For Admins: Review data storage and compliance in Microsoft To Do
Here are answers to some frequently asked questions regarding data storage and the overall compliance of Microsoft To Do:
How and where is Microsoft To Do data stored?
Because To Do uses Exchange Online for data storage and synchronization, customers benefit from the reliability, security and compliance they've come to expect from Office 365. Your To Do tasks are stored as tasks in your Exchange Online mailbox, which also hosts data from other Exchange modules such as email, events, contacts and notes.
Exchange Online has thousands of servers across the globe, and they are widely distributed to ensure users experience not only the best performance, but also confidence that their data isn't leaving their region. Exchange also takes legal requirements into account when routing traffic and storing data. European data, for example, will not be stored outside the EU region by default, in order to comply with standards such as the EU Model Clauses. To learn more about where your Office 365 data resides, please visit the Data Center Map.
Data is encrypted at rest on Exchange servers and in transit to and from the To Do app in your browser or on your device. Depending on your configuration, your device itself might also provide local encryption or remote wipe capabilities to supplement this.
Is Microsoft To Do compliant?
All data transmission, processing and storage happens via Exchange Online. As such, customer content and other data input into To Do can be considered as safe as similar data input by customers into apps such as Outlook, which also uses Exchange as its backend.
Since the To Do web app hosted on https://todo.microsoft.com is considered a service from a compliance perspective, it is developed according to industry compliance standards and has passed external audits, such as the SOC 2 (Service Organization Controls) Type 1 Audit.
Though Microsoft To Do is not explicitly mentioned in the Online Service Terms or HIPAA Business Associate Agreements agreed to between Microsoft and Office 365 customers, these additions are in progress. In the meantime, it is important to keep in mind that the underlying service (Exchange Online) is represented in both documents and is the sole backend for To Do.