// Trust & Security Report
Appest Inc.
TickTick is a consumer/prosumer to-do list, calendar, and habit-tracking app (web, desktop, mobile) with a Premium subscription tier and a Team/Collaboration feature (shared lists, task assignment); no distinct enterprise/admin-governed tier or API product was found.
Certifications held
1
Maturity
Startup
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on ticktick.com“"When absolutely necessary, TickTick uses third party services and hosting partners who are GDPR-compliant" and the policy commits to breach notification "within 72 hours" of a qualifying incident.”
> Show 6 unconfirmed / not-held certifications
source: ticktick.comNo public evidence. TickTick's Security page (https://ticktick.com/security) describes AWS hosting, encryption at rest, firewalls, and backups, but does not mention SOC 2 anywhere.
source: ticktick.comNo public evidence. Not mentioned on the Security page, Privacy Policy, or Terms of Service, and no trust center exists.
source: ticktick.comNo public evidence. No mention of HIPAA, Business Associate Agreements (BAA), or healthcare-specific handling anywhere on the vendor's Security, Privacy, or Terms pages.
source: ticktick.comNo public evidence of this certification; not referenced anywhere on the vendor's site.
source: ticktick.comNo public evidence of this certification; not referenced anywhere on the vendor's site.
source: ticktick.comNo public evidence. Payment details are described only as "stored and encrypted at rest"; no PCI DSS attestation is referenced. Payments are likely processed by a third party (e.g. Stripe, per privacy-policy references), which would carry its own PCI scope rather than TickTick's.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Not explicitly disclosed for general user data. AI features are stated to run on "Amazon Web Services (AWS)" infrastructure "in the United States"; no regional data-residency options (e.g. EU-only storage) are described.
The privacy policy explicitly states for AI features: "your data is neither shared with third-party AI providers nor used to train our models." No opt-out is needed since training is stated not to occur at all; no tier-based distinction (free vs Premium) was found in the policy text captured.
// Security controls
Encryption at rest
"User data, including task details, account information and payment details, are all stored and encrypted at rest."
ticktick.comEncryption in transit
Not explicitly specified with a protocol name (e.g. TLS version) on the vendor's Security page; the page does not detail transit encryption.
ticktick.comInfrastructure / hosting
Hosted on "Amazon Web Services (AWS) in the United States" with "built-in firewalls to protect your data against unauthorized remote access" and "continuous monitoring for potential vulnerabilities."
ticktick.comBackups
Data is "automatically backed up on AWS servers with the capability of providing point-in-time recovery."
ticktick.comBreach notification
Policy states users will be notified within 72 hours after TickTick becomes aware of a qualifying breach likely to create a risk to user rights.
ticktick.comData sharing with third parties
"we will never share your data with third parties without your prior permission" and the policy states personal data will never be sold to third parties.
ticktick.com// Products & data scope
data: Task data, calendar entries, habit-tracking logs, account info (name, email, device/browser info).
Core product; same infrastructure and privacy posture as Premium, feature-gated rather than security-gated.
data: Same data scope as Free plus additional storage/attachment limits and advanced features (unlimited calendar subscriptions, folders, etc.).
data: Task text and, per privacy policy, potentially AI interaction text/audio.
Vendor explicitly states this data is not shared with third-party AI providers and not used to train models; hosted on AWS.
data: Shared task/list data, collaborator identities.
No dedicated enterprise admin console, SSO, or org-wide compliance documentation was found; appears to be a feature within the same consumer product rather than a separate enterprise SKU.
// What to watch
- No SOC 2, ISO 27001, HIPAA, ISO 42001, or CSA STAR evidence found anywhere on the vendor's domain - list as startup-tier posture, not a red flag, but do not display any cert badges.
- Privacy Policy text fetched shows a 'Last Revision: June 24, 2021' date on one crawled variant, which may be stale relative to the AI-training language found (AI features are newer); recommend a human check that the live policy is current before publishing.
- GDPR compliance is described only as a posture via GDPR-compliant subprocessors/partners, not a formal GDPR Article 30 record or DPA document; do not claim 'GDPR certified' since GDPR has no certification scheme.
- No HIPAA BAA or healthcare-specific language found; AIFOXX should not list TickTick as suitable for PHI/healthcare use cases.
- Encryption in transit (TLS) is not explicitly documented on the vendor's own Security page, only encryption at rest; do not over-claim 'end-to-end encrypted' without vendor confirmation.
// At a glance
Pricing model
Freemium: free tier plus paid Premium subscription (and an Education discount); no visible per-seat enterprise pricing.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Appest Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
ticktick.com