Deterministic enforcement path
Critical allow/deny controls run by policy rules before sensitive execution.
TAKE INTEREST enforces a zero-trust security architecture with deterministic policy enforcement — no LLMs in the security decision path. All controls are auditable, repeatable, and privacy-first. This page documents what is implemented, what is in progress, and how to report vulnerabilities responsibly.
Last updated: February 17, 2026
Deny by default. Every action requires explicit authorization. No implicit trust between components.
Security decisions are made by deterministic policy rules, not probabilistic LLM inference. Predictable. Auditable. Repeatable.
Minimal data collection. No tracking pixels or advertising cookies. Anonymous analytics only. User data is encrypted at rest and in transit. Your data stays yours.
Multiple independent layers of protection. Compromising one layer does not compromise the system.
Implemented today: all core services run on Google Cloud Platform with dedicated service accounts, encrypted storage, and network-level isolation.
Firebase Hosting serves static assets via global CDN with automatic HTTPS and HSTS.
Cloud Run hosts backend services with automatic scaling, no persistent servers, and container-level isolation.
Cloud Armor provides edge-level WAF protection including SQL injection, XSS, LFI, and RFI detection, plus rate limiting.
No tracking pixels. No data brokers. No advertising cookies. CLI telemetry is opt-out and anonymous. Dashboard analytics (Mixpanel) collect no PII. IP tracking is disabled.
Access controls are built around least privilege, explicit authentication, and environment-level separation.
During staged rollout, access remains gated and reviewed to reduce blast radius while operational controls continue to mature.
The web surface uses strict browser and origin policies to reduce client-side and cross-origin abuse paths.
Security validation includes recurring abuse-case testing, policy checks, and deployment guardrails.
Secret material and credentials are managed outside source control, with no plaintext secrets shipped in client bundles.
The controls below are actively maintained and monitored.
Critical allow/deny controls run by policy rules before sensitive execution.
Service-to-service access is isolated with explicit credentials and scoped permissions.
Turnstile, payload validation, and rate limiting are implemented in the Worker path.
Production alert routing and on-call ownership for all critical paths.
Public health and submission paths validated through external checks.
Control maturity evidence published as readiness advances.
If you discover a security vulnerability in any TAKE INTEREST product or service, please report it responsibly.
Email: security@takeinterest.ai
We aim to acknowledge reports within 48 hours and provide an initial assessment within 5 business days.
We will not pursue legal action against security researchers who report vulnerabilities responsibly and in good faith, follow this disclosure process, and avoid accessing or modifying other users' data.
TAKE INTEREST uses a zero-trust architecture with deterministic enforcement. All security decisions are made by policy rules, not probabilistic AI. The system runs locally in your infrastructure, keeps no raw data externally, and produces cryptographic audit trails for every security-relevant action.
User data stays in your infrastructure by default. TAKE INTEREST follows privacy-first principles: anonymous telemetry (decision counts, threat scores, strictness level, threshold, timing) is enabled by default to improve security patterns and can be disabled at any time. No raw prompts, commands, file paths, or PII are ever collected through telemetry. All data processing respects configurable boundaries.
No. TAKE INTEREST deliberately excludes LLMs from the security decision path. All enforcement is deterministic — pattern matching, policy rules, scope validation, and cryptographic receipt chains. This ensures security outcomes are repeatable and not vulnerable to prompt injection or model drift.
Send vulnerability reports to security@takeinterest.ai. Include a description of the issue, steps to reproduce, and any relevant logs or screenshots. We acknowledge reports within 48 hours and aim to provide a resolution timeline within 5 business days. We do not pursue legal action against good-faith security researchers.
TAKE INTEREST is building toward SOC 2 Type II compliance. Current implemented controls include encryption at rest and in transit, role-based access control, audit logging, and secure development practices. The security posture page documents what is implemented, what is in progress, and what is planned.