Compliance & Security
Security controls, privacy, exchange partner disclosures, and due diligence information.
Compliance & Security Overview
Thrive DeFi, LLC operates Thrive as a market intelligence and journaling platform. We are not a broker, exchange, custodian, or investment adviser. This page summarizes our security posture and regulatory disclosures for due diligence.
Not financial advice
Security Controls
| Exchange API keys | Encrypted at rest. Read-only permissions enforced in UI copy and onboarding. No withdrawal scopes requested. |
| Authentication | Industry-standard sessions. MFA available. Session management via secure tokens. |
| Transport | HTTPS everywhere. HSTS in production. |
| Rate limiting | Redis-backed rate limits on all sensitive API routes. |
| Webhook verification | Payment and identity webhooks signature-verified. |
| Error monitoring | Production error tracking (metadata only — no journal bodies or API keys). |
| AI providers | Third-party AI inference — user data not used to train public models (see Privacy Policy §7). |
| Secrets | Environment variables only — never committed to source control. |
Data & Privacy
We collect account email, usage analytics, trade journal data you provide, and encrypted exchange credentials. We do not sell personal data. See our Privacy Policy.
| GDPR / UK GDPR / CCPA | Cookie consent on thrive.fi. Self-serve data export and account deletion in Settings. Requests: privacy@thrive.fi. |
| Data residency | US/EU regions per infrastructure configuration. |
| AI processing | User trade data for AI features is isolated per user — not used to train public models. See Privacy Policy §7. |
| Subprocessors | High-level categories published in Trust Center. Full vendor list available under enterprise DPA. |
Exchange Partner Disclosures
Thrive may display referral links to third-party exchanges. If you open an account through these links, Thrive may receive a referral fee from the exchange. You trade directly on the exchange — Thrive does not hold customer funds or execute orders. Outbound clicks are logged for aggregate reporting (partner, placement, timestamp) — not for order routing.
Certifications Roadmap
SOC 2 Type I assessment is on our acquisition-readiness roadmap. Current controls align with SOC 2 Trust Service Criteria for Security and Confidentiality. Enterprise buyers may request our security questionnaire via cs@thrive.fi.
Due Diligence Package
Our public Trust Center includes processor categories, retention schedule, security controls, incident response, and regulatory position. Under NDA, acquirers may also request:
- Revenue / subscriber export
- Verified exchange-sync volume attestation from admin analytics
- Full vendor register and data licensing summary
- IP assignment documentation for Thrive signals and workbench
- SOC 2 readiness summary and security questionnaire (SIG Lite)
Trust Center: Subprocessors · Retention · Security · Enterprise
Contact cs@thrive.fi with subject line "Due diligence request".