Security at TODOforAI
TODOforAI logs into the services your company already uses and gets your todos done. That only works if you can trust us with access — so security is the core of the product, not an afterthought. Here is how we protect your data, your credentials, and your accounts.
EU Infrastructure
- Customer data is hosted in the EU (Hetzner, Finland/Germany), operated by an EU company (TODO for AI Kft., Budapest, Hungary).
- Cloudflare provides network security, DDoS protection, and TLS termination at the edge.
- Backups are encrypted and stored within the EU.
Credentials Never Leave the Vault
To act inside your services, the agent needs access — and credential handling is where we are strictest:
- Third-party service credentials are stored in a dedicated secrets vault (HashiCorp Vault–compatible), encrypted at rest, never in plaintext, never in logs or prompts.
- Credentials are injected into the execution environment only for the duration of a task.
- You can revoke access to any connected service at any time.
Isolated Execution
- Agent workloads and browser automation run in isolated sandboxes (Firecracker microVMs) — the same isolation technology behind AWS Lambda. One customer's tasks can never touch another's.
- Sandboxes are ephemeral: torn down after execution, leaving no residual state.
Encryption Everywhere
- TLS 1.2+ for all external connections.
- Agent/edge communication uses the Noise Protocol Framework for end-to-end encrypted transport.
- Data encrypted at rest, including backups.
Human-in-the-Loop by Design
The agent never auto-runs irreversible or money-touching actions. Charging, cancelling, or changing billing is always prepared by the AI and approved by a human with one click. Low-risk work runs autonomously; the big calls stay yours.
Audit Logs
Every tool call the agent makes is logged — what was done, when, and in which service — so you can always answer "what did the AI actually do?"
Your Data Is Not Training Data
- We don't train AI models on your business data.
- AI providers (Anthropic, OpenAI, Google) are used via their API terms, under which your data is not used to train their models.
- We process only what a todo needs — data minimisation by default.
GDPR & Compliance
- Full GDPR compliance as an EU company — see GDPR & Data Processing for roles and our sub-processor list.
- Data Processing Agreement (DPA) available for signature — covers breach notification within 48 hours, data deletion, and audit rights.
- Data transfers outside the EU are protected by the EU–US Data Privacy Framework or Standard Contractual Clauses.
- We support enterprise security reviews and vendor questionnaires — contact us and we'll work through yours.
Open Source
Our edge agent and CLI are open source — you can inspect exactly what runs on your machines.
Reporting a Vulnerability
Found a security issue? Email security@todofor.ai. We respond promptly and appreciate responsible disclosure.
For security reviews, DPAs, or any other questions: privacy@todofor.ai