Security & Trust
ThothOS is multi-tenant B2B software, so our #1 priority is tenant isolation: your company’s data is never visible to another company. Here is what we actually do today.
Tenant isolation
- One identity chokepoint. Every request passes through a single middleware that is the only place allowed to assert who you are; an identity-forgery vector was found and closed.
- Per-tenant scoping at the data layer. Every data resolver is confined to the caller’s own company; a user in one company cannot reach another’s data even with a forged request.
- Verified continuously: a role-matrix suite runs 312 checks across every dashboard route × role with 0 failures, plus a cross-tenant isolation gate on deploy.
- The build fails if isolation regresses — static guards block any change that would open a cross-tenant hole.
Data protection
- Encryption in transit (HTTPS/TLS).
- Encryption at rest for personal identity data (email, phone, address) with searchable blind indexes.
- Field encryption uses versioned keys, so keys can be rotated without re-exposing or losing data.
- Sessions validated server-side; tokens stored only as SHA-256 hashes.
- Tamper-evident, hash-chained audit logging with long-term archival.
Compliance
[IN PROGRESS] SOC 2 readiness (controls implemented; formal attestation pending) and a signable DPA. We do not claim certifications we do not yet hold.
Report a vulnerability
Email [NEEDS MATTHEW: security@ inbox]. We’ll acknowledge and respond promptly.
See our Privacy Policy, DPA, and Sub-processor list.