
Security at THIG

Your product ideas are valuable. We protect them with encryption, isolation, and enterprise-grade access controls.

Core security principles

Encryption Everywhere

All data is encrypted in transit using TLS 1.3 and at rest in our database. API keys and sensitive credentials are encrypted with AES-256-GCM using unique initialization vectors.

Multi-Tenant Isolation

Every database query is scoped by organization. Row Level Security (RLS) policies in PostgreSQL ensure your data is invisible to other tenants — even at the database layer.
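As an added illustration (not THIG's actual schema or policies), the PostgreSQL statements below show what organization-scoped Row Level Security looks like; the `projects` table, its `organization_id` column and the `app.current_organization_id` session setting are assumptions for the example.

```sql
-- Constructed example schema: a tenant-owned table keyed by organization_id.
CREATE TABLE projects (
    id              uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    organization_id uuid NOT NULL,
    name            text NOT NULL
);

-- Constructed sample data for two tenants (inserted before RLS is switched on).
INSERT INTO projects (organization_id, name) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Org A roadmap'),
    ('22222222-2222-2222-2222-222222222222', 'Org B roadmap');

-- Enable RLS, and FORCE it so the table owner is subject to the policy too.
-- Superusers and roles with BYPASSRLS still skip RLS, so the application
-- should connect as a role that has neither attribute.
ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
ALTER TABLE projects FORCE ROW LEVEL SECURITY;

-- The application sets app.current_organization_id (assumed setting name)
-- after authenticating the request. USING filters reads/updates/deletes,
-- WITH CHECK filters inserted/updated rows. NULLIF turns an unset or reset
-- setting ('') into NULL, so the comparison is not true and an unscoped
-- session sees no rows (fail closed) instead of raising a cast error.
CREATE POLICY projects_tenant_isolation ON projects
    USING (organization_id =
           NULLIF(current_setting('app.current_organization_id', true), '')::uuid)
    WITH CHECK (organization_id =
           NULLIF(current_setting('app.current_organization_id', true), '')::uuid);

-- Request for tenant A. SET LOCAL limits the setting to this transaction, so a
-- pooled connection cannot carry tenant A's scope into the next request.
BEGIN;
SET LOCAL app.current_organization_id = '11111111-1111-1111-1111-111111111111';
SELECT name FROM projects;   -- returns only 'Org A roadmap'
COMMIT;

-- Tenant A attempting to write a row owned by tenant B: rejected by WITH CHECK
-- with "new row violates row-level security policy for table "projects"".
BEGIN;
SET LOCAL app.current_organization_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO projects (organization_id, name)
    VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');
ROLLBACK;

-- A session that never set the variable sees nothing.
SELECT count(*) FROM projects;   -- 0
```

Supabase deployments usually derive the tenant from the request's JWT claims inside the policy expression rather than from a session variable, but the shape of the policy (a USING filter plus a WITH CHECK filter on the tenant column) is the same.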

Access Control

Three-tier role system: global roles, organization roles, and feature-level permissions. Every API endpoint enforces authorization before touching data.

No AI Training on Your Data

Your conversations and documents are never used to train AI models. Data is sent to OpenAI or Anthropic only for real-time response generation, covered by their data processing agreements.

Infrastructure Security

Hosted on modern cloud infrastructure with automated backups, DDoS protection, and network isolation. Database managed by Supabase with enterprise-grade PostgreSQL.

Data Ownership

Your data belongs to you. Export everything at any time. Delete projects, documents, or your entire account. We don't hold your data hostage.

Security practices

Specific measures we implement to keep your data safe.

  • Rate limiting on all endpoints to prevent abuse
  • Account lockout after failed login attempts
  • CSRF protection via same-origin cookie policies
  • Content Security Policy (CSP) headers to prevent XSS
  • CORS policy restricting API access to authorized origins
  • Input validation with Zod schemas on every API route
  • Structured logging and error monitoring with Sentry
  • Secure session management via NextAuth with encrypted JWTs
  • Environment variable validation at startup — missing critical variables halt the application
  • Webhook signature verification for payment events

Compliance & certifications

In Progress

SOC 2 Type II

We are actively working toward SOC 2 Type II compliance. Our security controls are being documented and audited in preparation for certification.

Implemented

GDPR Compliance

Data processing agreements, right to erasure, data export, and consent management are built into the platform.

Enterprise Plan

SSO & SAML

Enterprise SSO with SAML 2.0 integration for seamless team onboarding and centralized identity management.

Have security questions?

We're happy to discuss our security practices in detail.