// Trust & Security Report

    Appest Inc. logo

    Appest Inc.

    TickTick is a consumer/prosumer to-do list, calendar, and habit-tracking app (web, desktop, mobile) with a Premium subscription tier and a Team/Collaboration feature (shared lists, task assignment); no distinct enterprise/admin-governed tier or API product was found.

    Certifications held

    1

    Maturity

    Startup

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (posture, not a certification)
    HELD

    "When absolutely necessary, TickTick uses third party services and hosting partners who are GDPR-compliant" and the policy commits to breach notification "within 72 hours" of a qualifying incident.

    Verify on ticktick.com
    > Show 6 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence. TickTick's Security page (https://ticktick.com/security) describes AWS hosting, encryption at rest, firewalls, and backups, but does not mention SOC 2 anywhere.

    source: ticktick.com
    ISO 27001
    NOT CONFIRMED

    No public evidence. Not mentioned on the Security page, Privacy Policy, or Terms of Service, and no trust center exists.

    source: ticktick.com
    HIPAA
    NOT CONFIRMED

    No public evidence. No mention of HIPAA, Business Associate Agreements (BAA), or healthcare-specific handling anywhere on the vendor's Security, Privacy, or Terms pages.

    source: ticktick.com
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence of this certification; not referenced anywhere on the vendor's site.

    source: ticktick.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of this certification; not referenced anywhere on the vendor's site.

    source: ticktick.com
    PCI DSS
    NOT CONFIRMED

    No public evidence. Payment details are described only as "stored and encrypted at rest"; no PCI DSS attestation is referenced. Payments are likely processed by a third party (e.g. Stripe, per privacy-policy references), which would carry its own PCI scope rather than TickTick's.

    source: ticktick.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Not explicitly disclosed for general user data. AI features are stated to run on "Amazon Web Services (AWS)" infrastructure "in the United States"; no regional data-residency options (e.g. EU-only storage) are described.

    The privacy policy explicitly states for AI features: "your data is neither shared with third-party AI providers nor used to train our models." No opt-out is needed since training is stated not to occur at all; no tier-based distinction (free vs Premium) was found in the policy text captured.

    // Security controls

    Encryption at rest

    "User data, including task details, account information and payment details, are all stored and encrypted at rest."

    ticktick.com

    Encryption in transit

    Not explicitly specified with a protocol name (e.g. TLS version) on the vendor's Security page; the page does not detail transit encryption.

    ticktick.com

    Infrastructure / hosting

    Hosted on "Amazon Web Services (AWS) in the United States" with "built-in firewalls to protect your data against unauthorized remote access" and "continuous monitoring for potential vulnerabilities."

    ticktick.com

    Backups

    Data is "automatically backed up on AWS servers with the capability of providing point-in-time recovery."

    ticktick.com

    Breach notification

    Policy states users will be notified within 72 hours after TickTick becomes aware of a qualifying breach likely to create a risk to user rights.

    ticktick.com

    Data sharing with third parties

    "we will never share your data with third parties without your prior permission" and the policy states personal data will never be sold to third parties.

    ticktick.com

    // Products & data scope

    TickTick (Free)Consumer to-do list / calendar app

    data: Task data, calendar entries, habit-tracking logs, account info (name, email, device/browser info).

    Core product; same infrastructure and privacy posture as Premium, feature-gated rather than security-gated.

    TickTick PremiumConsumer subscription tier

    data: Same data scope as Free plus additional storage/attachment limits and advanced features (unlimited calendar subscriptions, folders, etc.).

    TickTick AI featuresAI-assisted task creation / NLP date parsing

    data: Task text and, per privacy policy, potentially AI interaction text/audio.

    Vendor explicitly states this data is not shared with third-party AI providers and not used to train models; hosted on AWS.

    TickTick Team / CollaborationShared lists and task assignment for small groups

    data: Shared task/list data, collaborator identities.

    No dedicated enterprise admin console, SSO, or org-wide compliance documentation was found; appears to be a feature within the same consumer product rather than a separate enterprise SKU.

    // What to watch

    • No SOC 2, ISO 27001, HIPAA, ISO 42001, or CSA STAR evidence found anywhere on the vendor's domain - list as startup-tier posture, not a red flag, but do not display any cert badges.
    • Privacy Policy text fetched shows a 'Last Revision: June 24, 2021' date on one crawled variant, which may be stale relative to the AI-training language found (AI features are newer); recommend a human check that the live policy is current before publishing.
    • GDPR compliance is described only as a posture via GDPR-compliant subprocessors/partners, not a formal GDPR Article 30 record or DPA document; do not claim 'GDPR certified' since GDPR has no certification scheme.
    • No HIPAA BAA or healthcare-specific language found; AIFOXX should not list TickTick as suitable for PHI/healthcare use cases.
    • Encryption in transit (TLS) is not explicitly documented on the vendor's own Security page, only encryption at rest; do not over-claim 'end-to-end encrypted' without vendor confirmation.

    // At a glance

    Pricing model

    Freemium: free tier plus paid Premium subscription (and an Education discount); no visible per-seat enterprise pricing.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Appest Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    ticktick.com

    > Browse all vendor trust reports