Encryption & secrets
AES-256 at rest, TLS 1.2+ in transit, per-tenant KMS keys, and a separate vault for OAuth tokens and LLM keys.
At rest
All tenant data is encrypted at rest with AES-256-GCM. Each tenant has its own KMS key (AWS KMS or equivalent), so a compromise of one tenant's key exposes only that tenant's data and nothing belonging to any other tenant. Backup snapshots are encrypted with the same per-tenant key.
In transit
Internal and external traffic uses TLS 1.2 or higher with modern cipher suites; older protocol versions are refused. HSTS is enabled on public endpoints. Internal service-to-service calls use mTLS with short-lived certificates that are rotated every 24 hours.
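As an added illustration (not ThorStack's code, and not a description of its internal stack), here is how the in-transit rules above look when enforced with Go's standard library: a listener config for service-to-service traffic that refuses anything below TLS 1.2, requires a client certificate chained to the internal CA, and then rejects any client leaf whose lifetime exceeds the 24-hour rotation policy. The lifetime check matters because a long-lived certificate that still chains correctly means something issued it without going through the short-lived issuer. The 5-minute skew allowance, the function names, and the self-signed test-certificate helper are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxInternalCertLifetime encodes the 24-hour rotation policy for internal
// mTLS certificates plus a small clock-skew allowance. The 5-minute margin is
// this example's assumption, not a ThorStack value.
const MaxInternalCertLifetime = 24*time.Hour + 5*time.Minute

// CheckInternalLeaf rejects a peer certificate that is outside its validity
// window or was issued with a lifetime longer than the rotation policy allows.
// A long-lived cert that still chains to the internal CA is a policy violation
// in its own right: something issued it without going through the 24h issuer.
func CheckInternalLeaf(cert *x509.Certificate, now time.Time) error {
	if cert == nil {
		return errors.New("no peer certificate")
	}
	if life := cert.NotAfter.Sub(cert.NotBefore); life > MaxInternalCertLifetime {
		return fmt.Errorf("certificate lifetime %s exceeds policy maximum %s", life, MaxInternalCertLifetime)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate not valid at %s", now.UTC().Format(time.RFC3339))
	}
	return nil
}

// verifyClientChain runs only after the ClientCAs chain check has already
// passed, so chains[0][0] is the validated client leaf.
func verifyClientChain(_ [][]byte, chains [][]*x509.Certificate) error {
	if len(chains) == 0 || len(chains[0]) == 0 {
		return errors.New("no verified client chain")
	}
	return CheckInternalLeaf(chains[0][0], time.Now())
}

// InternalServerTLS is the server side of a service-to-service listener:
// TLS 1.2 minimum, client certificate required and verified against the
// internal CA, then the lifetime policy applied on top of chain validation.
func InternalServerTLS(internalCA *x509.CertPool, serverCert tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion:            tls.VersionTLS12,
		Certificates:          []tls.Certificate{serverCert},
		ClientAuth:            tls.RequireAndVerifyClientCert,
		ClientCAs:             internalCA,
		VerifyPeerCertificate: verifyClientChain,
	}
}

// NewTestCert mints a self-signed certificate with the given validity window.
// It exists only so the example runs offline; real internal certs come from
// the short-lived issuer, not from the service itself.
func NewTestCert(name string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now().Truncate(time.Second)
	dayCert, _ := NewTestCert("svc-a", now.Add(-time.Minute), 24*time.Hour)
	longCert, _ := NewTestCert("svc-b", now.Add(-time.Minute), 60*24*time.Hour)
	fmt.Println("24h cert:", CheckInternalLeaf(dayCert, now))  // <nil>: accepted
	fmt.Println("60d cert:", CheckInternalLeaf(longCert, now)) // lifetime error
}
```

Note that the lifetime check runs inside `VerifyPeerCertificate`, which Go invokes only after the normal chain validation against `ClientCAs` has succeeded, so a cert that is both long-lived and from the right CA is still refused; the 60-day cadence in the rotation table is fine for public TLS endpoints but would be a finding on an internal mTLS leaf.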
Secrets vault
OAuth tokens, LLM provider keys, and webhook signing secrets live in a separate secrets vault, not in the application database. The vault is HashiCorp Vault (or AWS Secrets Manager, for Sovereign tenants that prefer it). Every read is logged; writes are gated.
Key rotation
| Key | Rotation cadence |
|---|---|
| Per-tenant KMS keys | Auto-rotated annually |
| TLS certificates | Auto-renewed every 60 days |
| Internal mTLS certs | Every 24 hours |
| OAuth tokens | Refreshed per provider's TTL |
| LLM provider keys | Manually rotated by the customer; ThorStack notifies on staleness |
You can rotate your tenant's KMS key on demand from Settings → Security → Encryption. Re-encryption runs online; reads and writes continue while it proceeds.
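The at-rest and key-rotation sections above together describe envelope encryption: per-object data keys under AES-256-GCM, wrapped by a per-tenant KMS key, with on-demand rotation that re-encrypts online. The Go program below is an added example of that pattern, not ThorStack's code. It replaces KMS with an in-memory stand-in key so it runs offline, and the type and function names are this example's own. It demonstrates the two properties the page claims: a record encrypted under tenant A's key yields nothing under tenant B's key (or under a forged tenant label, or after tampering), and rotation only re-wraps the small data key and leaves the bulk ciphertext untouched, which is why re-encryption can be online.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// TenantKEK stands in for one tenant's KMS key. With a real KMS the key bytes
// never leave the HSM; this in-memory struct exists only so the example runs offline.
type TenantKEK struct {
	Tenant  string
	Version int
	Key     []byte // 32 bytes, AES-256
}

// Record is the stored form: the per-object data key wrapped under the tenant
// KEK plus the payload under that data key, both AES-256-GCM, nonce prepended.
type Record struct {
	Tenant     string
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// randBytes draws from the system CSPRNG; failure there is not recoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds AES-GCM for key material this program generated itself.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

func gcmSeal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad) // nonce || ciphertext || tag
}

// gcmOpen fails on any tag mismatch: wrong key, wrong AAD, or tampered bytes.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// Encrypt draws a one-off data key, encrypts the payload under it, and wraps the
// data key under the tenant's KEK. The tenant ID is bound as GCM AAD, so a
// record relabelled as another tenant's fails the tag check.
func Encrypt(kek *TenantKEK, plaintext []byte) *Record {
	dek, aad := randBytes(32), []byte(kek.Tenant)
	return &Record{
		Tenant: kek.Tenant, KEKVersion: kek.Version,
		WrappedDEK: gcmSeal(kek.Key, dek, aad),
		Ciphertext: gcmSeal(dek, plaintext, aad),
	}
}

// Decrypt never produces plaintext under the wrong key: another tenant's KEK,
// or a retired version of the right tenant's KEK, fails to unwrap the data key.
func Decrypt(kek *TenantKEK, r *Record) ([]byte, error) {
	dek, err := gcmOpen(kek.Key, r.WrappedDEK, []byte(r.Tenant))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key for %s/v%d: %w", r.Tenant, r.KEKVersion, err)
	}
	return gcmOpen(dek, r.Ciphertext, []byte(r.Tenant))
}

// Rotate re-wraps the data key under the next KEK version; the bulk ciphertext
// is never rewritten, which is what lets rotation run online.
func Rotate(old, next *TenantKEK, r *Record) error {
	if old.Tenant != next.Tenant || r.Tenant != old.Tenant {
		return fmt.Errorf("rotation must stay within one tenant")
	}
	dek, err := gcmOpen(old.Key, r.WrappedDEK, []byte(old.Tenant))
	if err != nil {
		return fmt.Errorf("unwrap with old KEK: %w", err)
	}
	r.WrappedDEK, r.KEKVersion = gcmSeal(next.Key, dek, []byte(next.Tenant)), next.Version
	return nil
}
```

With a real KMS, the two `gcmSeal`/`gcmOpen` calls on `kek.Key` become encrypt and decrypt requests to the key service naming the tenant's key (for AWS KMS the tenant ID would travel as the encryption context, which plays the AAD role here), and `Rotate` becomes a re-wrap request per record; everything done with the data key and the bulk ciphertext stays as written.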
Backups
Backups run continuously (point-in-time recovery for the database) with a default retention of 35 days. Backups are encrypted with the same per-tenant KMS key, so restoring one needs no key material beyond what already exists. The same design means the tenant key is the single point of loss: if that key is disabled or deleted, every backup encrypted under it becomes unreadable, so treat key deletion as irreversible destruction of the tenant's data and its backups.
Disclosure
Security disclosures go to security@thorstack.com with our PGP key published at /security. We acknowledge within one business day and run a bug-bounty program with severity-tiered rewards.
Next
- Audit logs — every secret read is logged.
- SOC 2 controls — the compliance umbrella.
- Bring your own LLM — where keys are stored.