We take security seriously

Ensuring the safety and privacy of your data is baked into our everyday processes throughout our organization. We make regular data backups and test recovery, run penetration testing, encrypt all data, and many other cloud security techniques. Scroll down for information about specific security practices.


General practices

GDPR compliant

TheyDo has made information security and data privacy foundational principles of everything we do, and we recognize the importance of adhering to regulations to advance information security and data privacy for citizens of the EU. Read our GDPR commitment.



Global access roles allow admins to set permission levels for everyone in the workspace, and project-level access controls allow permission levels to be set for specific projects.

Secure passwords

Passwords are hashed (and salted) securely with a bcrypt encryption algorithm.

SSO via Auth0

Enterprise Admins can require users to authenticate to TheyDo in one click using their corporate email account via Single Sign-On. They’ll never need to set a password with us to log in to their account or to sign up, even if they’re creating a new account.

Account verification

Users are required to validate their accounts via a link provided in an automated e-mail. Our enterprise-grade authentication provider ensures malicious login attempts are blocked.

Permanent deletion

Users can delete projects and project data within TheyDo if they have the correct access rights. Data can be restored for up to 30 days before it is permanently deleted, and it can take up to 60 days for all data to be deleted from our backups. 

High availability

We ensure high availability with automated and manual testing, statically typed languages, regular performance benchmarking, production logging and alerts, fast continuous deployments, and industry-standard cloud infrastructure.


Secure Infrastructure

Our cloud provider is AWS. They ensure best-in-class firewall, intrusion and DMZ policies at platform level.

Hosting & Storage

TheyDo services and data are hosted in AWS facilities (Western European Region) in the EU. All data is encrypted at rest via AES-256 Encryption.


Data is encrypted while moving between us and the browser with Transport Level Security (TLS). All SSL certificates are issued and managed through Google Cloud, and we enable HTTP Strict Transport Security (HSTS).


Payment details are not stored on our servers. All payments made to TheyDo go through our partner, Stripe (they are PCI compliant).

Penetration testing

We perform independent third-party manual penetration testing on an annual basis.

Server patching

Our cloud platform is designed to protect customers from threats by applying security controls at every layer from physical to application, isolating customer applications and data, and with its ability to rapidly deploy security updates without service interruption.


We log all system activity and login behavior with a 30-day retention policy.


Data subprocessors

We keep our list of subprocessors up to date. You can review our current subprocessors here.

Vendor selection

All of our vendors offer industry-leading products and go through an exhaustive security audit to ensure their practices fit our highest security and compliance standards.


Logical access

An employee’s level of access is determined by the job position. Logical access reviews are performed periodically and access is immediately removed if no longer necessary.


All employee and contractor agreements include a confidentiality clause.

Security Training

We run background checks and sign confidentiality agreements with all employees. We also train them in Information Security and Secure Development Practices.