// Trust & Security Report

    Doist Inc. logo

    Doist Inc.

    Todoist, a consumer/team to-do list and task management app (Free/Beginner, Pro, Business tiers), plus AI features under the "Todoist Assist" umbrella (Task Assist, Filter Assist, Email Assist, and the voice-to-task "Ramble" feature). Doist also makes a separate team-chat product, Twist, which is out of scope for this assessment.

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Enterprise-grade security with SOC2 Type II certification. Todoist meets the compliance standards your company requires, without the complexity.

    Verify on todoist.com
    SOC 2 Type II (product update confirmation)
    HELD

    Todoist is now SOC 2 Type II compliant. That means enterprise-grade data protection and security controls for teams who need them.

    Verify on todoist.com
    GDPR (compliance posture, not a certification)
    HELD

    When you are using Doist Services as a member of an organization that is a customer of Doist ... we are a data processor ... Your Information will be processed by our employees and service providers in the U.S. [transfers use] European Commission-approved or UK Government-approved Standard Contractual Clauses.

    Verify on doist.com
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence: Todoist's own security page (todoist.com/security) lists TLS/AES encryption, AWS hosting, and OAuth 2.0, and directs readers to the trust center for further compliance detail, but does not mention ISO 27001 anywhere. A third-party vendor-risk listing (Nudge Security) separately claims 'ISO 27001 compliant,' but this is not corroborated on any Doist-owned domain, so it is not counted as held.

    source: todoist.com
    HIPAA
    NOT CONFIRMED

    No public evidence: the vendor's own security page (todoist.com/security) makes no mention of HIPAA. Search-indexed vendor help content (attributed to Todoist's 'security, privacy, and compliance' help article) states Todoist 'has not yet pursued HIPAA certification'; the specific article could not be independently re-rendered at time of review due to a client-side redirect to the generic Help Center homepage.

    source: todoist.com
    PCI DSS
    NOT CONFIRMED

    No public evidence found. Payment processing is delegated to Stripe (a subprocessor); no PCI DSS claim is made by Doist itself on its own domains.

    source: doist.com
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence found on any Doist-owned domain (security page, trust center summary, or Todoist Assist page). No AI-governance certification is claimed.

    source: todoist.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on any Doist-owned domain.

    source: todoist.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primary processing is U.S.-based (Doist's own employees/service providers); cloud subprocessors include AWS, Microsoft Azure, and Google Cloud. EEA/UK-to-US transfers rely on Standard Contractual Clauses. No dedicated EU-only data residency option was found.

    Doist's privacy policy states plainly: 'we do not use information we collect from you, including via artificial intelligence tools, to develop, improve, or train generalized/non-personalized artificial intelligence or machine learning models.' The Todoist Assist product page reinforces this: 'No peeking, auditing, or training on your data,' and says Doist only partners with AI providers who 'have explicitly committed that data processed through their services will not be used to train their models,' and that AI traffic is routed through Doist's own infrastructure rather than sent directly to the underlying model provider. Ramble (voice-to-task) audio is stated to be 'never stored or used for model training.' Most Assist features are on by default and optional to disable; Email Assist is the one feature that is explicitly opt-in/opt-out. No tier-based difference in the training policy itself was found (the policy is uniform); tiers differ only in which Assist features are unlocked. A DPA is reported (via vendor help content) to be available pre-signed by Doist for business customers, though the exact help-article page could not be independently re-rendered to quote it verbatim.

    // Security controls

    Encryption in transit

    TLS 1.2 and 1.3, with 128-bit or 256-bit cipher configurations

    todoist.com

    Encryption at rest

    Projects, tasks, comments, account information, and payment information are stored and encrypted at rest; files uploaded after April 11, 2016 are encrypted (earlier files rely on AWS firewall protection only)

    todoist.com

    Authentication

    OAuth 2.0 and email/password login with salted password storage

    todoist.com

    Hosting / infrastructure

    Primary hosting on Amazon Web Services (AWS); additional processing subprocessors include Microsoft Azure and Google Cloud

    todoist.com

    Vulnerability reporting

    Public 'submit a vulnerability' contact channel is available on the security page (no formal public bug-bounty program disclosed on-domain)

    todoist.com

    Subprocessors (partial, from privacy policy)

    AWS, Microsoft Azure, Google Cloud (hosting); Stripe (payments); Zendesk (support); Google LLC (analytics); SendGrid, Mailgun, Mailchimp (email)

    doist.com

    // Products & data scope

    Todoist (Free / Beginner)Personal to-do list

    data: Individual account: tasks, projects, personal productivity data

    Consumer tier; SOC 2 Type II marketing language is shown on the general marketing/pricing pages but the certification is emphasized specifically in the Business context.

    Todoist ProPersonal to-do list, paid

    data: Individual account with expanded limits (300 projects, filters, activity history) plus AI Assist features

    Same data-handling and AI-training posture as Free tier; adds Task Assist and unlimited Ramble.

    Todoist Business (Teams)Team/workspace task management

    data: Shared team workspace: team projects, activity logs, member roles and permissions, centralized billing

    This is the tier the vendor explicitly ties to 'Enterprise-grade security with SOC2 Type II certification' on the pricing page; treat the SOC 2 claim as scoped to the Business/Teams product surface unless the trust center states otherwise.

    Todoist Assist (Task Assist, Filter Assist, Email Assist, Ramble)In-product AI features

    data: Task text, natural-language input, and (for Ramble) voice audio, processed via Doist-operated infrastructure in front of third-party AI providers

    Vendor states no training on customer data for these features; some basic features (e.g., Filter Assist) are available on all tiers, more advanced capabilities require a paid plan.

    Developer APIAPI access

    data: Programmatic access to a user's/team's task data

    Referenced in site footer; no separate compliance documentation found distinct from the core product.

    // What to watch

    • The SOC 2 Type II claim is well corroborated on the vendor's own domain (homepage and a dated help-center product-update article), but the pricing page ties the 'Enterprise-grade security' language specifically to the Business/Teams tier - AIFOXX should label the cert as scoped to Business/Teams rather than implying it covers every tier equally, pending confirmation from the trust center.
    • A third-party vendor-risk site (Nudge Security) lists Todoist as 'ISO 27001 compliant,' but this is not corroborated anywhere on todoist.com or doist.com. Graded as not held; flagging as a possible over-claim/conflation risk from an aggregator rather than the vendor.
    • Doist's trust center (trustcenter.doist.com) is a JavaScript-rendered single-page app; automated fetch tools could only retrieve the page shell ('Doist Trust Center' heading) and not the underlying certification/document list. A human reviewer with a browser should verify the full cert list and download the SOC 2 report and subprocessor list directly from the trust center before final publication.
    • The HIPAA 'not pursued' statement is corroborated via search-indexed vendor help content but the specific help article could not be independently re-rendered (it redirected to the generic Help Center homepage on fetch); grading is additionally supported by the absence of any HIPAA mention on the directly-fetched security page.
    • The DPA availability claim (pre-signed DPA offered by Doist) is consistently reported across multiple search results as sourced from Todoist's own help content, but could not be verified with a first-hand verbatim quote due to the same rendering issue noted above.
    • AI-training posture is clearly and consistently stated as 'no training on customer data' across both the general privacy policy (doist.com/privacy) and the AI-specific product page (todoist.com/todoist-assist) - no contradiction found between legacy ToS language and current AI-page language.

    // At a glance

    Pricing model

    Freemium: free Beginner tier, paid Pro (individual) and Business (per-seat team) subscription tiers

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Doist Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trustcenter.doist.com

    > Browse all vendor trust reports