Security

Last updated: May 13, 2026

Transport security

HTTPS everywhere, with HSTS enabled (max-age of 15 million seconds). Strict CSP on the authenticated app. Modern TLS versions only.

Authentication

  • Passwords hashed with bcrypt (PHP password_hash default)
  • Optional TOTP-based two-factor authentication (any standard authenticator app)
  • Sessions stored server-side in the database, never in JWTs
  • Session lifetime: 8h idle / 30d absolute
  • CSRF tokens on every state-changing form, auto-injected into the page

Authorization

  • Workspace-scoped: every API query filtered by your active workspace
  • Role gating (owner / admin / member) on sensitive actions
  • Magic links: single-use, expirable tokens scoped to one participant on one project

Data at rest

Database storage is encrypted at the volume level by our hosting provider. Attachments live in a web-blocked directory; downloads are gated through an authorization-checked PHP handler — no direct filesystem URLs.

Webhooks

  • Outbound: optional HMAC-SHA256 signing per webhook URL
  • Inbound: optional shared-secret header check + per-token rate limiting
  • Idempotency keys on every outbound delivery

Inbound email + SMS

  • SMS: Twilio signature verification on every inbound message
  • Email: the IMAP poller authenticates against your configured mailbox
  • Routing keyed on workspace + project, never on user-controlled identifiers

Audit logging

Every workspace-mutating action writes to an audit log: who, what, when. Available to workspace owners on request.

Responsible disclosure

Found a vulnerability? Email support@thredlink.com with the subject line Security report. We'll acknowledge within 2 business days and fix high-severity issues before public disclosure. We're a small team — please don't run automated scans against production. We'll happily provide a staging environment if you ask.

What we don't yet have (and what we're working toward)

  • SOC 2 — planned, not yet certified
  • Customer-managed encryption keys — on the roadmap for Enterprise
  • Single sign-on (SAML / OIDC) — on the roadmap for Enterprise

Need any of these before signing? Talk to us.