Security

Security Built for the AI Era

Governed Access. Governed Execution. Enterprise Trust.

ThreadSync secures both AI access and AI execution with enterprise-grade controls, audit trails, and defined boundaries at every layer.

  • SHA-256 key hashing
  • Default-deny permission model
  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • SOC 2 Aligned controls
  • PKCE browser sessions
  • Sandboxed execution
  • Audit-grade logs

Governed AI Access

LLM Gateway Security

Every model request passes through policy enforcement, rate controls, and audit logging before reaching a provider. No raw credentials leave your perimeter.

Governed Model Access Controls

Policy enforcement at the API boundary
  • Org-scoped API keys with provider and model allowlists
  • Per-key team assignment with granular permissions
  • SHA-256 key hashing — no raw key persistence
  • Error sanitization preventing credential leakage in responses

Rate Limiting & Budget Controls

Prevent runaway spend and abuse
  • Atomic slot reservation for concurrent request limits
  • Hourly sliding-window rate enforcement per key
  • Daily and monthly budget caps per key and per team
  • Per-request cost tracking with real-time spend visibility

Browser-Safe PKCE Sessions

Secure client-side authentication
  • PKCE flow with signed proof-of-possession tokens
  • No long-lived secrets exposed to browser contexts
  • Session-scoped access with automatic expiry
  • Origin-bound token validation prevents replay attacks

Audit Logging

Complete request-level observability
  • Every request logged: key, model, provider, tokens, cost
  • Structured JSON audit records for SIEM ingestion
  • Error events captured without leaking sensitive payloads
  • Immutable log storage with configurable retention

Governed Execution

Magic Runtime Security

AI-generated code executes inside sandboxed environments with capability-based permissions, contract enforcement, and hash-chained audit logs.

Sandboxed Execution Environments

Process-level isolation by default
  • Process isolation via cgroups and seccomp profiles
  • Read-only root filesystems with scoped writable layers
  • Network egress restricted to declared endpoints
  • Resource limits (CPU, memory, wall-clock) per execution

Capability-Based Permissions

Default-deny with explicit grants
  • Default-deny permission model — nothing runs without a grant
  • Declared inputs, outputs, and permissions per contract
  • Fine-grained capabilities: filesystem, network, secrets access
  • Permission escalation requires explicit operator approval

Contract Enforcement

Declared behavior, enforced at runtime
  • Every execution declares expected inputs, outputs, and side effects
  • Runtime validates contract compliance before and after execution
  • Deterministic errors via structured error catalog — no opaque failures
  • Contract violations terminate execution and trigger alerts

Immutable Audit Logs

Hash-chained, tamper-evident records
  • SHA-256 hash-chained log entries — tamper-evident by design
  • Full execution trace: inputs, outputs, permissions used, duration
  • Exportable to compliance and SIEM systems
  • Retention policies configurable per organization

Platform

Platform Security

The infrastructure beneath LLM Gateway and Magic Runtime is hardened at every layer.

Encryption

Data protection at rest and in transit
  • AES-256-GCM encryption at rest for all stored data
  • TLS 1.3 enforced for all data in transit
  • Customer-managed keys (BYOK) available on Enterprise plans
  • Automatic key rotation on configurable schedules

Identity & Access

Zero-trust identity controls
  • SAML 2.0 and OIDC single sign-on
  • Role-based access control (RBAC) with least-privilege defaults
  • Multi-factor authentication enforced for all accounts
  • IP allowlisting and session timeout policies

Network & Infrastructure

Container-hardened architecture
  • Container hardening with read-only filesystems
  • Private networking with strict ingress/egress rules
  • Immutable infrastructure deployments — no SSH to production
  • Automated vulnerability scanning on every build

Monitoring & Observability

Continuous visibility via Wallace
  • 24/7 monitoring with anomaly detection and alerting
  • Wallace observability integration for correlated telemetry
  • Distributed tracing across Gateway, Runtime, and infrastructure
  • Incident response with defined severity levels and escalation

Architecture

Defense in Depth

Multiple security layers ensure no single point of failure from edge to execution.

  • Edge Protection: WAF, DDoS mitigation, TLS termination
  • API Policy Layer: key validation, allowlists, rate limiting, budget enforcement
  • Execution Sandbox: cgroups, seccomp, capability grants, contract enforcement
  • Data Layer: AES-256 encrypted storage, key rotation, RBAC
  • Audit Layer: hash-chained logs, SIEM integration, Wallace observability

Compliance

Compliance & Trust

ThreadSync maintains security controls aligned with industry standards and provides transparency into our security posture.

SOC 2 Aligned Controls

Continuous compliance monitoring
  • Controls mapped to SOC 2 Type II Trust Service Criteria
  • Annual third-party penetration testing
  • Pre-filled CAIQ, SIG Lite, and custom security questionnaires
  • Data residency options (US/EU)

Transparency

Open documentation of our practices

FAQ

Security FAQ

Common questions from security and compliance teams.

API keys are SHA-256 hashed at creation and never stored in plaintext. Provider credentials are injected server-side and never exposed to client requests. Error responses are sanitized to strip any credential fragments, connection strings, or internal identifiers before reaching the caller.

Every execution runs inside a sandboxed environment with cgroups for resource limits and seccomp for syscall filtering. The filesystem is read-only by default with scoped writable layers. Network egress is restricted to endpoints declared in the execution contract. Capability-based permissions follow a default-deny model — nothing runs without an explicit grant.

Magic Runtime audit logs are SHA-256 hash-chained, making any modification to a prior entry detectable. LLM Gateway audit logs capture every request with key, model, provider, token count, and cost. Both log streams support export to external SIEM systems and have configurable retention policies per organization.
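The hash-chaining described here and in the Immutable Audit Logs section above, shown as an added example (not ThreadSync code). It assumes a fixed genesis sentinel as the first entry's prev_hash, an illustrative record schema, and that each entry's hash covers the previous hash plus a canonical JSON encoding of its record; the verifier reports the first entry that fails, and the tamper helper shows why rehashing an altered old entry still breaks the link from its successor.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry (assumed sentinel, not from the page)

def canonical(record):
    """Deterministic JSON (sorted keys, no whitespace) so the hash is reproducible."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def entry_hash(prev_hash, record):
    """SHA-256 over the previous entry's hash followed by the canonical record."""
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()

def append(log, record):
    """Append a record, linking it to the current chain head."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev_hash": prev_hash,
                "hash": entry_hash(prev_hash, record)})
    return log[-1]

def verify(log):
    """Return -1 if the chain is intact, else the index of the first entry that fails."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != expected_prev:
            return i  # link to the previous entry is broken
        if entry["hash"] != entry_hash(entry["prev_hash"], entry["record"]):
            return i  # the entry's own content was altered
        expected_prev = entry["hash"]
    return -1

# Constructed sample execution trace; field names are illustrative, not ThreadSync's schema.
SAMPLE_TRACE = [
    {"execution_id": "exec-001", "inputs_sha256": hashlib.sha256(b"prompt-a").hexdigest(),
     "permissions_used": ["fs:read", "net:api.example.com"], "duration_ms": 412},
    {"execution_id": "exec-002", "inputs_sha256": hashlib.sha256(b"prompt-b").hexdigest(),
     "permissions_used": ["fs:read"], "duration_ms": 97},
]

def build_log():
    log = []
    for record in SAMPLE_TRACE:
        append(log, dict(record))
    return log

def tamper_and_rehash(log, index, field, value):
    """Alter an old entry and recompute its hash; the next entry's prev_hash still holds the old hash."""
    log[index]["record"][field] = value
    log[index]["hash"] = entry_hash(log[index]["prev_hash"], log[index]["record"])
    return verify(log)
```

Rewriting and rehashing the newest entry is not caught by the chain alone, so the current head hash must be anchored somewhere the log writer cannot modify (an external store, a signed checkpoint, or the SIEM copy) for the tamper evidence to hold for the tail as well.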
ThreadSync maintains security controls aligned with SOC 2 Type II Trust Service Criteria. Our infrastructure providers hold SOC 2 certifications. Our security package, including detailed control mappings and penetration test summaries, is available under NDA for qualified prospects. Contact security@threadsync.io to request.

Yes. We provide pre-filled responses to CAIQ, SIG Lite, and custom security questionnaires. Our security package includes architecture diagrams, control documentation, and penetration test summaries. Contact security@threadsync.io to request.

Ready to Evaluate Our Security Posture?

Get our comprehensive security package, schedule an architecture review, or explore our Trust Center for live documentation.

Security package available under NDA for qualified enterprise prospects