IDs (for deduplication and sync)

key management

Azure Key Vault

all encryption keys are stored in Azure Key Vault, a FIPS 140-2 Level 2 validated hardware security module (HSM):

  • keys never leave the HSM
  • protected by Azure RBAC (role-based access control)
  • access logs for all key operations
  • service principal has minimum required permissions
  • keys can't be exported or viewed by humans

key lifecycle

  • creation: when you sign up, tack generates a unique 256-bit key and stores it in Azure Key Vault
  • usage: tack retrieves your key only when you're authenticated and actively using the app
  • deletion: when you delete your account, your key is permanently deleted from Key Vault

authentication & access control

Microsoft Entra ID

tack uses Microsoft Entra ID (formerly Azure AD) for authentication. we don't store passwords — authentication is handled entirely by microsoft with multi-factor authentication (MFA) support.

OAuth 2.0 with incremental consent

tack requests only the permissions it needs, when it needs them. you grant access to outlook, teams, calendar, and presence separately. you can revoke access at any time through your microsoft account settings.

session management

  • sessions expire after 30 days of inactivity
  • refresh tokens are encrypted and stored securely
  • you can sign out from all devices at once

infrastructure & hosting

cloud providers

  • Vercel: web app hosting (SOC 2 Type II certified)
  • Azure: key vault, container apps, web pubsub (ISO 27001 certified)
  • Neon: PostgreSQL database (SOC 2 Type II certified)
  • Upstash: Redis for background jobs (SOC 2 Type II certified)

data residency

all data is stored in Australia East (Sydney) region to comply with Australian data sovereignty requirements.

backups

database backups are encrypted at rest and retained for 7 days. backups are stored in the same region as primary data. backup encryption uses the same AES-256-GCM standard as production data.

threat model

✅ protected against

  • database breach: encrypted data is useless without keys
  • admin snooping: admins can't access user keys
  • backup exposure: backups contain encrypted data only
  • man-in-the-middle: TLS in transit plus application-layer encryption at rest (defense in depth)
  • data tampering: GCM authentication tags prevent modification

⚠️ accepted risks

  • user device compromise: if an attacker controls your session, they can decrypt your data while you're logged in
  • Azure Key Vault breach: if Azure's HSM is completely compromised (highly unlikely)
  • social engineering: if an attacker tricks you into sharing your credentials

these scenarios require significant attacker capabilities. we recommend using strong passwords, enabling MFA, and keeping your devices secure.

compliance & certifications

GDPR compliance

tack complies with the General Data Protection Regulation (GDPR). you have the right to access, correct, delete, or export your data at any time.

Australian Privacy Principles

tack follows the Australian Privacy Principles (APPs) under the Privacy Act 1988. all data is stored in Australia and processed in accordance with Australian law.

SOC 2 Type II

our cloud providers (Vercel, Neon, Upstash) are SOC 2 Type II certified, and Azure is ISO 27001 certified. we leverage their security controls as part of our defense-in-depth strategy.

security questions?

if you have security concerns or want to report a vulnerability, email us at security@setyourtack.com


© 2025 tack. all rights reserved.