For security teams
Security
Built with devs and SREs who upload sensitive data in mind. Here, on a single page, is what we do to protect your dumps and account data — and what is still on the roadmap.
This page exists to answer, in a few questions, whether you can approve using ThreadMine on your team. Each section describes a control that is already live or an item explicitly on the roadmap. We do not use aspirational language as if it were a finished control; when something is not implemented, it says so.
If an answer about a specific control is missing, write to security@threadmine.dev — we reply with the technical detail you need.
1. Security posture overview
ThreadMine is a multi-tenant SaaS for analyzing JVM thread dumps. The attack surface we care about most: (a) the content of the dumps (which may contain snippets of internal classes and sensitive stack traces), (b) access credentials, (c) AI provider API keys. The controls below cover these three categories.
- Transport: TLS 1.3 required, HSTS enabled, HTTP redirected to HTTPS.
- At rest: bcrypt hashing for passwords and AES-256-GCM for sensitive column secrets (API keys, AI config).
- Access: short-lived JWT + refresh in an httpOnly cookie, RBAC per workspace.
- Auditing: changes to sensitive entities recorded in
log_alteracaowith automatic masking of secret fields. - AI: an explicit no-training policy with Anthropic and Google; the admin can disable AI entirely.
2. Encryption in transit
TLS 1.3 required
HSTS enabled in production
Strict-Transport-Security header with a max-age of 1 year and includeSubDomains. Browsers refuse to fall back to HTTP after the first visit.HTTP to HTTPS redirect
3. Encryption at rest
Data is protected in layers, with specific algorithms per type of secret:
- User passwords: BCrypt hash with 10 rounds. We never store the password in clear text nor log passwords at any stage.
- Internal API keys (workspace): encrypted with AES-256-GCM via
CifraUtil, using a key managed separately from the database credentials. - LLM provider API keys: the
apiKeyCifradafield of theConfigLlmentity is encrypted with AES-GCM. Only the AI service decrypts it in memory at call time. - Database: Postgres on a managed volume. Disk-level encryption and column-level TDE are on the roadmap for the Enterprise plan.
- Dump storage: during the beta, temporary dumps live in storage managed by FELIPE MASCHIO TECHNOLOGY LTDA (a dedicated volume). SSE-S3/SSE-KMS with a customer-managed key are on the roadmap for the Enterprise plan.
4. Retention policy
Raw dumps are temporary
Dump TTL
Automated cleanup job
5. AI policy — dumps never become a dataset
We do not use your dumps to train our models. Nor do we hand them to third parties for that. We do not train a model of our own. The subprocessors that run inference have a contractual no-training policy:
- Anthropic (Claude): default policy of not using API inputs for model training.
- Google (Gemini API): default policy of not using paid API inputs for model training.
Should one of the providers change this policy, we will stop offering it as an option in the panel and migrate to an equivalent alternative. The workspace admin can completely disable AI analysis — in that mode no data is sent to any LLM provider. Details in the AI Policy.
6. Full audit log
Changes to sensitive entities
Workspace, MembroWorkspace, ConviteWorkspace, ApiKey, Usuario and ConfigLlm are recorded in log_alteracao with author, timestamp and diff.Automatic masking of secrets
passwordHash, apiKey, secret, token — appear in the snapshot as "***". The real content is never written to the log.Queryable panel for admins
/admin/auditoria with filters by entity, author and period. Audit log retention is unlimited by default for compliance.7. Authentication and access control
Short-lived JWT + refresh in httpOnly cookie
MFA via TOTP (roadmap)
RBAC per workspace
workspaceId filter in the query.Global rate limiting
Mandatory email verification
8. LGPD — data subject rights
The LGPD (Art. 18) grants you, as the data subject, the rights below. All are actionable self-service at /app/perfil/dados or by emailing the DPO:
- Access: download a full copy of your data in JSON.
- Correction: edit your name, email and other fields from your own profile.
- Portability: export in the open JSON format to migrate to another provider.
- Deletion: delete your account and associated data; we remove it within 30 days, except for records we are legally required to keep.
FELIPE MASCHIO TECHNOLOGY LTDA's DPO: dpo@threadmine.dev.
Cookie policy: we use essential cookies (authentication and interface preferences) and Google Analytics 4 (GA4) for usage metrics and campaign measurement. No GTM and no third-party marketing pixels beyond our own measurement. Full details in the Privacy Policy.
9. Report a vulnerability
Found something? Send an email
Bug bounty in planning
10. Compliance roadmap
SOC 2 Type II
GDPR — DPA on request
HIPAA-ready
11. More questions?
For questions about AI and dump handling, see the AI Policy.
For questions about personal data, see the Privacy Policy.
Anything else: security@threadmine.dev.