// Trust & Security Report
Doist Inc.
Todoist, a consumer/team to-do list and task management app (Free/Beginner, Pro, Business tiers), plus AI features under the "Todoist Assist" umbrella (Task Assist, Filter Assist, Email Assist, and the voice-to-task "Ramble" feature). Doist also makes a separate team-chat product, Twist, which is out of scope for this assessment.
Certifications held
3
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on todoist.com“Enterprise-grade security with SOC2 Type II certification. Todoist meets the compliance standards your company requires, without the complexity.”
Verify on todoist.com“Todoist is now SOC 2 Type II compliant. That means enterprise-grade data protection and security controls for teams who need them.”
Verify on doist.com“When you are using Doist Services as a member of an organization that is a customer of Doist ... we are a data processor ... Your Information will be processed by our employees and service providers in the U.S. [transfers use] European Commission-approved or UK Government-approved Standard Contractual Clauses.”
> Show 5 unconfirmed / not-held certifications
source: todoist.comNo public evidence: Todoist's own security page (todoist.com/security) lists TLS/AES encryption, AWS hosting, and OAuth 2.0, and directs readers to the trust center for further compliance detail, but does not mention ISO 27001 anywhere. A third-party vendor-risk listing (Nudge Security) separately claims 'ISO 27001 compliant,' but this is not corroborated on any Doist-owned domain, so it is not counted as held.
source: todoist.comNo public evidence: the vendor's own security page (todoist.com/security) makes no mention of HIPAA. Search-indexed vendor help content (attributed to Todoist's 'security, privacy, and compliance' help article) states Todoist 'has not yet pursued HIPAA certification'; the specific article could not be independently re-rendered at time of review due to a client-side redirect to the generic Help Center homepage.
source: doist.comNo public evidence found. Payment processing is delegated to Stripe (a subprocessor); no PCI DSS claim is made by Doist itself on its own domains.
source: todoist.comNo public evidence found on any Doist-owned domain (security page, trust center summary, or Todoist Assist page). No AI-governance certification is claimed.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primary processing is U.S.-based (Doist's own employees/service providers); cloud subprocessors include AWS, Microsoft Azure, and Google Cloud. EEA/UK-to-US transfers rely on Standard Contractual Clauses. No dedicated EU-only data residency option was found.
Doist's privacy policy states plainly: 'we do not use information we collect from you, including via artificial intelligence tools, to develop, improve, or train generalized/non-personalized artificial intelligence or machine learning models.' The Todoist Assist product page reinforces this: 'No peeking, auditing, or training on your data,' and says Doist only partners with AI providers who 'have explicitly committed that data processed through their services will not be used to train their models,' and that AI traffic is routed through Doist's own infrastructure rather than sent directly to the underlying model provider. Ramble (voice-to-task) audio is stated to be 'never stored or used for model training.' Most Assist features are on by default and optional to disable; Email Assist is the one feature that is explicitly opt-in/opt-out. No tier-based difference in the training policy itself was found (the policy is uniform); tiers differ only in which Assist features are unlocked. A DPA is reported (via vendor help content) to be available pre-signed by Doist for business customers, though the exact help-article page could not be independently re-rendered to quote it verbatim.
// Security controls
Encryption at rest
Projects, tasks, comments, account information, and payment information are stored and encrypted at rest; files uploaded after April 11, 2016 are encrypted (earlier files rely on AWS firewall protection only)
todoist.comHosting / infrastructure
Primary hosting on Amazon Web Services (AWS); additional processing subprocessors include Microsoft Azure and Google Cloud
todoist.comVulnerability reporting
Public 'submit a vulnerability' contact channel is available on the security page (no formal public bug-bounty program disclosed on-domain)
todoist.comSubprocessors (partial, from privacy policy)
AWS, Microsoft Azure, Google Cloud (hosting); Stripe (payments); Zendesk (support); Google LLC (analytics); SendGrid, Mailgun, Mailchimp (email)
doist.com// Products & data scope
data: Individual account: tasks, projects, personal productivity data
Consumer tier; SOC 2 Type II marketing language is shown on the general marketing/pricing pages but the certification is emphasized specifically in the Business context.
data: Individual account with expanded limits (300 projects, filters, activity history) plus AI Assist features
Same data-handling and AI-training posture as Free tier; adds Task Assist and unlimited Ramble.
data: Shared team workspace: team projects, activity logs, member roles and permissions, centralized billing
This is the tier the vendor explicitly ties to 'Enterprise-grade security with SOC2 Type II certification' on the pricing page; treat the SOC 2 claim as scoped to the Business/Teams product surface unless the trust center states otherwise.
data: Task text, natural-language input, and (for Ramble) voice audio, processed via Doist-operated infrastructure in front of third-party AI providers
Vendor states no training on customer data for these features; some basic features (e.g., Filter Assist) are available on all tiers, more advanced capabilities require a paid plan.
data: Programmatic access to a user's/team's task data
Referenced in site footer; no separate compliance documentation found distinct from the core product.
// What to watch
- The SOC 2 Type II claim is well corroborated on the vendor's own domain (homepage and a dated help-center product-update article), but the pricing page ties the 'Enterprise-grade security' language specifically to the Business/Teams tier - AIFOXX should label the cert as scoped to Business/Teams rather than implying it covers every tier equally, pending confirmation from the trust center.
- A third-party vendor-risk site (Nudge Security) lists Todoist as 'ISO 27001 compliant,' but this is not corroborated anywhere on todoist.com or doist.com. Graded as not held; flagging as a possible over-claim/conflation risk from an aggregator rather than the vendor.
- Doist's trust center (trustcenter.doist.com) is a JavaScript-rendered single-page app; automated fetch tools could only retrieve the page shell ('Doist Trust Center' heading) and not the underlying certification/document list. A human reviewer with a browser should verify the full cert list and download the SOC 2 report and subprocessor list directly from the trust center before final publication.
- The HIPAA 'not pursued' statement is corroborated via search-indexed vendor help content but the specific help article could not be independently re-rendered (it redirected to the generic Help Center homepage on fetch); grading is additionally supported by the absence of any HIPAA mention on the directly-fetched security page.
- The DPA availability claim (pre-signed DPA offered by Doist) is consistently reported across multiple search results as sourced from Todoist's own help content, but could not be verified with a first-hand verbatim quote due to the same rendering issue noted above.
- AI-training posture is clearly and consistently stated as 'no training on customer data' across both the general privacy policy (doist.com/privacy) and the AI-specific product page (todoist.com/todoist-assist) - no contradiction found between legacy ToS language and current AI-page language.
// At a glance
Pricing model
Freemium: free Beginner tier, paid Pro (individual) and Business (per-seat team) subscription tiers
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Doist Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trustcenter.doist.com