Usamos cookies essenciais para login e armazenamento local para suas preferências. Para métricas de uso, usamos o Google Analytics 4 — você pode recusar sem perder nada do produto. Saber mais

ThreadMineThreadMine
Back
This is a courtesy translation. The Portuguese version prevails in case of any discrepancy.

For security teams

Security

Built with devs and SREs who upload sensitive data in mind. Here, on a single page, is what we do to protect your dumps and account data — and what is still on the roadmap.

This page exists to answer, in a few questions, whether you can approve using ThreadMine on your team. Each section describes a control that is already live or an item explicitly on the roadmap. We do not use aspirational language as if it were a finished control; when something is not implemented, it says so.

If an answer about a specific control is missing, write to security@threadmine.dev — we reply with the technical detail you need.

1. Security posture overview

ThreadMine is a multi-tenant SaaS for analyzing JVM thread dumps. The attack surface we care about most: (a) the content of the dumps (which may contain snippets of internal classes and sensitive stack traces), (b) access credentials, (c) AI provider API keys. The controls below cover these three categories.

  • Transport: TLS 1.3 required, HSTS enabled, HTTP redirected to HTTPS.
  • At rest: bcrypt hashing for passwords and AES-256-GCM for sensitive column secrets (API keys, AI config).
  • Access: short-lived JWT + refresh in an httpOnly cookie, RBAC per workspace.
  • Auditing: changes to sensitive entities recorded in log_alteracao with automatic masking of secret fields.
  • AI: an explicit no-training policy with Anthropic and Google; the admin can disable AI entirely.

2. Encryption in transit

TLS 1.3 required

All public traffic (website and API) uses TLS 1.3 with Let's Encrypt certificates renewed automatically. Earlier TLS versions are disabled at the origin.

HSTS enabled in production

We serve the Strict-Transport-Security header with a max-age of 1 year and includeSubDomains. Browsers refuse to fall back to HTTP after the first visit.

HTTP to HTTPS redirect

Any request arriving on port 80 is redirected with a 301 to HTTPS before it reaches the application.

3. Encryption at rest

Data is protected in layers, with specific algorithms per type of secret:

  • User passwords: BCrypt hash with 10 rounds. We never store the password in clear text nor log passwords at any stage.
  • Internal API keys (workspace): encrypted with AES-256-GCM via CifraUtil, using a key managed separately from the database credentials.
  • LLM provider API keys: the apiKeyCifrada field of the ConfigLlm entity is encrypted with AES-GCM. Only the AI service decrypts it in memory at call time.
  • Database: Postgres on a managed volume. Disk-level encryption and column-level TDE are on the roadmap for the Enterprise plan.
  • Dump storage: during the beta, temporary dumps live in storage managed by FELIPE MASCHIO TECHNOLOGY LTDA (a dedicated volume). SSE-S3/SSE-KMS with a customer-managed key are on the roadmap for the Enterprise plan.

4. Retention policy

Raw dumps are temporary

The raw content of the thread dump you upload is deleted after processing by default. We keep only the analysis result (metadata and detected problems), never the original stack trace beyond the TTL.

Dump TTL

Today, during the beta, raw dumps expire in 7 days on all plans. Extended retention per plan (Pro, Team, Enterprise) and a per-workspace configurable TTL are on the roadmap.

Automated cleanup job

A daily job removes expired dumps (delivered in S1.5). Removal is a hard delete: we keep no logical copy nor soft-delete of the raw files after the TTL.

5. AI policy — dumps never become a dataset

We do not use your dumps to train our models. Nor do we hand them to third parties for that. We do not train a model of our own. The subprocessors that run inference have a contractual no-training policy:

  • Anthropic (Claude): default policy of not using API inputs for model training.
  • Google (Gemini API): default policy of not using paid API inputs for model training.

Should one of the providers change this policy, we will stop offering it as an option in the panel and migrate to an equivalent alternative. The workspace admin can completely disable AI analysis — in that mode no data is sent to any LLM provider. Details in the AI Policy.

6. Full audit log

Changes to sensitive entities

Changes to Workspace, MembroWorkspace, ConviteWorkspace, ApiKey, Usuario and ConfigLlm are recorded in log_alteracao with author, timestamp and diff.

Automatic masking of secrets

Sensitive fields — passwordHash, apiKey, secret, token — appear in the snapshot as "***". The real content is never written to the log.

Queryable panel for admins

The log is accessible at /admin/auditoria with filters by entity, author and period. Audit log retention is unlimited by default for compliance.

7. Authentication and access control

Short-lived JWT + refresh in httpOnly cookie

JWT access token valid for 15 minutes. Refresh token stored in a Secure httpOnly cookie valid for 30 days. The frontend never accesses the refresh token via JavaScript — protection against XSS.

MFA via TOTP (roadmap)

A second factor via TOTP (compatible with Google Authenticator, Authy, 1Password and any RFC 6238 authenticator) is on the roadmap — not yet available in the beta.

RBAC per workspace

Four roles per workspace: Admin, Maintainer, Analyst and Viewer. Every backend endpoint validates the role before touching the repository. Workspace-scoped resources have a mandatory workspaceId filter in the query.

Global rate limiting

Sensitive endpoints (login, sign-up, password reset, upload) have a global rate limit applied via Redis (delivered in S1.12). Limits are configurable per endpoint in production.

Mandatory email verification

A newly created account cannot log in without confirming the email (delivered in S2.5). The link expires in 24h. This blocks accounts farmed with disposable email to abuse the limits.

8. LGPD — data subject rights

The LGPD (Art. 18) grants you, as the data subject, the rights below. All are actionable self-service at /app/perfil/dados or by emailing the DPO:

  • Access: download a full copy of your data in JSON.
  • Correction: edit your name, email and other fields from your own profile.
  • Portability: export in the open JSON format to migrate to another provider.
  • Deletion: delete your account and associated data; we remove it within 30 days, except for records we are legally required to keep.

FELIPE MASCHIO TECHNOLOGY LTDA's DPO: dpo@threadmine.dev.

Cookie policy: we use essential cookies (authentication and interface preferences) and Google Analytics 4 (GA4) for usage metrics and campaign measurement. No GTM and no third-party marketing pixels beyond our own measurement. Full details in the Privacy Policy.

9. Report a vulnerability

Found something? Send an email

Report vulnerabilities to security@threadmine.dev. We respond within 2 business days with a remediation plan. We ask for responsible coordinated disclosure — a 90-day window before publication.

Bug bounty in planning

A formal bug bounty program (HackerOne or similar) is on the roadmap after GO LIVE. Until then, we publicly credit reporters in the changelog with their consent.

10. Compliance roadmap

SOC 2 Type II

In planning for Q4 2026. A pre-phase audit has already started to map controls and gaps. Trust Services Criteria in focus: Security and Confidentiality.

GDPR — DPA on request

For customers in the EU: a DPA (Data Processing Agreement) is available on request at legal@threadmine.dev. Subprocessors are listed in the Privacy Policy.

HIPAA-ready

We are assessing demand from healthcare customers. No BAA is available today. If you have a specific need, write to legal@threadmine.dev.

11. More questions?

For questions about AI and dump handling, see the AI Policy.

For questions about personal data, see the Privacy Policy.

Anything else: security@threadmine.dev.

Last updated: May 20, 2026