Security Client Side and Server Side

VL

I am interested in using this for work, but have a few security concerns that I'd like clarified. I understand that data is transmitted securely. Is the data itself encrypted on the server side? I understand that you use AWS and that it is an option, but I've never seen anywhere where it explicitly states that it is in fact encrypted on the server side. Also, is it encrypted at the client side first before it is sent to the server? Thanks.

All responses

David Trey staff
Replied on Feb 06, 2014 - 17:45

Hello Victor,

SSL encrypts the data that's been transferred for the transfer. That is, as you send it, it gets encrypted, sent in an encrypted form and decrypted internally by the server.

Furthermore, we can assure you that neither we, nor anyone else is ever accessing any user data at any time.


Best regards,
David

Victor Lam
Replied on Feb 06, 2014 - 17:56

Thanks David for the answer. To clarify, on the server side, all of my task entries and attachments are not encrypted? Are they stored in plain text or are they encoded somehow so that if someone happens to see it during some kind of maintenance internally my information is not displayed?

David Trey staff
Replied on Feb 06, 2014 - 18:03

Victor,

As on the majority of cloud-based services, the data itself, once it reaches the secure server, is not additionally encrypted. It's not possible that someone would access it, though. We never do, and Amazon Web Services have a lot of very high security and privacy standards and certificates; we're confident that they're not accessing their customers' databases and reading data in them.


Best regards,
David

Lidor Wyssocky premium
Replied on May 04, 2014 - 18:48

Hi David,

I just saw that Amazon Web Services enables the encryption of data on their servers (see: https://aws.amazon.com/s3/faqs/).

Just wondering if there's any plan to use this ability to further protect users' data.

Thanks,
Lidor

Brendon Wadey staff
Replied on May 05, 2014 - 02:50

Lidor,

I am not sure what you are referring to from Amazon; their services are already encrypted and as secure as they can be, which is why we and many other large companies use them as our backend.

Any major changes to security and their backend are almost always automatic for anyone using it.

Regards,
Brendon.

Lidor Wyssocky premium
Replied on May 05, 2014 - 11:59

According to the response above, the data is not encrypted on the server. From what I read Amazon's Server Side Encryption is optional, but I might have not understood correctly...

Regards,
Lidor

Brendon Wadey staff
Replied on May 05, 2014 - 18:05

Lidor,

You are correct, it does appear to be something as an option. We have passed this along to everyone and are looking into it. We most likely will add this into everything that needs it, as we try to always be as secure as possible.

Regards,
Brendon.

Andreas N. premium
Replied on May 06, 2014 - 15:48

Now I am a bit confused. :-S

In this thread http://todoist.com/Support/show/25471/ you said that all data on AWS is encrypted.

So I thought that the AWS encryption is turned on? Isn't it?

Brendon Wadey staff
Replied on May 06, 2014 - 16:40

Andreas,

Yes, on the way to the server it's encrypted before it leaves and decrypted once it gets there. This new update allows the files you attach to be encrypted at all times. This is specifically about files. Now in terms of access to your account and how to log in and all that, it's all encrypted at all times.

I hope that clears it up?

Regards,
Brendon.

Andreas N. premium
Replied on May 06, 2014 - 16:46

Thank you Brendon for the clarification!

That means the files are already stored in an encrypted form on AWS or is it planned for the future? In the old thread you said that files are already encrypted at rest.

As far as I understood, the task information is not stored in an encrypted form. Is it planned with the AWS encryption option?

Brendon Wadey staff
Replied on May 06, 2014 - 16:55

Andreas,

It's a bit complicated as there are a few stages of where the files are and how they get from one place to another. I can say that all encryption options that are available, and will be available, are going to get added. We take security very seriously.

When I mentioned encryption at rest, I simply meant that with SSL and how browsers work and the different stages/layers, it's technically encrypted, at least your account is. Now with this new update, each file will be encrypted, on top of your account already being encrypted (SSL password encryption). So when you access the file, when you don't touch the file, anything, it's still encrypted.

Regards,
Brendon.

Andreas N. premium
Replied on May 07, 2014 - 07:44

Okay, thank you Brendon! :-)

AS
Replied on May 11, 2014 - 19:25

Is all data at rest, including the text and files uploaded or inputted, encrypted on the server? This includes both the text inputs into Todoist (such as Task and Project names) and attached files.

David Trey staff
Replied on May 12, 2014 - 12:22

Hello AS,

This data is not stored in an encrypted format, neither on the server end, nor in your browser where all your tasks and projects are cached using HTML5, but we can assure you that no one has access to it at all and all communication to and from Todoist is fully encrypted.


Best regards,
David

Lennard premium
Replied on Jun 08, 2014 - 20:22

Hi,

Your greatest advantage over Google Keep is that you are not Google and that I don't wish to hand them my life's daily business on a silver plate. So you should consider it a major advantage and a plus for possible customers to show that you care for the data security of your customers. "We can assure you that we don't look into your data" is not a way to build trust. "We use <insert strong open encryption standard>" is.

So if you want to count me and others who are interested in the safety of their data among your customers, please make this a priority.

Lennard

Søren Bjørnsgaard Kristensen premium
Replied on Jul 31, 2014 - 06:28

Hi Todoist,

Thank you for a very good tool.

Waiting to hear your response to Lennard's input and plans to enable server side encryption?

Soeren

Clyde Romo staff
Replied on Jul 31, 2014 - 09:52

Hi Soeren,

Here's a summary of information for data security.

- the data is stored on our hosting provider: Amazon Web Services. For more detailed information about AWS' security please visit this page: http://aws.amazon.com/security/
- we use a 256-bit SSL key
- we are hashing your passwords and using a unique salt. For hashing we are currently using sha1, but we may change to bcrypt soon.


Regards,
Clyde
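
The password-hashing point in the summary above (salted sha1 now, possibly bcrypt later), as an added example that is not Todoist's code: one way to move stored hashes from a fast salted SHA-1 to a slow password hash by re-hashing at each successful login. The record format, the salt-then-password layout and the function names are assumptions, and scrypt from the Python standard library stands in for bcrypt.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Assumption: records are "scheme$salt_hex$digest_hex"; the page does not say
# how the salt and password are combined, so salt || password is assumed.
# scrypt is a stand-in for bcrypt, which is not in the standard library.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def legacy_sha1(password: str, salt: bytes) -> str:
    """Fast salted SHA-1, standing in for the scheme currently in use."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return "sha1$" + salt.hex() + "$" + digest


def slow_hash(password: str, salt: bytes | None = None) -> str:
    """Memory-hard scrypt hash; a fresh 16-byte salt unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_and_upgrade(password: str, stored: str) -> tuple[bool, str]:
    """Check a login attempt and return (ok, record_to_store).

    A correct login against a legacy record returns a new scrypt record, so
    fast hashes leave the database as users sign in.
    """
    scheme, salt_hex, _ = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "sha1":
        candidate = legacy_sha1(password, salt)
    elif scheme == "scrypt":
        candidate = slow_hash(password, salt)
    else:
        return False, stored
    # Constant-time comparison: timing does not reveal how much matched.
    if not hmac.compare_digest(candidate, stored):
        return False, stored
    return True, (slow_hash(password) if scheme == "sha1" else stored)


if __name__ == "__main__":
    record = legacy_sha1("correct horse", os.urandom(8))  # constructed sample
    ok, record = verify_and_upgrade("correct horse", record)
    print(ok, record.split("$")[0])
```

Accounts that never sign in again keep their SHA-1 record under this scheme, so a migration usually also needs a plan for those (for example, wrapping the old digest in the slow hash).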