We take security seriously
Ensuring the safety and privacy of your data is baked into our everyday processes throughout our organization. We make regular data backups and test recovery, run penetration testing, encrypt all data, and apply many other cloud security techniques. Scroll down for information about specific security practices.
General practices
GDPR compliant
TheyDo has made information security and data privacy foundational principles of everything we do, and we recognize the importance of adhering to regulations to advance information security and data privacy for citizens of the EU. Read our GDPR commitment.
Permissions
Global access roles allow admins to set permission levels for everyone in the workspace, and project-level access controls allow permission levels to be set for specific projects.
Secure passwords
Passwords are salted and hashed with the bcrypt password-hashing algorithm; we never store them in plaintext or in reversible (encrypted) form.
SSO via Auth0
Enterprise Admins can require users to authenticate to TheyDo in one click using their corporate email account via Single Sign-On. They’ll never need to set a password with us to log in to their account or to sign up, even if they’re creating a new account.
Account verification
Users are required to verify their accounts via a link sent in an automated e-mail. Our enterprise-grade authentication provider detects and blocks malicious login attempts.
Permanent deletion
Users can delete projects and project data within TheyDo if they have the correct access rights. Data can be restored for up to 30 days before it is permanently deleted, and it can take up to 60 days for all data to be deleted from our backups.
High availability
We ensure high availability with automated and manual testing, statically typed languages, regular performance benchmarking, production logging and alerts, fast continuous deployments, and industry-standard cloud infrastructure.
Infrastructure
Secure Infrastructure
Our cloud provider is AWS, which enforces best-in-class firewall, intrusion-detection and DMZ policies at the platform level.
Hosting & Storage
TheyDo services and data are hosted in AWS facilities in the EU (Western European Region). All data is encrypted at rest with AES-256 encryption.
Encryption
Data in transit between your browser and our servers is encrypted with Transport Layer Security (TLS). All SSL/TLS certificates are issued and managed through Google Cloud, and we enable HTTP Strict Transport Security (HSTS) so that browsers only ever connect to us over HTTPS.
PCI DSS
Payment details are never stored on our servers. All payments made to TheyDo are processed by our partner, Stripe, which is PCI DSS compliant.
Penetration testing
We perform independent third-party manual penetration testing on an annual basis.
Server patching
Our cloud platform protects customers from threats by applying security controls at every layer, from physical to application; by isolating customer applications and data; and by rapidly deploying security updates without service interruption.
Logging
We log all system activity and login behavior with a 30-day retention policy.
Vendors
Data subprocessors
We keep our list of subprocessors up to date. You can review our current subprocessors here.
Vendor selection
All of our vendors offer industry-leading products and go through an exhaustive security audit to ensure their practices meet our security and compliance standards.
Personnel
Logical access
An employee’s level of access is determined by their job role. Logical access reviews are performed periodically, and access is removed immediately when it is no longer necessary.
Confidentiality
All employee and contractor agreements include a confidentiality clause.
Security Training
We run background checks on all employees and sign confidentiality agreements with them. We also train them in information security and secure development practices.