Manager Toolkit logo

Security and Encryption

How your data is encrypted, where it is stored, and our security practices.

Last updated April 2026

Security is built into every layer of Manager Toolkit. This article explains how your data is protected in transit, at rest, and through the services we use.

Encryption in Transit

All communication between your browser and Manager Toolkit is encrypted using HTTPS (TLS). This means your catchup notes, actions, survey responses, and all other data cannot be intercepted or read by third parties while in transit.

HTTPS is enforced on all connections. There is no option to access Manager Toolkit over an unencrypted connection. This applies to the web application, the API, and all shared links such as survey participation pages and retrospective sessions.

Infrastructure Security

Manager Toolkit runs entirely on Cloudflare infrastructure, which provides enterprise-grade security, DDoS protection, and a global edge network.

Cloudflare Workers

Our API runs on Cloudflare Workers, a serverless platform with built-in isolation between requests.

Cloudflare D1

Your management data is stored in Cloudflare D1 databases with encryption at rest.

Cloudflare Pages

The web application is served from Cloudflare Pages with automatic HTTPS and edge caching.

Global edge network

Requests are handled at the nearest Cloudflare data centre, reducing latency and improving reliability.

Authentication Security

Manager Toolkit uses Clerk for all authentication. This means:

  • Passwords are never stored by Manager Toolkit directly. Clerk handles password hashing and storage using industry-standard algorithms.
  • Sessions are managed using secure, short-lived tokens.
  • Multi-factor authentication (MFA) is supported through Clerk.
  • Google sign-in uses OAuth 2.0, so your Google password is never shared with us.

Payment Security

Payments for Pro subscriptions are handled entirely by Stripe. Manager Toolkit never sees, stores, or processes your card details. Stripe is PCI DSS Level 1 compliant, the highest level of payment security certification.

When you enter payment information during the upgrade process, you are interacting directly with Stripe's secure checkout. Your card number, expiry date, and CVC are transmitted to Stripe and never pass through Manager Toolkit's servers.

Token Encryption

If you connect your Google Calendar to Manager Toolkit, the access tokens used for syncing are encrypted before being stored. These tokens are only used for calendar synchronisation and can be revoked at any time from your profile settings.

Token encryption ensures that even if the underlying storage were compromised, the tokens would not be usable without the corresponding decryption keys. When you disconnect your Google Calendar, the stored tokens are permanently deleted.

Security Practices

We follow secure development practices including parameterised database queries to prevent SQL injection, input sanitisation for AI prompts, and JWT-based API authentication. We regularly review our security posture and address issues promptly.

All user input that is sent to AI models is sanitised to reduce the risk of prompt injection attacks. API endpoints validate authentication tokens on every request, and access is scoped to ensure users can only interact with their own data.

If you discover a security vulnerability or have concerns about the safety of your data, please report it immediately through our contact page. We take all reports seriously and will respond as quickly as possible.

Was this article helpful?