Security & Data Protection

What we mean when we say your data is safe.

This is the full technical explanation. Not a marketing summary — the actual architecture. Every claim here is pulled directly from the Throughline codebase.

Authentication & Access Control

  • Supabase Auth with encrypted, cookie-based sessions — no tokens stored in localStorage

  • Every protected route verified server-side before any page or data loads

  • Role-based access: User, Company Admin, Super Admin — each with distinct permissions

  • Admin areas double-gated: middleware check plus server-side role verification

Row-Level Security — Database Isolation

  • Every table in the database enforces Row-Level Security at the PostgreSQL level

  • Users can only read, create, update, or delete their own data — enforced by the database engine itself, not application code

  • Company admins can only see their own organisation's team data — no cross-tenant access is possible

  • Audit logs are scoped: admins see company activity, users see only their own

AI Safety & Guardrails

  • All AI requests are rate-limited: 6 per minute, 60 per day per user

  • Input size validation: maximum 12,000 characters per request

  • Content filtering blocks prompt injection and jailbreak attempts

  • Every AI request is logged with user ID, endpoint, input size, and timestamp

Audit Trail

  • Full audit logging across 16+ action types: story creation, AI usage, admin changes, login/logout

  • Each log captures: actor, action, target, IP address, user agent, and timestamp

  • Audit logs are tamper-resistant — insert-only from client side, no delete or update policies
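The following SQL is an added illustration of the Row-Level Security model and the insert-only audit trail described in the two sections above; it is not Throughline's own schema. Table and column names are assumed, and auth.uid() is the Supabase helper that returns the calling user's id inside a policy.

```sql
-- Assumed tables, not Throughline's schema: one membership row per user per
-- company, and an append-only audit log with the fields listed above.
create table memberships (
  user_id    uuid not null,
  company_id uuid not null,
  role       text not null check (role in ('user', 'company_admin')),
  primary key (user_id, company_id)
);

create table audit_log (
  id         bigint generated always as identity primary key,
  actor_id   uuid not null default auth.uid(),
  company_id uuid not null,
  action     text not null,
  target     text,
  ip         inet,
  user_agent text,
  created_at timestamptz not null default now()
);

-- With RLS enabled and no matching policy, every statement is denied for
-- the anon/authenticated roles; each policy below opens exactly one path.
alter table memberships enable row level security;
alter table audit_log   enable row level security;

create policy memberships_self on memberships
  for select to authenticated
  using (user_id = auth.uid());

-- Append-only: a client may insert rows attributed to itself, and nothing
-- else. No UPDATE or DELETE policy exists, so the engine rejects those
-- statements regardless of what application code asks for.
create policy audit_append on audit_log
  for insert to authenticated
  with check (actor_id = auth.uid());

-- Users see only their own activity.
create policy audit_read_own on audit_log
  for select to authenticated
  using (actor_id = auth.uid());

-- Company admins additionally see activity across their own organisation
-- and nothing from any other tenant (SELECT policies are OR'ed together).
create policy audit_read_company on audit_log
  for select to authenticated
  using (company_id in (
    select company_id from memberships
    where user_id = auth.uid() and role = 'company_admin'));
```

A quick check of the model: connecting as an ordinary user and running `update audit_log set action = 'x'` or `delete from audit_log` reports zero rows affected, because no policy grants either operation.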

Data Retention & Compliance

  • Admin-configurable data retention policies per organisation

  • Automated purge capability for stories and logs that fall outside the retention window

  • Feature flags allow granular control over functionality per company

Infrastructure

  • Hosted on Vercel (SOC 2 Type II compliant)

  • Database on Supabase (SOC 2 Type II, ISO 27001 certified, built on AWS)

  • All data encrypted in transit (TLS 1.2+) and at rest (AES-256)

  • No sensitive API keys exposed to the browser — server-side only

  • Service role credentials exist but are never invoked in application code — all access goes through the restricted anon key with RLS enforcement

Trial & Licensing

  • 7-day free trial with automatic expiry gating

  • Expired trials blocked at middleware, server actions, and AI endpoints — triple enforcement

  • Smart notifications at day 1, midpoint, and final 24 hours

Infrastructure Compliance

  • Vercel — SOC 2 Type II

  • Supabase — SOC 2 Type II

  • Supabase — ISO 27001

  • TLS 1.2+ in transit

  • AES-256 at rest