We understand the need for secure data storage and compliance. You can find details about data storage and the overall compliance of Microsoft To Do here.
Since Microsoft To Do uses Exchange Online for data storage and synchronization, customers benefit from the reliability, security and compliance they've come to expect from Exchange. When you use Microsoft To Do , your to-dos are stored as tasks in your Exchange Online mailbox, which also hosts data from other Exchange modules such as mails, events, contacts and/or notes.
Exchange Online has thousands of servers across the globe, and they are widely distributed to ensure users experience not only the best performance, but also confidence that their data isn't leaving their region. Exchange also takes legal requirements into account when routing traffic. European data, for example, will not leave the EU region by default, in order to comply with standards such as the EU Model Clauses. To learn more about where your Microsoft 365 data resides, please visit the Data Center Map.
Data is encrypted at rest on Exchange servers and in transit to and from the To-Do app on your
browser or device. Depending on your configuration, your device itself might also have additional encryption locally or remote wipe capabilities to supplement this.
All data transmission, processing and storage happens in Exchange Online. As such, customer
content and other data input into Microsoft To Do can be considered as secure as similar data input by customers into apps such as Outlook, which also uses Exchange as its backend.
Since the Microsoft To Do web app hosted on https://to-do.microsoft.com is considered a service from a compliance perspective, it is developed according to industry compliance standards and has thus been through audits, such as the SOC 2 (Service Organization Controls) Type 1 Audit.
Though Microsoft To Do is not explicitly mentioned in the Online Service Terms or HIPAA Business Associate Agreements agreed to between Microsoft and Microsoft 365 customers, these additions are in progress. In the meantime, it is important to keep in mind that the underlying service (Exchange Online) is represented in both documents and is the sole backend for Microsoft To Do.