Security highlights
Certifications
Claimed — evidence required
{{PLACEHOLDER:certs_summary}}
Penetration testing
Last test: {{PLACEHOLDER:pentest_highlight_date}}. No critical findings open.
Encryption
All traffic over HTTPS with HSTS enforced. Data encrypted at rest by cloud provider. Passwords hashed with PBKDF2 + salt.
Authentication
TOTP-based MFA available for all users. Rate-limited login with temporary lockouts. Signed session cookies with Secure, HttpOnly, SameSite flags.
Contact and vulnerability disclosure
Security contact
Report security issues to
{{PLACEHOLDER:security_email}}.
Please do not use public issue trackers for security reports.
PGP / GPG key
For encrypted communications, use our PGP key:
{{PLACEHOLDER:pgp_key_block_or_url}}
Vulnerability disclosure policy
Read the full policy at
{{PLACEHOLDER:vd_policy_url}}.
{{PLACEHOLDER:vd_policy_summary}}
Bug bounty
{{PLACEHOLDER:bug_bounty_program_url_or_none}}
Safe harbour
We consider security research conducted in good faith to be authorised and will not pursue legal action
against researchers who follow our disclosure policy. We ask that you make a good-faith effort to avoid
privacy violations, data destruction, and service disruption during your research. We will work with you
to understand and resolve issues quickly.
Certifications & audits
| Certification | Status | Auditor | Scope | Date |
| --- | --- | --- | --- | --- |
| SOC 2 Type II | Claimed — evidence required {{PLACEHOLDER:soc2_status_and_link}} | {{PLACEHOLDER:soc2_auditor}} | {{PLACEHOLDER:soc2_scope}} | {{PLACEHOLDER:soc2_date}} |
| ISO 27001 | Claimed — evidence required {{PLACEHOLDER:iso27001_status_and_link}} | {{PLACEHOLDER:iso27001_auditor}} | {{PLACEHOLDER:iso27001_scope}} | {{PLACEHOLDER:iso27001_date}} |
Requesting full reports
Customers and prospective customers can request full audit reports under NDA.
{{PLACEHOLDER:audit_report_request_process}}
Penetration testing & vulnerability management
Latest penetration test
Date: {{PLACEHOLDER:pentest_date}}
Scope: {{PLACEHOLDER:pentest_scope}}
Executive summary
{{PLACEHOLDER:pentest_exec_summary}}
Remediation SLA
{{PLACEHOLDER:pentest_remediation_sla}}
Dependency & CVE policy
Dependencies are pinned and managed with pip-tools.
Automated alerts via Dependabot and pip-audit
flag known vulnerabilities. Critical CVEs are triaged within 24 hours.
Technical controls
Encryption & transport
- HTTPS / HSTS: enforced on all connections. HSTS header includes
max-age and includeSubDomains.
- TLS versions: {{PLACEHOLDER:tls_versions_supported}}
- Encryption at rest: database volumes encrypted by cloud provider. Algorithms: {{PLACEHOLDER:encryption_at_rest_algorithms}}
- Key management: {{PLACEHOLDER:key_management_provider_and_rotation_policy}}
- Customer-managed keys: {{PLACEHOLDER:cust_kms_option}}
- Passwords: hashed with PBKDF2 + per-user salt. Never stored in plaintext.
- Uploaded files: stored in private buckets and served via signed, time-limited URLs.
Authentication & authorisation
- SSO: {{PLACEHOLDER:sso_saml_oidc_guide_link}}
- MFA: TOTP-based two-factor authentication is available for all accounts. Backup codes provided at enrolment.
- RBAC: role-based access control with object-level permission checks. Supervisees control visibility to linked supervisors. Supervisors have read-only access by default.
- Session TTL: {{PLACEHOLDER:session_ttl}}
- Login protection: rate-limited with temporary account/IP lockouts after repeated failures (django-axes). CSRF protection enabled on all forms.
API & application hardening
- API auth: {{PLACEHOLDER:api_auth_scheme}}
- Rate limiting: {{PLACEHOLDER:api_rate_limits}}
- Security headers: Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy headers configured via Django middleware.
- WAF / DDoS: {{PLACEHOLDER:waf_ddos_provider}}
- Input validation: Django ORM parameterisation prevents SQL injection. All user input validated through Django forms. Template auto-escaping prevents XSS. File uploads restricted by type and size.
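A checker for the transport and header controls listed in the two lists above (HSTS with max-age and includeSubDomains, the security headers, and the Secure/HttpOnly/SameSite session cookie), written as an added example rather than Thothly's own code; the two sample responses and the MIN_HSTS_AGE threshold are constructed assumptions, not values from this page.

```python
"""Verify a raw HTTP response against the transport, header and cookie
controls claimed above. Added example, not Thothly's code; the sample
responses are constructed and MIN_HSTS_AGE is an assumed threshold."""
import re

MIN_HSTS_AGE = 31536000  # one year in seconds (assumption, not from the page)
SECURITY_HEADERS = ("content-security-policy", "x-frame-options", "referrer-policy")
COOKIE_FLAGS = ("secure", "httponly", "samesite=")  # flags the page requires


def parse_headers(raw):
    """Return [(name_lower, value)] for the header block of a raw response."""
    headers = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_response(raw):
    """Map each control named on the page to True (present and correct) or False."""
    headers = parse_headers(raw)
    first = {n: v for n, v in reversed(headers)}  # first occurrence wins
    results = {}
    hsts = first.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts, re.I)
    results["hsts"] = (bool(age) and int(age.group(1)) >= MIN_HSTS_AGE
                       and "includesubdomains" in hsts.lower())
    for name in SECURITY_HEADERS:
        results[name] = name in first
    results["x-content-type-options"] = first.get("x-content-type-options", "").lower() == "nosniff"
    session = [v for n, v in headers if n == "set-cookie" and v.lower().startswith("sessionid=")]
    results["session_cookie"] = bool(session) and all(f in session[0].lower() for f in COOKIE_FLAGS)
    return results


def failed_controls(raw):
    """Sorted names of the controls the response does not satisfy."""
    return sorted(k for k, ok in check_response(raw).items() if not ok)


# Constructed sample responses: one meeting the page's controls, one not.
GOOD = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
        "Content-Security-Policy: default-src 'self'\r\nX-Content-Type-Options: nosniff\r\n"
        "X-Frame-Options: DENY\r\nReferrer-Policy: same-origin\r\n"
        "Set-Cookie: csrftoken=abc; Secure; SameSite=Lax\r\n"
        "Set-Cookie: sessionid=xyz; Secure; HttpOnly; SameSite=Lax; Path=/\r\n\r\n<html>")
WEAK = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n"
        "X-Frame-Options: SAMEORIGIN\r\nSet-Cookie: sessionid=xyz; Path=/\r\n\r\n")

if __name__ == "__main__":
    print("good:", failed_controls(GOOD))  # []
    print("weak:", failed_controls(WEAK))
```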
Logging & monitoring
- SIEM: {{PLACEHOLDER:siem_provider}}
- Log retention: {{PLACEHOLDER:log_retention_period}}
- Access controls: application logs record authentication events, share link creation, sign-off approvals/declines and permission changes. Admin-only access to raw logs.
- Tamper protection: {{PLACEHOLDER:log_tamper_protection}}
- Uptime monitoring: health-check endpoint with external uptime monitoring.
Backups & disaster recovery
- Backups: automated daily database backups via Supabase. Backups encrypted by provider.
- RTO: {{PLACEHOLDER:rto}}
- RPO: {{PLACEHOLDER:rpo}}
- DR test cadence: {{PLACEHOLDER:dr_test_cadence}}
- Restoration: access to backups restricted to admin. Backups are not used for routine account restoration.
Secure development & supply chain
Secure SDLC
- Threat modelling: performed for new features and reviewed at major releases.
- SAST: static analysis integrated into CI. Code reviewed before merge.
- DAST: {{PLACEHOLDER:dast_tooling}}
- Dependency scanning: Dependabot and pip-audit in CI pipeline. Pinned dependencies via pip-tools.
- CI/CD hardening: secrets stored in environment variables, never in code. DEBUG mode disabled in production. Separate databases for dev/staging with no real user data.
Subprocessors
A current list of subprocessors is available at
{{PLACEHOLDER:subprocessors_list_url}}.
Key providers include Supabase (database & hosting), Stripe (payments), and Google Analytics (product analytics).
Incident response
IR plan summary
{{PLACEHOLDER:ir_plan_summary}}
Our response follows five phases: containment, assessment,
notification, eradication & recovery, and post-incident review.
Detailed audit logs assist scope determination. Systems may be taken offline to prevent further intrusion if required.
Notification timeline
{{PLACEHOLDER:notification_timeline}}
Under the Notifiable Data Breaches scheme (Privacy Act 1988), we notify affected users and the
Office of the Australian Information Commissioner (OAIC) when required.
Post-incident reporting
After resolution, we conduct a post-incident review to identify root cause and update security
controls. Affected customers receive a written summary of findings and remediation steps.
IR contact
{{PLACEHOLDER:ir_contact}}
Assurance & evidence
Available under NDA
- SOC 2 Type II report
- Penetration test executive summary
- Business continuity and disaster recovery plan
- Data processing agreement (DPA)
- Subprocessor list with data-flow diagrams
To request these materials, please submit an NDA request at
{{PLACEHOLDER:nda_request_url}}
or contact us via the audit materials button above.
Regulatory
Thothly aligns with the Privacy Act 1988 (Cth) and the
Australian Privacy Principles. We map controls to APP requirements and ensure
data handling meets AHPRA/PsyBA guidance on electronic record-keeping.
Full regulatory mapping is available at
/regulatory/.
For regulatory enquiries, contact
{{PLACEHOLDER:regulatory_contact_email}}.
Red flags & mitigations
Common vendor security red flags and how Thothly addresses each one.
| Red flag | Thothly mitigation |
| --- | --- |
| No encryption at rest | Database volumes encrypted by cloud provider. Passwords hashed with PBKDF2. Uploaded files in private buckets with signed URLs. {{PLACEHOLDER:rf_encryption_details}} |
| No MFA support | TOTP-based MFA with backup codes available for all accounts. {{PLACEHOLDER:rf_mfa_details}} |
| Data hosted outside jurisdiction | Primary database and infrastructure hosted in Australia via Supabase's Australian region. {{PLACEHOLDER:rf_data_residency_details}} |
| No penetration testing | Regular penetration tests performed. Executive summary available under NDA. {{PLACEHOLDER:rf_pentest_details}} |
| No incident response plan | Documented IR plan with five-phase response. Aligns with Notifiable Data Breaches scheme. {{PLACEHOLDER:rf_ir_details}} |
| No vulnerability disclosure process | Dedicated security contact, responsible disclosure policy, and safe harbour statement for researchers. {{PLACEHOLDER:rf_disclosure_details}} |
| Outdated dependencies | Pinned dependencies, Dependabot alerts, pip-audit in CI. Critical CVEs triaged within 24 hours. {{PLACEHOLDER:rf_dependency_details}} |
| No data export or portability | CSV exports for all users. PDF exports for paid users. XLSX exports on Enterprise plans. Full account deletion available. |
Last updated: 7 March 2026