Security
How we protect customer data, credentials, and platform integrity.

| Control area | Implementation |
|---|---|
| Transport encryption | TLS 1.2+ on all endpoints. HSTS enabled in production. |
| Exchange API keys | AES-256 encryption at rest. Read-only scopes enforced in UI. No withdrawal permissions requested. |
| Authentication | Industry-standard sessions, MFA available, bot protection on auth routes. |
| Authorization | Row-level security on user data. Admin routes require explicit auth + role checks. |
| Secrets | Environment variables only — never in source control. Documented rotation runbooks. |
| Rate limiting | Redis-backed rate limits on sensitive API routes and checkout endpoints. |
| Webhooks | Payment and identity webhook signatures verified on every request. |
| Bot / abuse | Multi-layer bot detection, scraper guards on public API routes. |
| Error monitoring | Production error tracking — metadata only; journal bodies and API keys excluded from payloads. |
| CI security | Automated security check script covering cron auth, admin guards, and sensitive patterns. |
| Disaster recovery | Point-in-time database recovery, documented DR runbook, quarterly restore drills. |

Business continuity

- RPO: ≤ 5 minutes (point-in-time recovery)
- RTO: ≤ 4 hours for full platform restore (target)
- Status: thrive.fi/status

Certifications roadmap

SOC 2 Type I is on our acquisition-readiness roadmap. Current controls align with SOC 2 Trust Service Criteria for Security and Confidentiality. Penetration testing is scheduled prior to enterprise tier launch. To request our security questionnaire (SIG Lite / CAIQ), email cs@thrive.fi with the subject "Security questionnaire".

Report a vulnerability

See our Vulnerability Disclosure Policy or email security@thrive.fi.