Security

How Threadline protects your data and your users' context.

Encryption

All data is encrypted at rest (AES-256 via Supabase/Postgres) and in transit (TLS 1.3). Cached context in Redis uses encrypted connections.

OAuth-style grants

Users approve what each agent can see. Scoped access means agents only read the context fields they've been granted — nothing more.

Hard delete

Users can permanently erase their context at any time from the trust dashboard. Data is removed from Postgres and cache within seconds.

Full audit trail

Every read and write is logged with agent ID, action type, and timestamp. Developers can review access patterns via the API.

Data retention

Context is stored indefinitely, until the user or developer explicitly deletes it. No hidden retention windows, no shadow copies.

Infrastructure

Threadline is hosted on Supabase (Postgres) with Redis caching. Our hosting providers are SOC 2-compliant. No data leaves the infrastructure without encryption.

SOC 2 Roadmap

We're actively working toward SOC 2 Type II certification. Our infrastructure already meets most controls — encryption at rest, TLS in transit, audit logging, and access scoping. We expect to complete the audit in 2026.

Responsible Disclosure

If you believe you've found a vulnerability, please report it privately.

Email support@threadline.to with details and reproduction steps.

We aim to acknowledge reports within 48 hours.

There is currently no bug bounty program. We will acknowledge valid reports and work to remediate issues quickly.