Our approach to trust
Volunteer data is sensitive. Contact details, availability, allocations, and sometimes information about minors all sit inside TaskWiz, and the organisations that use it - surf clubs, charities, community groups, councils - trust us to handle that data carefully.
We take a "secure by default" position. We use managed, enterprise-grade infrastructure rather than rolling our own; we apply the principle of least privilege; and we encrypt data both in transit and at rest. This page describes the specifics.
Infrastructure & hosting
TaskWiz runs entirely on Google Cloud Platform, with all customer data stored in Australia.
- Application hosting: Google App Engine (region: australia-southeast1, Sydney).
- Database: Google Firestore (managed NoSQL, encrypted at rest, automatically replicated across zones).
- File storage: Google Cloud Storage (Sydney region).
- Background processing: Google Cloud Tasks (queued, retried, monitored).
- Analytics: Google BigQuery, used internally for aggregated usage reporting.
- Secrets management: Google Secret Manager (API keys and credentials are never stored in source code).
Choosing GCP means TaskWiz inherits the physical security, network controls, and resilience of Google's data centres, which are independently certified to ISO 27001, SOC 1/2/3, and PCI DSS.
Authentication & access control
- Identity provider: Auth0 (an Okta company), SOC 2 Type II and ISO 27001 certified.
- Australian tenant: identity data is stored in the AU region.
- No passwords stored by TaskWiz: credentials, password resets, and multi-factor authentication are all handled by Auth0.
- Organisation-scoped access: every user belongs to one or more organisations, and data is partitioned accordingly.
- Role-based permissions (RBAC): administrators, coordinators, and contributors each see only what they need.
- Server-side authorisation: every protected API endpoint verifies Organisation and Event access on the server, not just in the UI.
- Single sign-on (SSO): available on request for organisations with their own identity provider.
Data security
- In transit: all traffic is encrypted with TLS 1.2 or higher.
- At rest: Firestore and Cloud Storage encrypt data with AES-256 using Google-managed keys.
- Secrets: API keys, third-party credentials, and signing keys are stored exclusively in Google Secret Manager, with access limited to the running application.
- Internal network: service-to-service communication uses Google's private network where possible, not the public internet.
- Logging: application and access logs are retained for diagnostics and incident response, with personal data minimised in log output.
Application security
- Source code is held in private repositories with mandatory code review on every change.
- Automated dependency scanning flags known vulnerabilities, and dependencies are updated regularly.
- Type-safe API contracts validate every request and response, eliminating a common class of input-handling bugs.
- Authorisation checks run on the server for every protected operation - the UI is never the only gate.
- Production deployments are reproducible, versioned, and auditable.
Sub-processors
TaskWiz uses a small number of trusted third parties to deliver the service. We update this list when it changes.
* Some Organisations configure their own email provider (e.g. their own Mailgun, SendGrid, or MailChimp account) - in those cases, email is delivered through the organisation's chosen provider rather than ours.
Backups & availability
- Firestore: managed daily exports, retained for a rolling 7 days.
- App Engine: auto-scaling with managed redundancy across multiple availability zones.
- Recovery: point-in-time restoration available for accidental deletion or data corruption.
We don't currently publish a formal uptime SLA. If you need one for procurement, contact us.
Privacy & data handling
TaskWiz complies with the Australian Privacy Principles (APPs) under the Privacy Act 1988. All customer data is stored in Australia and is not transferred offshore except through the sub-processors listed above.
For the full details of what we collect, why, and your rights, see our Privacy Policy.
Who builds TaskWiz
TaskWiz is designed and operated by Marc Schregardus, the founder of Man on the Moon Pty Ltd. Marc is a Google Cloud certified Professional Cloud Architect and Professional Data Engineer, with a background in commercial software engineering and prior production experience integrating Auth0 across enterprise applications.
The platform is built on the same patterns and tooling Marc has used to deliver software for larger organisations - applied here at a scale and price point that suits volunteer-led groups.
Reporting a security issue
If you believe you have found a security vulnerability in TaskWiz, please email hello@taskwiz.pro. We acknowledge reports within two business days and will keep you informed as we investigate.
Please do not publicly disclose the issue until we have had a reasonable opportunity to address it.
Changes to this page
We will update this page when our infrastructure, sub-processors, or practices change. The effective date at the top reflects the most recent update. Material changes affecting how we handle customer data will also be communicated to organisation administrators.
Contact information
For questions about this page, our security practices, or vendor onboarding paperwork:
- Email: hello@taskwiz.pro
- Contact Us: Go to the Contact Us form
