
Technical and Organizational Measures

Last updated: March 2026

This document describes the technical and organizational measures ("TOM") implemented by Ofnof to protect personal data processed through the Todoodah service, in accordance with Article 32 of the GDPR.

Encryption

In Transit

All communication between clients and servers is encrypted using TLS. Plain HTTP connections are redirected to HTTPS. API endpoints are only accessible over encrypted connections.

At Rest

Database storage is encrypted at the filesystem level by the hosting provider (Scaleway). Backups are stored encrypted.

Authentication and Access Control

  • User passwords are stored using cryptographic hashing (bcrypt). Plain-text passwords are never stored or logged.
  • Sessions are managed via short-lived JWT access tokens and httpOnly, Secure refresh cookies.
  • Access to production infrastructure is restricted to authorized personnel and secured with SSH key authentication.
  • Database access is restricted to the application server via network-level firewall rules. No public database access is permitted.

Application Security

  • CSRF protection: Origin header validation is enforced on all mutating requests.
  • Rate limiting: Applied to authentication endpoints and other public-facing routes to mitigate brute-force and abuse.
  • Security headers: Responses include X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers.
  • Input validation: All user input is validated and sanitized on the server side.
  • Dependency management: Dependencies are regularly reviewed and updated to address known vulnerabilities.

Data Minimization

Only data strictly necessary to provide the Service is collected. The Service does not collect names, phone numbers, addresses, or payment information. Analytics are cookieless and privacy-friendly (Rybbit, self-hosted), collecting only anonymous, aggregate statistics.

Infrastructure

  • Application servers are hosted by Hetzner Online GmbH in Germany.
  • The PostgreSQL database is hosted by Scaleway SAS in France.
  • Email is hosted by Migadu GmbH in Switzerland.
  • All infrastructure is located within the EU or Switzerland (adequate protection under GDPR).
  • Servers are maintained with regular security updates.

Backup and Recovery

Database backups are performed daily and stored encrypted. Backups are retained for 7 days and automatically deleted after that. Backups are tested periodically to ensure data can be restored in case of failure.

Incident Response

In the event of a personal data breach, the Processor will notify affected Controllers without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with the Data Processing Agreement.

Organizational Measures

  • Access to personal data is limited to personnel who require it to operate and maintain the Service.
  • All personnel with access to personal data are bound by confidentiality obligations.
  • This document is reviewed and updated when significant changes are made to the Service's infrastructure or security measures.

Data Deletion

Upon account deletion by the user, all associated personal data (account data, content, preferences) is permanently removed from the production database. Data in backups is automatically purged within 7 days.