We take security seriously.
Ensuring the safety and privacy of your data is baked into our everyday processes throughout our organization. We take regular data backups and test recovery, run penetration testing, encrypt all data and many other cloud security techniques. Scroll down for information about specific security practices.
TheyDo has made information security and data privacy foundational principles of everything we do, and we recognize the importance of adhering to regulations to advance information security and data privacy for citizens of the EU. Read our GDPR commitment.
Global access roles allow admins to set permission levels for everyone in the workspace, and project-level access controls allow permission levels to be set for specific projects.
Passwords are salted and hashed securely with the bcrypt password-hashing algorithm.
SSO via Auth0
Enterprise Admins can require users to authenticate to TheyDo in one click using their corporate email account via Single Sign-On. They’ll never need to set a password with us to log in to their account or to sign up, even if they’re creating a new account.
Users are required to validate their accounts via a link provided in an automated e-mail. Our enterprise-grade authentication provider ensures malicious login attempts are blocked.
Users can delete projects and project data within TheyDo if they have the correct access rights. Data can be restored for up to 30 days before it is permanently deleted, and it can take up to 60 days for all data to be deleted from our backups.
We ensure high availability with automated and manual testing, statically typed languages, regular performance benchmarking, production logging and alerts, fast continuous deployments, and industry-standard cloud infrastructure.
Our cloud providers are Heroku and AWS. They ensure best-in-class firewall, intrusion and DMZ policies at the platform level.
Hosting & Storage
TheyDo services and data are hosted in AWS facilities (Western European Region) in the EU. All data is encrypted at rest via AES-256 Encryption.
Data is encrypted while moving between us and the browser with Transport Layer Security (TLS). All TLS (SSL) certificates are issued and managed through Google Cloud, and we enable HTTP Strict Transport Security (HSTS).
Payment details are not stored on our servers. All payments made to TheyDo go through our partner, Stripe, which is PCI compliant.
We perform independent third-party manual penetration testing on an annual basis.
Our cloud platform is designed to protect customers from threats by applying security controls at every layer from physical to application, by isolating customer applications and data, and by being able to rapidly deploy security updates without service interruption.
We log all system activity and login behaviour with a 30-day retention policy.
We keep our list of subprocessors up to date. You can review our current subprocessors here.
All of our vendors offer industry-leading products and go through an exhaustive security audit to ensure their practices fit our highest security and compliance standards.
Each employee’s level of access is determined by their job position. Logical access reviews are performed periodically, and access is removed immediately when it is no longer necessary.
All employee and contractor agreements include a confidentiality clause.
We run background checks and sign confidentiality agreements with all employees. We also train them in Information Security and Secure Development Practices.