Trust Center
Throughline · security & privacy posture
Last updated: 2026-05-05. This page summarises Throughline's security and privacy practices for procurement and security review. The deeper structural privacy document covers data flows + retention in detail. The same source content lives in the repo at docs/soc2/trust-center.md for vendor questionnaires.
Posture summary
- Data residency: primary database (Neon Postgres) in US-East by default; on-prem Docker Compose available for customers requiring self-hosted (Phase 11.5).
- Encryption in transit: TLS 1.3 only; HSTS preloaded; all internal service-to-service calls go through TLS-terminated endpoints.
- Encryption at rest: AES-256-GCM via envelope (KEK→DEK) for OAuth tokens, SSO client secrets, verification private keys. Database disks encrypted at the cloud provider layer.
- Access controls: three-role teamspaces (owner / admin / member). SSO via OIDC (enterprise tier). Per-integration API keys + revocation. Operator magic-link auth.
- Compliance: SOC-2 Type 1 in progress (Vanta-managed). GDPR data-subject endpoints (export + delete) live since Phase 7.5.
Subprocessors
Throughline uses the following subprocessors to deliver the service. Customers can subscribe to subprocessor-change updates via the security@throughline.dev mailing list (30-day notice for material additions).
| Vendor | Purpose | Region | Data exposed |
|---|---|---|---|
| Vercel | API + admin web hosting | US (multi-region edge) | Application traffic; no app-data at rest |
| Neon | Postgres database (commitments, audit, members) | US-East (configurable) | All app data at rest, encrypted |
| Inngest | Durable workflow orchestration | US | Job arguments and intermediate state |
| Vercel AI Gateway | LLM gateway for noop-gate, classifier, injection-defense | US-East | Capture intent text + integrator rules at inference time |
| Anthropic | Underlying LLM (Claude via AI Gateway) | US | Same as above |
| Resend | Outbound email delivery | US | Recipient email + message body |
| Telnyx | Outbound SMS delivery | US/UK | Recipient phone + message body |
| Twilio | WhatsApp Business API delivery | US | Recipient phone + message body |
| Vapi | Outbound voice (only on enterprise + verified) | US | Recipient phone + call transcript |
| Firebase Cloud Messaging | Mobile push notifications | US | Device tokens + push payload |
| Slack | Slack DM channel (when integrator opts in) | Customer Slack workspace region | Recipient Slack ID + message body |
| Microsoft Teams | Teams DM channel (when integrator opts in) | Customer M365 region | Recipient Teams ID + message body |
| Google | Calendar OAuth + push notifications (Phase 5) | US/EU per Google policy | Calendar event metadata; OAuth tokens encrypted at rest |
Data retention
Audit retention defaults to 7 years (most enterprise contracts require it). Each teamspace can configure this down to 90 days for GDPR-strict workloads; values below 90 days are rejected at write time. Retention for other data classes is per the table below.
| Artefact | Default retention | Configurable |
|---|---|---|
| Audit log events | 7 years (2555 days) | Down to 90 days per teamspace |
| OAuth tokens (Google Calendar, etc.) | Until user revokes | Auto-purged on user deletion |
| Commitments + campaigns | 1 year past close | GDPR purge endpoint clears earlier |
| Touch / channel delivery records | Same as parent campaign | Inherits |
| LLM inference logs | 0 days at Throughline | Vercel AI Gateway settings on customer account |
Encryption
- OAuth tokens (Google Calendar, future integrations) — AES-256-GCM with per-row DEKs wrapped under a master KEK. The KEK is sourced from `THROUGHLINE_TOKEN_ENCRYPTION_KEY` (32-byte base64), held only in the application's runtime secret store. Wire format is `v1:<iv>:<ct||tag>`; the `v1` version prefix allows future algorithm rotation.
- SSO client secrets — same envelope. The secret is decrypted only at the OIDC token-exchange call site; it never appears in logs, API responses, or audit payloads.
- Verification private keys — same envelope. Phase 7.1 migration moved these out of the integration config JSON blob and into a dedicated table.
- Database disks + backups — AES-256 encryption at the Neon platform layer; backups encrypted with the same keys.
Access controls
- Teamspace roles — owner / admin / member. Owner-only actions: SSO config, billing, teamspace deletion, owner-role assignment. The last-owner invariant prevents accidental owner removal (returns 409 LAST_OWNER).
- SSO via OIDC (enterprise tier) — discovery, PKCE, JWS-verified id_tokens, JIT provisioning with domain-allow-list. Owner role is intentionally not delegable to the IdP — promotion happens explicitly.
- Per-integration API keys — Phase 7.0 keys (`tl_live_<prefix>_<secret>`) replace the legacy slug auth. Plaintext shown once; SHA-256 hashed at rest. Revoke is soft (sets `revokedAt`) so audit attribution survives rotation.
- Throughline operator auth — magic-link to a configured operator email, exchanged for a session token (`tl_op_…`). 30-day session TTL. Replaces the legacy shared admin token (still available during the transition window).
Compliance status
- GDPR. Data-subject export + delete endpoints live (Phase 7.5). DPA available on request.
- SOC-2 Type 1. In progress with Vanta-managed controls (decision #13). Target audit window: 2026 H2.
- HIPAA. Not in scope. Throughline does not handle PHI by design; integrators routing health-related commitment text are responsible for keeping PHI out of the `intent` field.
- CCPA/CPRA. The same data-subject endpoints satisfy access and deletion requests for California residents.
Vulnerability disclosure
Security researchers can report vulnerabilities to security@throughline.dev. Our public security.txt lives at /.well-known/security.txt (Phase 7.7). Coordinated disclosure is preferred; please allow 90 days before publishing.