Todoist security, privacy, and compliance


In this article, we aim to answer all your questions about how we handle your personal information, the security measures we implement, and our compliance with global regulations like the GDPR. 

Quick tip

Check out our comprehensive Privacy Policy and Security Policy which outlines the measures we take to protect your information in greater detail.

Security

Security refers to the measures and protocols we implement to protect your data from unauthorized access, breaches, and other threats. It encompasses the technical and procedural safeguards we put in place to ensure that your data remains confidential, integral, and available.

We restrict staff access to personal data to a very small number of employees who need access for specific reasons to improve Todoist and Twist.

We regularly test, assess and evaluate the effectiveness of our processes and technology.

We use encryption to safeguard data.

When user data is stored in servers and databases, Doist uses AES 256 encryption. When the data is being sent or received, it is encrypted with TLS 1.1 or above. Data backups on our servers are encrypted with AES256 and signed by RSA with 2048 key length.

Additionally, Todoist creates automatic backups within the app on a daily basis for Pro and Business users. We take the necessary safeguards to ensure that these are well protected by maintaining a security system that prevents unauthorized access.

Since GDPR has various requirements, your compliance needs will depend on your precise circumstances. If you have specific questions or needs, please contact us.

When using Todoist on an individual plan under a default personal workspace, Doist is considered a Data Processor which means that we control how your user data is processed and are responsible for the data to be processed within GDPR. By using our service, you grant Doist the right to share your content with other authorized users within the context of our collaboration features and functionalities. 

By sharing your content with other Todoist users (including in team workspaces or in shared projects within a personal workspace), you grant each of those users the right to access your content through our service, and to use, reproduce, distribute, display, edit, perform, and otherwise interact with such content. When you create or join a team workspace (which in this case is considered organizational), you agree to comply with the policies of the applicable organization and any agreement between you and that organization. It means the organization is the owner of all user content in the respective workspace. All user content in the organizational workspace may be shared with the organization and may be modified, deleted, or accessed by the organization. The organization may terminate your access to the organizational workspace at any time and you may not be able to access your content in that workspace. By transferring any content to the organizational workspace, you grant the organization broad rights to your user content.

We provide full access to data via our API, allowing you to obtain the personal data that was provided to us and/or transfer it to another controller. You can find our API for Twist and Todoist here:

https://developer.todoist.com/sync/v7/#getting-started

https://developer.twistapp.com/v2/

Please note that payment information and integrations are not available via our API. In case you want to obtain this information or if you need help exporting your data, get in touch.

User content, such as tasks and comments, resides in our data stores, which get shielded from internet traffic, and have a strict access policy inside the company. 

Access to it is audited, requires multiple layers of authentication, and is only allowed for a valid business purpose. In other words, there's no way for any entitled internal employee to access it without others knowing. The need to access user content is rare. 

Yes, after a while. The system first marks records as deleted before actually deleting them. Soft deletions ensure content is inaccessible by client applications. Hard deletions occur later, deferred in time. The system's behavior supports our multi-device synchronization mechanisms. Records marked as deleted help synchronization algorithms to perform data state conflict resolution.

User content is also present in database backups. They exist for business continuity, in case we ever face a disastrous scenario of data loss, a long period of data unavailability, or data corruption. All data, including backups, are kept encrypted at rest. To date, we have never needed to use database backups.

Database backups do not allow access to each user's data. Instead, we can restore them into a live database, where regular data access controls apply. The backups are rotated automatically and won't last more than 94 days.

Privacy

Privacy refers to how we collect, use, share, and manage your personal data. It involves ensuring that your personal information is used in a way that respects your rights and expectations.

The data we collect is required for us to provide you with our services and is used to improve Twist and Todoist.

When registering for Todoist and/or Twist you voluntarily give us information such as your name and email address. You can access and update this information at any time in your personal Account Settings.

In addition, when you use our services, you give us consent to use the following data:

  • Email
  • IP address
  • Device ID
  • Name and surname (optional, not processed)
  • Job (optional, not processed)
  • Phone number (optional, not processed)
  • VAT ID (optional)
  • Invoice address (for Pro and Business accounts)

To have your personal data exported, please contact us.

We provide full access to data via our API, allowing you to obtain the personal data that was provided to us and/or transfer it to another controller. You can find our API for Twist and Todoist here:

Note that payment information and integrations are not available via our API. In case you want to obtain this information, get in touch.

No, we never sell data.

Upon deleting your account, all your personal data will be removed from our production systems. Only an encrypted copy of your data will remain on our backup archives for 90 days. After this period, all data associated with your account will be deleted permanently. Please note that we don't provide the encrypted copy from our backup archives upon request. 

We use cookies to collect information about your browsing activities and to distinguish you from other Todoist users. This aids your experience when using our app as well as allows us to improve its functionality.

We use the following cookies:

  • Strictly necessary cookies: required to perform your login functionality, user authentication, and security;
  • Functional cookies: used to recognize you when you return to our website and personalize our content for you, greet you by name, and remember your preference;
  • Analytical and advertising cookies: used to help us understand how users engage with our product. We use a handful of third-party cookies: Google Analytics (analyzing website traffic and user behavior), Datadog (monitoring web performance and user experience), Stripe (handling payments and pricing/upgrade page), Zendesk (loading images and providing support or Help Center), YouTube (displaying videos on Help Center pages), Cloudinary (loading and optimizing images).

We use GDPR-compliant third-party services and hosting partners such as Stripe, AWS, and Google Workspace. In these cases, we take the necessary safeguards to ensure that we are GDPR compliant when sending and receiving data from a third party. Check out Todoist’s security and privacy policies and Twist’s security and privacy policies for more information.

When necessary, we use the following GDPR-compliant third-party services:

  • Amazon Web Services
  • ChartMogul
  • CloudBees Rollout
  • Datadog
  • Meta (Facebook)
  • Firebase
  • Google Analytics
  • HubSpot
  • MailChimp
  • Mailgun
  • Microsoft Azure
  • Microsoft Visual Studio App Center
  • PartnerStack
  • ProfitWell
  • Qualaroo
  • RequestMetrics
  • SendGrid
  • Sentry
  • Stripe
  • Zendesk

Yes, we do. We process data in North Virginia, USA using Amazon Web Services (AWS). We only collect as little data as possible, and all data is encrypted using AES 256 encryption.

Compliance

Compliance refers to our adherence to laws, regulations, and standards that govern how we handle your data. It ensures that our practices align with legal and regulatory requirements to protect your rights as a user. Compliance involves demonstrating that we follow these rules and can be held accountable for maintaining them.

GDPR

At Doist, we're fully compliant as of May 25th, 2018. The General Data Protection Regulation (GDPR) is a regulation designed to help citizens and residents of the European Union (EU) protect their personal data by specifying how such data may be collected, processed, and stored. 

Yes, from our end. Of course, if your customers are in a location where the GDPR applies, they need to make sure their business operation is compliant with the GDPR in its own right.

Yes, we offer a DPA that's pre-signed on behalf of Doist. It can be completed by filling out your details and signing it here.

SOC 2 and HIPAA

Currently, we have not yet pursued a SOC2 or HIPAA certification. That said, we’d love to learn more about any compliance certifications you and your team require to adopt Todoist. Let us know!

Get in touch

Do you have any unanswered questions? Get in touch. We — Pierre, Marco, Diane, or another one of our 14 teammates — are happy to answer them!