Security at KnotDo

Your task data is private. Here's exactly how we protect it.

Encryption in transit

All connections use HTTPS with TLS 1.3. We enforce HSTS and redirect all HTTP traffic to HTTPS. Your data is never sent over unencrypted connections.

Password security

Passwords are hashed with bcrypt at cost factor 12. We never store plaintext passwords. We never log passwords. If you forget your password, we send a short-lived reset link — we can't recover your original password because we don't have it.
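The reset flow described above, as an added example (not KnotDo's own code): a short-lived, single-use reset token is issued and only its SHA-256 digest is kept server-side, so neither a database read nor a log line yields a working link. The in-memory store and the 15-minute lifetime are assumptions for illustration.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Hypothetical in-memory store: token digest -> (user_id, expiry timestamp).
# A real service would keep this in its database; the dict is a stand-in.
RESET_STORE: Dict[str, Tuple[str, float]] = {}
RESET_TTL_SECONDS = 15 * 60  # assumed lifetime; the page only says "short-lived"


def _digest(token: str) -> str:
    # Store a one-way digest, never the token itself.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a reset token for user_id and return it for the emailed link.

    Only the digest is stored, so the original token cannot be recovered
    from the store later (mirroring "we don't have it" for passwords).
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    RESET_STORE[_digest(token)] = (user_id, now + RESET_TTL_SECONDS)
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if token is known and unexpired, else None.

    The entry is removed on first lookup, so a token works at most once
    and an expired token is discarded rather than honoured.
    """
    now = time.time() if now is None else now
    entry = RESET_STORE.pop(_digest(token), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    return user_id


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock.
    t = issue_reset_token("user-42", now=1_000.0)
    print("first use :", redeem_reset_token(t, now=1_010.0))   # user-42
    print("second use:", redeem_reset_token(t, now=1_011.0))   # None
    late = issue_reset_token("user-42", now=1_000.0)
    print("expired   :", redeem_reset_token(late, now=1_000.0 + RESET_TTL_SECONDS + 1))  # None
```

Pairing a digest lookup with a CSPRNG token means the store holds nothing an attacker could replay, and popping on lookup closes the reuse window without a separate "used" flag.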

Session security

Session tokens are stored in cookies with the HttpOnly and Secure flags: page scripts cannot read them, so an XSS bug cannot exfiltrate the session token, and the browser only sends them over HTTPS. Sessions expire on sign-out. We support two-factor authentication (TOTP) for all accounts.
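The two transport and session protections above (HSTS in the "Encryption in transit" section, and HttpOnly/Secure cookies here) can be verified from a response's headers. The following checker is an added example, not KnotDo's code; it assumes the session cookie is named `session` and treats one year as the minimum acceptable HSTS `max-age`, and it also reports a missing `SameSite` attribute, which the page does not mention.

```python
from http.cookies import SimpleCookie
from typing import Dict, List

ONE_YEAR = 31_536_000  # seconds; assumed minimum HSTS max-age


def check_transport_headers(headers: Dict[str, str], min_hsts_age: int = ONE_YEAR) -> List[str]:
    """Return findings about HSTS; an empty list means the policy is met."""
    findings: List[str] = []
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
        return findings
    directives = [d.strip().lower() for d in hsts.split(";")]
    max_age = next((d for d in directives if d.startswith("max-age=")), None)
    value = max_age[len("max-age="):] if max_age else ""
    if not value.isdigit() or int(value) < min_hsts_age:
        findings.append(f"HSTS max-age below {min_hsts_age} seconds")
    return findings


def check_session_cookie(set_cookie_value: str, name: str = "session") -> List[str]:
    """Parse a Set-Cookie value and report missing HttpOnly/Secure/SameSite."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    if name not in jar:
        return [f"cookie {name!r} not set"]
    morsel = jar[name]
    findings: List[str] = []
    if not morsel["httponly"]:
        findings.append("session cookie lacks HttpOnly")
    if not morsel["secure"]:
        findings.append("session cookie lacks Secure")
    if not morsel["samesite"]:
        findings.append("session cookie lacks SameSite")
    return findings


if __name__ == "__main__":
    # Constructed responses: a weak configuration beside a hardened one.
    weak_headers = {"Set-Cookie": "session=abc123; Path=/"}
    hardened_headers = {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Set-Cookie": "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    }
    for label, hdrs in (("weak", weak_headers), ("hardened", hardened_headers)):
        findings = check_transport_headers(hdrs) + check_session_cookie(hdrs["Set-Cookie"])
        print(f"{label}: {findings or 'ok'}")
```

Feed it the headers from a real response (for example `requests.Response.headers`) to confirm a deployment still matches the stated policy after a configuration change.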

Infrastructure

KnotDo runs on Hetzner servers in Germany (EU). Data stays within the EU. We use automated backups with 30-day retention. Database access is restricted to the application server — no public-facing database ports.

Data access

Only you can access your task data. VARO Industries employees cannot read your tasks — database access is restricted and all access is logged. We do not sell data. We do not use your data to train AI models.

Breach notification

In the event of a security incident affecting your personal data, we will notify you within 72 hours as required by GDPR Article 33, along with a clear description of what happened and what we're doing about it.

Responsible Disclosure

If you discover a security vulnerability in KnotDo, please report it to us privately before public disclosure. We'll acknowledge receipt within 24 hours and work to resolve valid issues within 7 days for critical vulnerabilities.

Email: [email protected]

Please include: steps to reproduce, potential impact, and your contact information. We do not have a formal bug bounty program at this time.

For privacy questions, see our Privacy Policy.