When it comes to data protection, tawk.to gives priority to the privacy and security of our customers' personal information. As the entity controlling the information and data of your customers, you remain the owner of that data — at no stage of collection, storage or retrieval does it belong to anyone except you or your company.
Our principles
tawk.to operates as a data processor on behalf of our clients. We process personal data based on the instructions of our clients, and we do not have control over or determine the purposes and means of the processing of that data.
Encryption
Chats and tickets are encrypted over SHA-256 SSL. Data is encrypted in transit and at rest. We continually review our security posture as part of our compliance program.
Data storage & retention
Chats and tickets stay on our servers indefinitely until deletion. The data is owned by the Admin of the site or tawk.to page. We do not examine chat histories for advertising purposes — storage exists solely to maintain product functionality.
Important caveats
- Certain regions require mandatory record retention periods even after deletion.
- If an account is compromised, sensitive data deleted from the account is retained in backups for 90 days.
- Future updates will offer region-specific retention settings, with irreversible deletion options.
If your account is disabled, data is purged on a regular cycle once any mandatory retention periods in your jurisdiction have elapsed.
Access & controls
Access to customer data is limited to authorized tawk.to staff who need it to provide and support the service. We disclose information only to employees, contractors, and affiliated organizations that need to know that information in order to process it on tawk.to's behalf, and that have agreed not to disclose it to others.
tawk.to does not rent or sell potentially personally-identifying personal information to anyone.
Infrastructure
We leverage the security of trusted hosting partners — including Google Cloud, AWS, and DigitalOcean — which provide both physical and technological safeguards. Our full sub-processor list is published at tawk.to/data-protection/sub-processors/.
Compliance
- EU-U.S. DPF: Self-certified under the EU-U.S. Data Privacy Framework.
- UK Extension: Self-certified under the UK Extension to the EU-U.S. DPF.
- Swiss-U.S. DPF: Self-certified under the Swiss-U.S. Data Privacy Framework.
- ICO (UK): Registered with the Information Commissioner's Office in the United Kingdom.
- GDPR: Compliant with the EU General Data Protection Regulation.
- Sub-processors: DPAs in place with all vendors. List published and updated.
Reporting a vulnerability
If you believe you have found a security issue affecting tawk.to, please contact security@tawk.to. We appreciate responsible disclosure and will acknowledge your report.