Security & Privacy at Threads

Security & Privacy at Threads

Enterprise-Grade Data Protection

Trust Threads to keep your data secure and meet your compliance requirements


Protecting your data at every layer is a core function of our platform. Earning and keeping our community's trust is a top priority, and as such, we hold ourselves to the highest security and privacy standards and best practices.

Compliance Certifications

SOC 2 Type II

Our SOC 2 Type 2 report attests to the controls we have in place governing the security and confidentiality of customer data as they map to Trust Service Principles (TSPs) established by the American Institute of Certified Public Accountants (AICPA). This certification means that Threads has the appropriate controls in place to mitigate risks related to security and confidentiality.


GDPR Compliant

Threads complies with all applicable privacy law and regulations, and are committed to compliance with the General Data Protection Regulation (GDPR) legislation on storage and deletion of user data.


You may find our GDPR Privacy Notice here and download our Data Processing Addendum here.


CCPA Compliance

Threads complies with the California Consumer Privacy Act, a state statute intended to enhance privacy rights and consumer protection for residents of California, United States.


Please email to request a copy of our CCPA Addendum.


Additional Security Features

SAML-based SSO

Single-sign on support via SAML for Google, Okta, and OneLogin.

SCIM through Okta

System for Cross-Domain Identity Management through Okta for automative provisioning and de-provisioning of users.

Custom Session Timeouts

Threads allows those on the Enterprise plan to customize session timeout length to fit their security risk tolerance.

Access Control

Control who can manage, view, and edit forums with granular permissions.

Managed Users

Ability to provide and revoke access to roles.


Fully featured eDiscovery workflows to search, place legal holds, and export content.

Data Retention

Ability to set global and forum based retention limits on content before it is permanently deleted.

2FA support

We support TOTP codes (via Google Authenticator, Duo, 1Password) and Security Keys (via Yubikey, Google Titan) as second factors for authentication.

Organization-wide login requirements

Ability to set a minimum password length, require uncompromised passwords, and require 2FA.

Domain allowlisting

Restrict user access to approved email domains.

Application Security

  • Web application and API are only accessible to end users over HTTPS.
  • We have appropriate rate limits, alerting, and logging on all API calls.
  • In our Software Development Lifecycle, all backend code must be reviewed and include extensive security and correctness tests.
  • We have separate development, staging, and production environments. All code is tested before reaching production by our QA process.


  • We are hosted entirely on AWS.
  • We have daily backups of our production databases with replicas available for failover.
  • We follow a least-privilege policy for access to secrets. Secrets are rotated.
  • We have measures in place for intrusion detection and prevention. Our servers run IDS/IPS, malware detection, vulnerability detection, and application control software.
  • We send detailed logs and audit trails from our infrastructure, admin tools, and management tools to a centralized logging environment. The logs and audit trails are monitored and alerted upon.

User Data and Privacy

  • User data is encrypted in transit and at rest.
  • All database credentials are stored securely and rotated regularly.
  • Database user accounts have least-privileged access.
  • All database queries are logged, monitored, and alerted upon for unusual activity.

Corporate Security

  • We do background checks on all employees.
  • We use MDM to manage and enforce security policies on all laptops including authentication mechanisms.
  • All employees go through ongoing security training.
  • We maintain and enforce a number of security policies, including: Information Security Policy, Data Protection Policy, Change Management Policy, Account Management Policy Mobile Device Policy, Supplier Risk Management Policy, Threat Management Policy, Vulnerability Management Policy, and others.


Want to know more? Reach out to us at