As a Premium Customer, all your data is being transferred to and from Todoist using 256-bit SSL encryption (certificate verified by Equifax, see - Right-click -> Page Info -> Security for more details) and is being backed up daily. Soon, we will introduce an option to store your data locally on your computer.
Right now, the data is stored on our hosting provider: Amazon Web Services. For more detailed information about AWS' security please visit this page:
I'm not so concerned about SSL or your server protocols, but I noticed you don't have users re-authenticate before changing username, email, or password. Kind of a 101 for security.
Specifically, are you hashing our passwords and adding a unique salt? Can you discuss a bit about steps you've taken to make the application level secure?
Yes, we are hashing your passwords and using a unique salt. For hashing we are currently using sha1, but we may change to bcrypt soon.
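Moving from salted SHA-1 to a slow password hash, as the reply above mentions, is usually done at login, because the plaintext is only available then. The sketch below is an added example, not Todoist's code: it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt (which needs a third-party package), and the `sha1$...` / `pbkdf2$...` record formats, function names and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def legacy_sha1_record(password: str, salt: bytes) -> str:
    """Old scheme: one SHA-1 pass over salt + password (fast, so cheap to guess)."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def slow_record(password: str, salt: bytes = b"", iterations: int = ITERATIONS) -> str:
    """New scheme: PBKDF2-HMAC-SHA256 with a random 16-byte salt per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(password: str, stored: str):
    """Return (ok, replacement). replacement is a new record only when a
    legacy SHA-1 record verified and should be overwritten in the user table."""
    try:
        scheme, *fields = stored.split("$")
        if scheme == "sha1" and len(fields) == 2:
            candidate = legacy_sha1_record(password, bytes.fromhex(fields[0]))
            ok = hmac.compare_digest(candidate.encode(), stored.encode())
            return ok, (slow_record(password) if ok else None)
        if scheme == "pbkdf2" and len(fields) == 3:
            iterations, salt = int(fields[0]), bytes.fromhex(fields[1])
            candidate = slow_record(password, salt, iterations)
            return hmac.compare_digest(candidate.encode(), stored.encode()), None
    except ValueError:
        pass  # malformed salt or iteration count
    return False, None  # unknown or malformed record: fail closed


if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample
    old = legacy_sha1_record("correct horse", salt)
    print(verify_and_upgrade("correct horse", old))
```

Accounts that never log in again keep their SHA-1 record under this scheme, so a migration also needs a plan for those rows, such as a forced reset after a cutoff date.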