// Trust & Security Report

    Any.do Inc. logo

    Any.do Inc.

    Task management and collaboration platform with personal, family, and team tiers. Includes task lists, calendar integration, AI assistant (does not train on customer data), integrations with 6000+ apps, and team collaboration features.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR Compliance Posture
    HELD

    Privacy policy states: 'access from Israel is covered by the Adequacy Decision issued by the European Commission about Israel.' GDPR data processing practices documented in privacy policy.

    Verify on any.do
    > Show 5 unconfirmed / not-held certifications
    SOC 2 (Type 1 or Type 2)
    NOT CONFIRMED

    No public evidence. Web search and vendor domain review found no mention of SOC 2 certification.

    source: any.do
    ISO 27001
    NOT CONFIRMED

    No public evidence. No ISO 27001 certification mentioned in privacy policy, help center, or public documentation.

    source: any.do
    HIPAA
    NOT CONFIRMED

    No public evidence. Not mentioned in any accessible vendor documentation.

    source: any.do
    PCI DSS
    NOT CONFIRMED

    No public evidence. Not mentioned in vendor documentation.

    source: any.do
    FedRAMP
    NOT CONFIRMED

    No public evidence. Not applicable for this vendor based on public documentation.

    source: any.do

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Not publicly specified. Company headquartered in Tel Aviv, Israel. No data residency options mentioned.

    Any.do explicitly states in their privacy policy: 'we do not use or retain data obtained through these APIs to train, improve, or develop non-personalized machine learning (ML) or artificial intelligence (AI) models.' The platform includes an AI assistant feature that does not train on customer data.

    // Security controls

    Encryption in Transit

    Yes, stated as 'Data is encrypted in transit when syncing between devices and Any.do servers.' Specific standard (TLS version) not specified.

    support.any.do

    Encryption at Rest

    Not explicitly documented. Privacy policy mentions 'appropriate technical, organizational and security measures' but does not specify encryption at rest details.

    any.do

    Two-Factor Authentication

    Available. Security code sent to email on new device session.

    support.any.do

    Data Center Locations

    Not publicly specified.

    any.do

    Vulnerability Disclosure / Bug Bounty

    Not mentioned in public documentation.

    any.do

    // Products & data scope

    Any.do PersonalIndividual task management

    data: Personal tasks, lists, reminders, calendar integration

    Free tier available. Freemium model. No special security considerations vs team tier.

    Any.do FamilyFamily collaboration

    data: Shared family boards, grocery lists, household projects, family member tasks

    Shared but private to family members. Same underlying infrastructure as personal tier.

    Any.do Team/WorkspaceTeam collaboration and project management

    data: Team projects, boards, task assignments, shared calendars, integrations with 6000+ apps

    Paid tier. No mention of enterprise-grade security features or SLA-based support. Same compliance posture as personal tier.

    // What to watch

    • No enterprise-grade certifications (SOC 2, ISO 27001) despite 40M+ user base. Suggests product positioned for consumers/SMBs, not enterprise.
    • Company has ~15 employees managing 40M+ users, indicating lean infrastructure team. Raises questions about security operations maturity.
    • Encryption at rest not explicitly documented. Privacy policy only mentions 'appropriate measures' without specifics.
    • No Data Processing Agreement (DPA) mentioned or linked in privacy policy. May hinder B2B enterprise sales requiring DPA.
    • Privacy policy includes broad liability disclaimers: 'we cannot guarantee that the information will not be exposed as a result of unauthorized penetration to our servers.' This is a notable caveat on data protection promises.
    • No dedicated trust center or security documentation page. Security information scattered across help articles and legal docs.
    • Data center locations and infrastructure providers not publicly disclosed.
    • No vulnerability disclosure program or bug bounty program mentioned.
    • Headquartered in Israel (outside EU/US data hub). May trigger data residency concerns for some enterprise customers despite adequacy decision.

    // At a glance

    Pricing model

    Freemium with paid premium tiers. No per-seat pricing detailed in public docs.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Any.do Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    any.do

    > Browse all vendor trust reports