Security at Thothly

Thothly is built on Django and hosted in Australia using Supabase PostgreSQL. We enforce HTTPS everywhere, hash passwords with PBKDF2, offer TOTP-based two-factor authentication, and follow Australian Privacy Principles to keep your professional development data safe.

Request audit materials {{PLACEHOLDER:audit_request_url}}

Security highlights

Certifications

Claimed — evidence required
{{PLACEHOLDER:certs_summary}}

Penetration testing

Last test: {{PLACEHOLDER:pentest_highlight_date}}. No critical findings open.

Encryption

All traffic over HTTPS with HSTS enforced. Data encrypted at rest by cloud provider. Passwords hashed with PBKDF2 + salt.

Authentication

TOTP-based MFA available for all users. Rate-limited login with temporary lockouts. Signed session cookies with Secure, HttpOnly, SameSite flags.

Contact and vulnerability disclosure

Security contact

Report security issues to {{PLACEHOLDER:security_email}}. Please do not use public issue trackers for security reports.

PGP / GPG key

For encrypted communications, use our PGP key:

{{PLACEHOLDER:pgp_key_block_or_url}}

Vulnerability disclosure policy

Read the full policy at {{PLACEHOLDER:vd_policy_url}}.

{{PLACEHOLDER:vd_policy_summary}}

Bug bounty

{{PLACEHOLDER:bug_bounty_program_url_or_none}}

Safe harbour

We consider security research conducted in good faith to be authorised and will not pursue legal action against researchers who follow our disclosure policy. We ask that you make a good-faith effort to avoid privacy violations, data destruction, and service disruption during your research. We will work with you to understand and resolve issues quickly.

Certifications & audits

SOC 2 Type II
  • Status: Claimed — evidence required {{PLACEHOLDER:soc2_status_and_link}}
  • Auditor: {{PLACEHOLDER:soc2_auditor}}
  • Scope: {{PLACEHOLDER:soc2_scope}}
  • Date: {{PLACEHOLDER:soc2_date}}

ISO 27001
  • Status: Claimed — evidence required {{PLACEHOLDER:iso27001_status_and_link}}
  • Auditor: {{PLACEHOLDER:iso27001_auditor}}
  • Scope: {{PLACEHOLDER:iso27001_scope}}
  • Date: {{PLACEHOLDER:iso27001_date}}

Requesting full reports

Customers and prospective customers can request full audit reports under NDA. {{PLACEHOLDER:audit_report_request_process}}

Penetration testing & vulnerability management

Latest penetration test

Date: {{PLACEHOLDER:pentest_date}}
Scope: {{PLACEHOLDER:pentest_scope}}

Executive summary

{{PLACEHOLDER:pentest_exec_summary}}

Remediation SLA

{{PLACEHOLDER:pentest_remediation_sla}}

Dependency & CVE policy

Dependencies are pinned and managed with pip-tools. Automated alerts via Dependabot and pip-audit flag known vulnerabilities. Critical CVEs are triaged within 24 hours.

Technical controls

Encryption & transport

  • HTTPS / HSTS: enforced on all connections. HSTS header includes max-age and includeSubDomains.
  • TLS versions: {{PLACEHOLDER:tls_versions_supported}}
  • Encryption at rest: database volumes encrypted by cloud provider. Algorithms: {{PLACEHOLDER:encryption_at_rest_algorithms}}
  • Key management: {{PLACEHOLDER:key_management_provider_and_rotation_policy}}
  • Customer-managed keys: {{PLACEHOLDER:cust_kms_option}}
  • Passwords: hashed with PBKDF2 + per-user salt. Never stored in plaintext.
  • Uploaded files: stored in private buckets and served via signed, time-limited URLs.
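As an added illustration of the "PBKDF2 + per-user salt" control above (example code written for this page, not Thothly's code; Django's own hasher lives in django.contrib.auth.hashers and its default iteration count depends on the framework release), the following Python produces a salted PBKDF2-SHA256 hash in Django's algorithm$iterations$salt$hash encoding, verifies a candidate password in constant time, and flags stored hashes whose iteration count has fallen behind policy. The iteration count of 600,000 is an assumed policy value.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed policy values for this example; the real hasher and iteration
# count are set by the Django release in use.
ALGORITHM = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[str] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<base64 digest>'.

    When no salt is supplied a fresh random one is generated, so two users
    who choose the same password get different stored values.
    """
    if salt is None:
        salt = secrets.token_urlsafe(16)          # per-user random salt
    if not salt or "$" in salt:
        raise ValueError("salt must be non-empty and must not contain '$'")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    encoded = base64.b64encode(digest).decode("ascii")
    return f"{ALGORITHM}${iterations}${salt}${encoded}"


def verify_password(password: str, encoded: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time; malformed stored values never verify."""
    parts = encoded.split("$", 3)
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[2]:
        return False
    try:
        iterations = int(parts[1])
    except ValueError:
        return False
    if iterations < 1:
        return False
    candidate = hash_password(password, salt=parts[2], iterations=iterations)
    return hmac.compare_digest(candidate, encoded)


def needs_rehash(encoded: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a stored hash uses fewer iterations than current policy,
    so it can be upgraded on the user's next successful login."""
    parts = encoded.split("$", 3)
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < min_iterations
    except ValueError:
        return True
```

The salt is stored alongside the hash rather than kept secret: its job is to make precomputed tables useless and to keep identical passwords from producing identical hashes, while the iteration count is what makes each guess expensive.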

Authentication & authorisation

  • SSO: {{PLACEHOLDER:sso_saml_oidc_guide_link}}
  • MFA: TOTP-based two-factor authentication is available for all accounts. Backup codes provided at enrolment.
  • RBAC: role-based access control with object-level permission checks. Supervisees control visibility to linked supervisors. Supervisors have read-only access by default.
  • Session TTL: {{PLACEHOLDER:session_ttl}}
  • Login protection: rate-limited with temporary account/IP lockouts after repeated failures (django-axes). CSRF protection enabled on all forms.
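The rate-limited login with temporary lockouts above is the pattern django-axes implements. What follows is an added, self-contained Python model of that pattern (not django-axes and not Thothly's code): it counts failures per username/IP pair, locks the pair out for a cool-off period, and refuses even a correct password while the lock is in force. The limit of 5 failures, the 15 minute cool-off and the injectable clock are assumptions made for this example.

```python
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

Key = Tuple[str, str]   # (normalised username, client IP)


@dataclass
class LoginThrottle:
    """In-memory failure counter with temporary lockout per username/IP pair.

    The limits are assumed values for this example; a real deployment keeps
    this state in a shared store so every application server sees it.
    """
    failure_limit: int = 5                        # failures tolerated before lockout
    cooloff_seconds: float = 900.0                # 15 minute lockout
    clock: Callable[[], float] = time.monotonic   # injectable for testing
    _failures: Dict[Key, int] = field(default_factory=lambda: defaultdict(int))
    _locked_until: Dict[Key, float] = field(default_factory=dict)

    @staticmethod
    def _key(username: str, ip: str) -> Key:
        return (username.strip().lower(), ip)

    def is_locked(self, username: str, ip: str) -> bool:
        key = self._key(username, ip)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            # cool-off elapsed: clear the history so the pair starts fresh
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, username: str, ip: str) -> bool:
        """Count a failed attempt; return True if it triggered a lockout."""
        key = self._key(username, ip)
        self._failures[key] += 1
        if self._failures[key] >= self.failure_limit:
            self._locked_until[key] = self.clock() + self.cooloff_seconds
            return True
        return False

    def record_success(self, username: str, ip: str) -> None:
        key = self._key(username, ip)
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(throttle: LoginThrottle,
                  check_password: Callable[[str, str], bool],
                  username: str, password: str, ip: str) -> str:
    """Return 'locked', 'ok' or 'failed'.

    The lockout check runs before the credential check, so a locked pair is
    refused even with the right password and no password work is done for it.
    """
    if throttle.is_locked(username, ip):
        return "locked"
    if check_password(username, password):
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip)
    return "failed"
```

Keying on the username/IP pair, rather than on the username alone, means an attacker guessing at one account from one address is stopped without locking the legitimate user out from elsewhere; the lockout events themselves are the ones worth forwarding to the authentication log described under Logging & monitoring.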

API & application hardening

  • API auth: {{PLACEHOLDER:api_auth_scheme}}
  • Rate limiting: {{PLACEHOLDER:api_rate_limits}}
  • Security headers: Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy headers configured via Django middleware.
  • WAF / DDoS: {{PLACEHOLDER:waf_ddos_provider}}
  • Input validation: database access goes through the Django ORM, which parameterises queries and prevents SQL injection. All user input is validated through Django forms. Template auto-escaping prevents XSS. File uploads are restricted by type and size.
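The HSTS, cookie-flag and security-header controls listed in this section and under Encryption & transport correspond to specific Django settings. The following Python is an added example (not Thothly's settings file): a constructed weak settings dict beside a hardened one, a checker modelled on the deployment checks that manage.py check --deploy performs, and a simplified model of the response headers SecurityMiddleware and XFrameOptionsMiddleware emit for those settings. The setting and middleware names are Django's; the chosen values (one-year HSTS, SameSite=Lax, DENY framing) are assumptions. Content-Security-Policy is left out because it is configured separately from these SECURE_* settings.

```python
from typing import Any, Dict, List

SECURITY_MW = "django.middleware.security.SecurityMiddleware"
CSRF_MW = "django.middleware.csrf.CsrfViewMiddleware"
XFRAME_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"

# Constructed settings in the shape of a Django settings module: the weak
# profile is a typical out-of-the-box development configuration.
WEAK_SETTINGS: Dict[str, Any] = {
    "DEBUG": True,
    "SECURE_SSL_REDIRECT": False,
    "SECURE_HSTS_SECONDS": 0,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": False,
    "SESSION_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": None,
    "CSRF_COOKIE_SECURE": False,
    "SECURE_CONTENT_TYPE_NOSNIFF": False,
    "SECURE_REFERRER_POLICY": None,
    "X_FRAME_OPTIONS": "SAMEORIGIN",
    "MIDDLEWARE": ["django.middleware.common.CommonMiddleware"],
}

HARDENED_SETTINGS: Dict[str, Any] = {
    "DEBUG": False,
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": 31_536_000,        # one year (assumed policy)
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": "Lax",
    "CSRF_COOKIE_SECURE": True,
    "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "SECURE_REFERRER_POLICY": "same-origin",
    "X_FRAME_OPTIONS": "DENY",
    "MIDDLEWARE": [SECURITY_MW, CSRF_MW, XFRAME_MW,
                   "django.middleware.common.CommonMiddleware"],
}


def audit_settings(settings: Dict[str, Any]) -> List[str]:
    """Return findings for each control on this page the settings fail to meet
    (an empty list means the profile passes)."""
    findings: List[str] = []
    mw = settings.get("MIDDLEWARE", [])
    if settings.get("DEBUG"):
        findings.append("DEBUG is enabled: tracebacks and settings are shown to users")
    if SECURITY_MW not in mw:
        findings.append("SecurityMiddleware missing: HSTS and SECURE_* headers are never sent")
    if CSRF_MW not in mw:
        findings.append("CsrfViewMiddleware missing: forms are not CSRF-protected")
    if XFRAME_MW not in mw:
        findings.append("XFrameOptionsMiddleware missing: no X-Frame-Options header")
    if not settings.get("SECURE_SSL_REDIRECT"):
        findings.append("SECURE_SSL_REDIRECT is off: plain HTTP requests are served")
    if settings.get("SECURE_HSTS_SECONDS", 0) < 31_536_000:
        findings.append("SECURE_HSTS_SECONDS is below one year")
    if not settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS"):
        findings.append("HSTS does not include subdomains")
    for flag in ("SESSION_COOKIE_SECURE", "SESSION_COOKIE_HTTPONLY", "CSRF_COOKIE_SECURE"):
        if not settings.get(flag):
            findings.append(f"{flag} is off")
    if settings.get("SESSION_COOKIE_SAMESITE") not in ("Lax", "Strict"):
        findings.append("SESSION_COOKIE_SAMESITE is not Lax or Strict")
    if not settings.get("SECURE_CONTENT_TYPE_NOSNIFF"):
        findings.append("SECURE_CONTENT_TYPE_NOSNIFF is off")
    if not settings.get("SECURE_REFERRER_POLICY"):
        findings.append("SECURE_REFERRER_POLICY is unset")
    return findings


def security_headers(settings: Dict[str, Any]) -> Dict[str, str]:
    """Simplified model of the headers the two middlewares add for a response."""
    headers: Dict[str, str] = {}
    mw = settings.get("MIDDLEWARE", [])
    if SECURITY_MW in mw:
        hsts = settings.get("SECURE_HSTS_SECONDS", 0)
        if hsts > 0:
            value = f"max-age={hsts}"
            if settings.get("SECURE_HSTS_INCLUDE_SUBDOMAINS"):
                value += "; includeSubDomains"
            if settings.get("SECURE_HSTS_PRELOAD"):
                value += "; preload"
            headers["Strict-Transport-Security"] = value
        if settings.get("SECURE_CONTENT_TYPE_NOSNIFF"):
            headers["X-Content-Type-Options"] = "nosniff"
        if settings.get("SECURE_REFERRER_POLICY"):
            headers["Referrer-Policy"] = settings["SECURE_REFERRER_POLICY"]
    if XFRAME_MW in mw and settings.get("X_FRAME_OPTIONS"):
        headers["X-Frame-Options"] = settings["X_FRAME_OPTIONS"]
    return headers
```

Running the checker against the weak profile returns a finding for every control this page lists; the hardened profile returns none and yields a Strict-Transport-Security header with both max-age and includeSubDomains, matching the HSTS statement under Encryption & transport. The one thing to keep in mind is that SecurityMiddleware has to be installed for any of the SECURE_* settings to take effect.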

Logging & monitoring

  • SIEM: {{PLACEHOLDER:siem_provider}}
  • Log retention: {{PLACEHOLDER:log_retention_period}}
  • Access controls: application logs record authentication events, share link creation, sign-off approvals/declines and permission changes. Admin-only access to raw logs.
  • Tamper protection: {{PLACEHOLDER:log_tamper_protection}}
  • Uptime monitoring: health-check endpoint with external uptime monitoring.

Backups & disaster recovery

  • Backups: automated daily database backups via Supabase. Backups encrypted by provider.
  • RTO: {{PLACEHOLDER:rto}}
  • RPO: {{PLACEHOLDER:rpo}}
  • DR test cadence: {{PLACEHOLDER:dr_test_cadence}}
  • Restoration: access to backups restricted to admin. Backups are not used for routine account restoration.

Secure development & supply chain

Secure SDLC

  • Threat modelling: performed for new features and reviewed at major releases.
  • SAST: static analysis integrated into CI. Code reviewed before merge.
  • DAST: {{PLACEHOLDER:dast_tooling}}
  • Dependency scanning: Dependabot and pip-audit in CI pipeline. Pinned dependencies via pip-tools.
  • CI/CD hardening: secrets stored in environment variables, never in code. DEBUG mode disabled in production. Separate databases for dev/staging with no real user data.

Subprocessors

A current list of subprocessors is available at {{PLACEHOLDER:subprocessors_list_url}}. Key providers include Supabase (database & hosting), Stripe (payments), and Google Analytics (product analytics).

Incident response

IR plan summary

{{PLACEHOLDER:ir_plan_summary}}

Our response follows five phases: containment, assessment, notification, eradication & recovery, and post-incident review. Detailed audit logs support determining the scope of an incident. Systems may be taken offline to prevent further intrusion if required.

Notification timeline

{{PLACEHOLDER:notification_timeline}} Under the Notifiable Data Breaches scheme (Privacy Act 1988), we notify affected users and the Office of the Australian Information Commissioner (OAIC) when required.

Post-incident reporting

After resolution, we conduct a post-incident review to identify root cause and update security controls. Affected customers receive a written summary of findings and remediation steps.

IR contact

{{PLACEHOLDER:ir_contact}}

Assurance & evidence

Available under NDA

  • SOC 2 Type II report
  • Penetration test executive summary
  • Business continuity and disaster recovery plan
  • Data processing agreement (DPA)
  • Subprocessor list with data-flow diagrams

To request these materials, please submit an NDA request at {{PLACEHOLDER:nda_request_url}} or contact us via the audit materials button above.

Regulatory

Thothly aligns with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. We map controls to APP requirements and ensure data handling meets AHPRA/PsyBA guidance on electronic record-keeping.

Full regulatory mapping is available at /regulatory/. For regulatory enquiries, contact {{PLACEHOLDER:regulatory_contact_email}}.

Red flags & mitigations

Common vendor security red flags and how Thothly addresses each one.

  • No encryption at rest: database volumes encrypted by cloud provider. Passwords hashed with PBKDF2. Uploaded files in private buckets with signed URLs. {{PLACEHOLDER:rf_encryption_details}}
  • No MFA support: TOTP-based MFA with backup codes available for all accounts. {{PLACEHOLDER:rf_mfa_details}}
  • Data hosted outside jurisdiction: primary database and infrastructure hosted in Australia via Supabase's Australian region. {{PLACEHOLDER:rf_data_residency_details}}
  • No penetration testing: regular penetration tests performed. Executive summary available under NDA. {{PLACEHOLDER:rf_pentest_details}}
  • No incident response plan: documented IR plan with five-phase response. Aligns with Notifiable Data Breaches scheme. {{PLACEHOLDER:rf_ir_details}}
  • No vulnerability disclosure process: dedicated security contact, responsible disclosure policy, and safe harbour statement for researchers. {{PLACEHOLDER:rf_disclosure_details}}
  • Outdated dependencies: pinned dependencies, Dependabot alerts, pip-audit in CI. Critical CVEs triaged within 24 hours. {{PLACEHOLDER:rf_dependency_details}}
  • No data export or portability: CSV exports for all users. PDF exports for paid users. XLSX exports on Enterprise plans. Full account deletion available.

Last updated: 7 March 2026