Thalian connects to your most sensitive systems. We treat that access as a privilege, not a feature. Here's exactly how we protect your data.
Enterprise-grade encryption at every layer. No exceptions.
All connections use TLS 1.3. API calls, webhook deliveries, OAuth flows, and browser sessions are encrypted in transit.
All data stored with AES-256 encryption. Integration credentials are additionally encrypted with AES-256-GCM before storage.
Application hosted on Cloudflare Pages with global edge distribution. DDoS protection, WAF, and bot management included by default.
Each workspace's data is isolated with Row Level Security policies enforced at the database layer and workspace-scoped queries enforced at the application layer, preventing cross-tenant data access.
Thalian only requests the minimum permissions needed, and you control every connection.
Each integration connects with the narrowest OAuth scopes or API permissions required. Read-only by default. Write access only when you explicitly enable actions.
Revoke any integration connection at any time. Credentials are deleted immediately and associated data is purged within 30 days.
Access to production systems requires MFA and is limited to authorized personnel. All access is logged.
All OAuth flows use HMAC-SHA256 signed state parameters to prevent CSRF and state tampering attacks.
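As an added illustration (not Thalian's own code), one way to implement the HMAC-SHA256-signed state parameter described above, in Python. The payload fields, the 10-minute lifetime and the base64url encoding are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

STATE_TTL_SECONDS = 600  # assumed lifetime of an in-flight authorization redirect


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_state(secret: bytes, workspace_id: str, integration: str,
               now: Optional[float] = None) -> str:
    """Build state as base64url(payload) + '.' + base64url(HMAC-SHA256(secret, payload))."""
    payload = {
        "ws": workspace_id,
        "int": integration,
        "nonce": secrets.token_hex(16),  # fresh per flow; also store it in the user's session
        "iat": int(now if now is not None else time.time()),
    }
    raw = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(secret, raw, hashlib.sha256).digest()
    return f"{_b64url(raw)}.{_b64url(tag)}"


def verify_state(secret: bytes, state: str,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the MAC verifies and the state has not expired, else None."""
    try:
        body, tag_b64 = state.split(".", 1)
        raw = _b64url_decode(body)
        given = _b64url_decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, raw, hashlib.sha256).digest()
    # constant-time comparison so the tag cannot be guessed byte by byte via timing
    if not hmac.compare_digest(given, expected):
        return None
    payload = json.loads(raw)  # safe to parse: only the original bytes pass the MAC check
    ts = now if now is not None else time.time()
    if ts - payload["iat"] > STATE_TTL_SECONDS:
        return None
    return payload
```

The MAC stops the state from being altered; to tie the callback to the browser that started the flow, the nonce must also be kept in that user's session and compared on return.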
Your organization's data is never used to train models. Period.
Thalian uses Anthropic's Claude API for intelligence analysis. Your data is sent via API for real-time processing only and is never used to train, fine-tune, or improve any AI model.
Data sent to Anthropic is processed in real-time for AI inference. Anthropic may retain API inputs and outputs for up to 30 days for trust and safety review. This data is not used to train, fine-tune, or improve any AI model.
All security-relevant actions (human or AI-initiated) are logged immutably, recording who approved the action, what changed, and which platforms were affected.
Where we are today and where we're headed.
| Standard | Status | Detail |
|---|---|---|
| SOC 2 Type II practices | In progress | Controls aligned to SOC 2 trust service criteria; formal audit planned for 2026 |
| SOC 2 Type II audit | Roadmap | Formal audit planned for 2026 |
| ISO 27001 practices | In progress | Controls aligned to ISO 27001 information security requirements; formal certification planned for 2026 |
| ISO 27001 certification | Roadmap | Formal certification planned for 2026 |
| TLS 1.3 | Enforced | All connections, no fallback to older versions |
| AES-256 encryption at rest | Enforced | Database and credential storage |
| AES-256-GCM credential encryption | Enforced | Additional layer for integration secrets |
| Row-level security | Enforced | All tables enforce workspace-scoped RLS policies |
| HMAC-SHA256 OAuth state | Enforced | Prevents CSRF and state tampering |
| Stripe webhook signature verification | Enforced | Rejects unsigned or tampered payment events |
| GDPR data rights | Supported | Export and deletion on request |
A complete list of sub-processors that handle your data.
All customer data is stored and processed within the United States.
All customer data (including identity records, device inventories, security findings, and integration credentials) is stored in AWS us-east-1 via Supabase. Customer data is not cached or stored at edge locations; request traffic transits Cloudflare's global edge network for delivery and DDoS protection only.
Data is retained as long as your account is active and the integration is connected. Sync data refreshes automatically every 6 hours.
When you disconnect an integration, credentials are deleted immediately. Associated identity, application, device, and entitlement records are purged within 30 days.
When you delete your account, all workspace data (identities, applications, devices, findings, AI messages, sync logs, and audit records) is permanently deleted within 30 days.
How we detect, respond to, and communicate security events.
We monitor for security events continuously. When an incident is identified, our team follows a structured response process: contain, investigate, remediate, and review.
Affected customers are notified within 72 hours of confirming a security incident that impacts their data, in accordance with GDPR and industry best practices.
Every incident undergoes a root cause analysis. Findings are documented and controls are updated to prevent recurrence.
Proactive validation of our security controls.
Third-party penetration testing is on our roadmap alongside our SOC 2 Type II audit in 2026. Internal security reviews are conducted regularly.
Database backups are performed automatically by Supabase with point-in-time recovery capabilities. Backups are encrypted and stored within the same US region. Recovery procedures are tested periodically.
We welcome reports from security researchers.
If you discover a security vulnerability in Thalian, please report it responsibly to security@thalian.ai. Include a description of the vulnerability, steps to reproduce, and any supporting evidence.
We will acknowledge your report within 48 hours, keep you informed of our progress, and will not take legal action against researchers who follow responsible disclosure practices.
We're happy to discuss our security practices, provide additional documentation, or walk through our controls with your security team.
Contact security@thalian.ai