Todoist Security Policy
From confidential business proposals to personal home projects, our users trust us to keep their data secure, private, and available whenever they need it. We take that responsibility seriously.
At Todoist, we maintain a security system that:
- Prevents all unauthorized access;
- Supports continuous monitoring for potential vulnerabilities; and
- Embraces ongoing, proactive improvement to stay on top of the latest security tools and threats.
All user data including project names, task names, comments, uploaded files, account information, and payment information are sent using industry best practices regarding traffic: Specifically, we use TLS 1.1-1.2 secure channels and support both 128-bit or 256-bit configurations, depending on the browser.
We use Amazon Web Services (AWS) servers to host all user data. We make extensive use of their built-in firewalls to protect your data against unauthorized remote access.
Projects, tasks, comments, account information, and payment information are all stored and encrypted at rest.
All files uploaded after April 11, 2016 are stored and encrypted at rest. Encrypting these files adds an additional layer of security. Files uploaded prior to this date are still fully protected from unauthorized physical and remote access by AWS firewalls.
AWS data centers undergo annual certifications to ensure they meet the highest standards of physical and virtual security. You can find more information on AWS security practices at http://aws.amazon.com/security/.
All data included in Dropbox and Google Drive attachments remain on those companies’ servers and are covered by their respective security policies and practices.
All user data is automatically backed up on AWS servers with the capability to provide point-in-time recovery down to the second.
Additionally, Todoist creates automatic backups within the app on a daily basis. You can also create a backup at any time. These backups can be accessed in Account Settings and can be used to recover data for any project or task. You can find more information about how backups work here.
Report a Vulnerability
If you have discovered a security vulnerability on Todoist, please let us know right away on email@example.com. We will do our best to fix these right away.
We verify account access through both email/password-based authentication and Google Accounts authentication via OAuth 2.0.
When email/password-based authentication is used, we always store individuals passwords with unique salts to add an extra layer of protection to your account.
Alternatively, OAuth provides a seamless way to create and access your account without Todoist ever needing to access or store your Google login credentials.
Todoist Business Admin Controls
For Todoist Business accounts, we provide two different user roles and access privileges: admin and user.
Account administrators have access to the central control panel to manage billing information, users, and sharing settings. Access to any shared projects must be granted by the account administrator from the control panel.
Sharing Settings allows the administrator to choose between restricting sharing to only employees within the organization or allowing sharing outside of the organization (e.g., with clients, vendors, etc.).