Security at TAKE INTEREST

Security is a product primitive. We publish what is implemented, what is still in progress, and how to disclose issues responsibly.

Last updated: February 17, 2026

Implemented security principles

Zero-trust by default

Deny by default. Every action requires explicit authorization. No implicit trust between components.

Deterministic enforcement

Security decisions are made by deterministic policy rules, not probabilistic LLM inference. Predictable. Auditable. Repeatable.

Privacy-first

Minimal data collection. No tracking pixels or advertising cookies. Anonymous analytics only. User data is encrypted at rest and in transit. Your data stays yours.

Defense in depth

Multiple independent layers of protection. Compromising one layer does not compromise the system.

Infrastructure

Implemented today: all core services run on Google Cloud Platform with dedicated service accounts, encrypted storage, and network-level isolation.

Firebase Hosting serves static assets via global CDN with automatic HTTPS and HSTS.

Cloud Run hosts backend services with automatic scaling, no persistent servers, and container-level isolation.

Cloud Armor provides edge-level WAF protection including SQL injection, XSS, LFI, and RFI detection, plus rate limiting.

No tracking pixels. No data brokers. No advertising cookies. CLI telemetry is opt-out and anonymous. Dashboard analytics (Mixpanel) collect no PII. IP tracking is disabled.

Product security controls

Access controls are built around least privilege, explicit authentication, and environment-level separation.

During staged rollout, access remains gated and reviewed to reduce blast radius while operational controls continue to mature.

The web surface uses strict browser and origin policies to reduce client-side and cross-origin abuse paths.

Security validation includes recurring abuse-case testing, policy checks, and deployment guardrails.

Secret material and credentials are managed outside source control, with no plaintext secrets shipped in client bundles.

In progress and disclosure commitments

We do not claim certification before audit evidence is ready. The items below are active and tracked before launch cutover.

In progress: Operational alerting ownership

On-call ownership and production alert routing are being finalized before cutover.

In progress: Public API cutover verification

Public health and submission paths must pass external checks before launch.

In progress: Formal compliance certification

SOC 2 is not claimed today; control maturity evidence will be published as readiness advances.

Implemented controls are publicly summarized and monitored continuously.

Deterministic enforcement path
Least-privilege runtime boundaries
Contact API abuse controls

Responsible disclosure

If you discover a security vulnerability in any TAKE INTEREST product or service, please report it responsibly.

Email: security@takeinterest.ai

We aim to acknowledge reports within 48 hours and provide an initial assessment within 5 business days.

We will not pursue legal action against security researchers who report vulnerabilities responsibly and in good faith, follow this disclosure process, and avoid accessing or modifying other users' data.