Beta — Todoodah is free during beta. Your data may be reset before launch.

Security

We take the security of your data seriously. This page describes our approach to security and how to report vulnerabilities responsibly.

Our approach

Todoodah is designed with security in mind from the ground up. All connections are encrypted, passwords are stored only as hashes (never in plaintext), and the application uses CSRF protection, rate limiting, and strict security headers. All data is stored in the EU on infrastructure provided by trusted European hosting providers.
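As an added illustration of what "strict security headers" means in practice, the following script grades a set of HTTP response headers against a small baseline (HSTS, Content-Security-Policy, framing protection, nosniff, Referrer-Policy). This is example code written for this page, not Todoodah's own code, and the two header sets at the bottom are constructed for illustration rather than captured from todoodah.com; the 180-day HSTS minimum and the list of acceptable Referrer-Policy values are the example's own assumptions.

```python
"""Grade HTTP response headers against a strict-security-headers baseline.
Added example, not Todoodah's code; sample headers below are constructed."""

from dataclasses import dataclass

MIN_HSTS_MAX_AGE = 15_552_000  # 180 days; an assumed minimum, not Todoodah's policy
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}


@dataclass
class Finding:
    header: str
    status: str  # "ok", "missing" or "weak"
    detail: str


def _policy(value: str) -> dict[str, str]:
    """Split a CSP string into {directive: sources}."""
    out = {}
    for part in value.split(";"):
        name, _, rest = part.strip().partition(" ")
        if name:
            out[name.lower()] = rest.strip()
    return out


def _check_hsts(value):
    name = "Strict-Transport-Security"
    if value is None:
        return Finding(name, "missing", "first http:// visit is not upgraded")
    parts = [p.strip().lower() for p in value.split(";")]
    ages = [int(p[8:]) for p in parts if p.startswith("max-age=") and p[8:].isdigit()]
    if not ages or ages[0] < MIN_HSTS_MAX_AGE:
        return Finding(name, "weak", f"max-age={ages[0] if ages else 0} is below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in parts:
        return Finding(name, "weak", "includeSubDomains not set")
    return Finding(name, "ok", value)


def _check_csp(value):
    name = "Content-Security-Policy"
    if value is None:
        return Finding(name, "missing", "no restriction on script sources")
    sources = _policy(value)
    script = sources.get("script-src", sources.get("default-src"))  # script-src falls back to default-src
    if script is None:
        return Finding(name, "weak", "neither script-src nor default-src set")
    if "'unsafe-inline'" in script or "'unsafe-eval'" in script or "*" in script.split():
        return Finding(name, "weak", f"scripts allowed from: {script}")
    return Finding(name, "ok", value)


def _check_framing(xfo, csp):
    name = "X-Frame-Options"
    if csp is not None and "frame-ancestors" in _policy(csp):
        return Finding(name, "ok", "covered by CSP frame-ancestors")
    if xfo is None:
        return Finding(name, "missing", "page can be framed (clickjacking)")
    if xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return Finding(name, "ok", xfo)
    return Finding(name, "weak", f"{xfo!r} is not DENY/SAMEORIGIN")


def _check_simple(name, value, allowed, why_missing):
    if value is None:
        return Finding(name, "missing", why_missing)
    if value.strip().lower() in allowed:
        return Finding(name, "ok", value)
    return Finding(name, "weak", f"{value!r} not in {sorted(allowed)}")


def check_headers(headers: dict[str, str]) -> list[Finding]:
    """One Finding per baseline header; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    return [
        _check_hsts(h.get("strict-transport-security")),
        _check_csp(h.get("content-security-policy")),
        _check_framing(h.get("x-frame-options"), h.get("content-security-policy")),
        _check_simple("X-Content-Type-Options", h.get("x-content-type-options"), {"nosniff"}, "browser may sniff MIME types"),
        _check_simple("Referrer-Policy", h.get("referrer-policy"), SAFE_REFERRER, "full URLs may leak to other origins"),
    ]


def problems(headers: dict[str, str]) -> list[str]:
    """Names of baseline headers that are missing or weak."""
    return [f.header for f in check_headers(headers) if f.status != "ok"]


# Constructed samples, not real responses from todoodah.com.
STRICT = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for f in check_headers(WEAK):
        print(f"{f.status:7} {f.header}: {f.detail}")
```

Against a live site you would feed `check_headers` the headers of an authenticated page of the application, not only the landing page, since the strictest policy matters where session data is rendered. The script treats a CSP `frame-ancestors` directive as satisfying the framing check because browsers that support it ignore `X-Frame-Options` when both are present.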

For a detailed overview of our technical and organizational security measures, see our TOM document.

Responsible disclosure

If you've found a security vulnerability in Todoodah, we'd appreciate your help in disclosing it to us responsibly. We promise:

  • We will acknowledge your report within 5 business days
  • We will not take legal action against good-faith security research
  • We will keep you informed about our progress in resolving the issue
  • We will credit you (if you wish) once the vulnerability has been resolved

How to report

Send your findings to contact@todoodah.com. Please include:

  • A description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact as you see it

Scope

The following are in scope for responsible disclosure:

  • app.todoodah.com — the Todoodah application
  • todoodah.com — this website

The following are out of scope:

  • Social engineering or phishing attacks
  • Denial of service (DoS/DDoS) attacks
  • Attacks requiring physical access to a user's device
  • Third-party services and infrastructure we don't control