Security Policy

Effective Date: October 1, 2025

1. Our Commitment to Security

At ThreadLock, security is a top priority. We understand that you're entrusting us with sensitive personal information, and we take that responsibility seriously. This policy outlines the security measures we've implemented to protect your data and our platform.

2. Authentication and Access Control

2.1 User Authentication

We use Firebase Authentication, which provides:

  • Secure password hashing using industry-standard algorithms
  • Multi-factor authentication (MFA) options
  • Protection against brute force attacks
  • Secure session management

2.2 Role-Based Access Control (RBAC)

Access to your data is controlled through role-based permissions. Only you (and any users you explicitly authorize) can access your account and data.

3. Data Encryption

3.1 Encryption in Transit

All data transmitted between your device and our servers is encrypted using:

  • TLS 1.2 or higher (Transport Layer Security)
  • Strong cipher suites
  • HTTPS for all web communications

3.2 Encryption at Rest

All data stored in our databases is encrypted at rest using:

  • AES-256 encryption
  • Managed encryption keys
  • Encrypted backups

4. Infrastructure Security

We leverage industry-leading cloud infrastructure providers:

  • Firebase/Google Cloud: For data storage and authentication
  • Vercel: For web hosting and edge network delivery

These providers maintain:

  • SOC 2 Type II certification
  • ISO 27001 certification
  • Regular third-party security audits
  • Physical security controls for data centers
  • Network security and DDoS protection

5. Application Security

5.1 Secure Development Practices

We follow secure coding practices, including:

  • Regular dependency updates
  • Automated security scanning
  • Code review processes
  • Input validation and sanitization
  • Protection against common vulnerabilities (OWASP Top 10)

5.2 Security Headers

We implement security headers to protect against common web vulnerabilities:

  • Content Security Policy (CSP)
  • X-Frame-Options
  • X-Content-Type-Options
  • Strict-Transport-Security (HSTS)
  • Referrer-Policy

6. Monitoring and Incident Response

We actively monitor our systems for security threats and anomalies:

  • Real-time logging and monitoring
  • Automated alerting for suspicious activity
  • Regular security audits and assessments
  • Incident response procedures

7. Data Backup and Recovery

We maintain regular backups of your data to protect against data loss:

  • Automated daily backups
  • Encrypted backup storage
  • Geographic redundancy
  • Tested disaster recovery procedures

8. Third-Party Security

We carefully vet third-party service providers and ensure they meet our security standards:

  • Due diligence reviews
  • Contractual security requirements
  • Regular security assessments
  • Data processing agreements (DPAs)

9. Employee Access and Training

We limit and control employee access to user data:

  • Principle of least privilege
  • Background checks for employees with data access
  • Regular security training
  • Confidentiality agreements
  • Access logging and auditing

10. Your Security Responsibilities

Security is a shared responsibility. You can help protect your account by:

  • Using a strong, unique password
  • Enabling multi-factor authentication
  • Keeping your login credentials confidential
  • Logging out when using shared devices
  • Reporting suspicious activity immediately
  • Keeping your email account secure

11. Responsible Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to us at:

Security Email: info@threadlock.ai

Please include:

  • A description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact
  • Any suggested remediation

We commit to:

  • Acknowledging your report within 48 hours
  • Providing regular updates on our progress
  • Crediting you for responsible disclosure (if desired)
  • Not pursuing legal action against good-faith security researchers

12. Security Incident Notification

In the event of a security breach that affects your personal data, we will:

  • Notify affected users without undue delay
  • Provide information about the nature of the breach
  • Describe the steps we're taking to address the issue
  • Recommend actions you can take to protect yourself
  • Comply with all applicable data breach notification laws

13. Updates to This Policy

We may update this Security Policy from time to time to reflect changes in our practices or regulatory requirements. We will post any updates on this page with an updated "Effective Date."

14. Contact Information

If you have questions or concerns about security, please contact us at:

Email: info@threadlock.ai

15. Related Policies

  • Privacy Policy
  • Terms of Service

Important: ThreadLock is an organizational tool, not a law firm. We do not provide legal advice, representation, or attorney-client relationships. Our platform helps you organize and manage your materials, but we are not a substitute for speaking with a licensed attorney if you have legal questions. Results may vary, and we cannot guarantee specific outcomes in any legal matter.

© 2025 ThreadLock