Enterprise-Grade Data Protection
Trust Threads to keep your data secure and meet your compliance requirements
Protecting your data at every layer is a core function of our platform. Earning and keeping our community's trust is a top priority, and as such, we hold ourselves to the highest security and privacy standards and best practices.
SOC 2 Type II
Our SOC 2 Type II report attests to the controls we have in place governing the security and confidentiality of customer data, as they map to the Trust Services Principles (TSPs) established by the American Institute of Certified Public Accountants (AICPA). The report confirms that Threads has the appropriate controls in place to mitigate risks related to security and confidentiality.
Threads complies with all applicable privacy laws and regulations, and is committed to compliance with the General Data Protection Regulation (GDPR) requirements on the storage and deletion of user data.
Threads complies with the California Consumer Privacy Act (CCPA), a state statute intended to enhance privacy rights and consumer protection for residents of California, United States.
Please email firstname.lastname@example.org to request a copy of our CCPA Addendum.
Additional Security Features
Single sign-on support via SAML for Google, Okta, and OneLogin.
SCIM through Okta
System for Cross-domain Identity Management (SCIM) through Okta for automatic provisioning and de-provisioning of users.
Custom Session Timeouts
Threads allows those on the Enterprise plan to customize session timeout length to fit their security risk tolerance.
Control who can manage, view, and edit forums with granular permissions.
Ability to provide and revoke access to roles.
Fully featured eDiscovery workflows to search, place legal holds, and export content.
Ability to set global and forum based retention limits on content before it is permanently deleted.
We support TOTP codes (via Google Authenticator, Duo, 1Password) and security keys (via YubiKey, Google Titan) as second factors for authentication.
Organization-wide login requirements
Ability to set a minimum password length, require uncompromised passwords, and require 2FA.
Restrict user access to approved email domains.
- Web application and API are only accessible to end users over HTTPS.
- We have appropriate rate limits, alerting, and logging on all API calls.
- In our Software Development Lifecycle, all backend code must be reviewed and include extensive security and correctness tests.
- We have separate development, staging, and production environments. All code is tested before reaching production by our QA process.
- We are hosted entirely on AWS.
- We have daily backups of our production databases with replicas available for failover.
- We follow a least-privilege policy for access to secrets. Secrets are rotated.
- We have measures in place for intrusion detection and prevention. Our servers run IDS/IPS, malware detection, vulnerability detection, and application control software.
- We send detailed logs and audit trails from our infrastructure, admin tools, and management tools to a centralized logging environment. The logs and audit trails are monitored and alerted upon.
User Data and Privacy
- User data is encrypted in transit and at rest.
- All database credentials are stored securely and rotated regularly.
- Database user accounts have least-privileged access.
- All database queries are logged, monitored, and alerted upon for unusual activity.
- We do background checks on all employees.
- We use MDM to manage and enforce security policies on all laptops, including authentication mechanisms.
- All employees go through ongoing security training.
- We maintain and enforce a number of security policies, including: Information Security Policy, Data Protection Policy, Change Management Policy, Account Management Policy, Mobile Device Policy, Supplier Risk Management Policy, Threat Management Policy, Vulnerability Management Policy, and others.
Want to know more? Reach out to us at email@example.com.