Security

How we protect customer data.

We sell to compliance professionals. Our own data handling has to meet the bar we ask our customers to enforce on their vendors.

Infrastructure

Thorgate runs on a managed VPS hosted in the United States, behind nginx with TLS 1.3 enforced for all connections. The application database (MariaDB) and document archive (separate MariaDB instance) are isolated with distinct credentials, accessible only from the application host on a private interface.

HTTP traffic is served only over HTTPS. The application enforces a Content Security Policy and standard security headers. Session cookies are HttpOnly, Secure, and SameSite=Lax.
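As an added check, not code from the Thorgate page or product, the following Python audits a response's headers against the posture just described (HSTS, a Content Security Policy, and session cookies flagged HttpOnly, Secure and SameSite=Lax). Treating HSTS and X-Content-Type-Options as the "standard security headers" is an assumption, and the sample headers are constructed.

```python
# Expected on every response, with a substring each value must contain. HSTS and nosniff
# are assumed "standard security headers"; CSP and the cookie flags are stated on the page.
REQUIRED_HEADERS = {
    "strict-transport-security": "max-age=",
    "content-security-policy": "default-src",
    "x-content-type-options": "nosniff",
}

def audit_cookie(header: str) -> list[str]:
    """Findings for one Set-Cookie value: HttpOnly, Secure and SameSite=Lax (or Strict)."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for attr in parts[1:]:  # flag attributes such as HttpOnly carry no value
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    findings = [f"cookie {name}: missing {flag}" for flag in ("HttpOnly", "Secure")
                if flag.lower() not in attrs]
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        findings.append(f"cookie {name}: SameSite must be Lax or Strict, got {samesite!r}")
    return findings

def audit_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Return findings for a response's (name, value) headers; empty means it matches."""
    by_name: dict[str, list[str]] = {}
    for key, value in headers:
        by_name.setdefault(key.lower(), []).append(value)
    findings = []
    for name, needle in REQUIRED_HEADERS.items():
        values = by_name.get(name)
        if not values:
            findings.append(f"missing header: {name}")
        elif needle not in values[0].lower():
            findings.append(f"{name}: expected to contain {needle!r}")
    for cookie_header in by_name.get("set-cookie", []):
        findings.extend(audit_cookie(cookie_header))
    return findings

# Constructed samples (not captured from any server): one matching the posture above, one not.
HARDENED = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
]
WEAK = [
    ("Content-Security-Policy", "default-src 'self'"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; SameSite=None"),
]
```

Feed it the header list from any HTTP client response to confirm the flags are actually being set on the session cookie, not just documented.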

What we collect

Account data: name, email, hashed password, account membership, billing identifiers (managed by Stripe). We don't collect or store credit card numbers — Stripe holds those.

Vendor tracking data: the URLs you choose to monitor and the resulting fetched content. Our crawlers ingest only public document content from public URLs.

Operational telemetry: server logs (access + error), failed-job logs, API consumption metrics. We don't run third-party analytics, advertising trackers, or session replay tools.

How long we keep it

Account data is retained for the life of the subscription plus 60 days after cancellation. Document version history is retained per your plan: 12 months on Starter, indefinite on Pro and Scale.

You can request export or deletion of your data at any time via support@thorgate.com.

Subprocessors we use

We use a small set of vendors to deliver the service. We track our own subprocessor list publicly — we'd ask the same of any vendor we evaluate.

  • Hosting and database: our managed VPS provider — application hosting, MariaDB, queue infrastructure.
  • Email delivery: Mailjet — transactional and digest email sending.
  • Document fetching: Jina Reader — fetches Cloudflare-protected pages our direct crawler can't reach. We send only public URLs; no customer data is shared.
  • AI summarization: Anthropic (Claude) — generates change summaries, severity classifications, and structured fact extraction. We send only public document content; no customer-account data is shared.
  • Payment processing: Stripe — subscription billing, payment processing, customer portal.

We update this list when we change subprocessors. If you'd like to be notified before we add a new one, email support@thorgate.com.

Compliance posture

Thorgate is in the process of pursuing SOC 2 Type II attestation. Target: complete the observation period within 12 months of public launch. We will publish progress here as we reach milestones.

We do not currently hold ISO 27001 or HIPAA certifications. We do not handle PHI; HIPAA is not in scope.

Incident response

If we detect or are notified of a security incident affecting customer data, we will notify affected customers as soon as practicable, in line with GDPR Article 33 (typically within 72 hours of confirmation). Notification will include: scope of impact, what was accessed or affected, remediation steps taken, and recommended customer-side actions.

To report a suspected vulnerability or incident: support@thorgate.com.

Data residency and transfers

Our infrastructure runs in the United States. If you're an EU/UK customer subject to GDPR, the transfer to the US is covered under our Data Processing Agreement (DPA), which incorporates the EU Standard Contractual Clauses. If you require EU-only data residency, get in touch — we're tracking demand for an EU region.

Authentication

Email + password auth at launch. Two-factor authentication and SAML/SSO are on the roadmap; SSO will likely be a Scale-tier feature when it ships.

Frequently asked

Security questions

Where is my data stored?
In our managed VPS instance in the United States. Account metadata in one MariaDB instance, document content in a separate one.

Do you train AI on customer data?
No. The data sent to Anthropic for summarization and extraction is public document content (privacy policies, terms, etc. — already published by the vendors themselves). Anthropic does not use API content for model training. We don't send any customer-account data, settings, or usage patterns to Anthropic.

Can I get a Data Processing Agreement (DPA)?
Yes. Our DPA is published at /legal/dpa and is incorporated automatically when you subscribe. If you need a counter-signed copy on letterhead, email support@thorgate.com.

Are you SOC 2 certified?
Not yet. We're targeting SOC 2 Type II attestation within 12 months of public launch. Progress is published on this page.

How do I delete my data?
Cancel your account from billing settings; data is purged after a 60-day grace period (during which you can recover the account). For an immediate deletion, email support@thorgate.com.

Do you have a public bug bounty?
Not yet — we're a small team. Responsible disclosure is welcome at support@thorgate.com; we aim to acknowledge promptly.