ThorStack

Security & compliance

Compliance is a feature, not a tax.

ThorStack is SOC 2 Type II certified and aligned with GDPR, UK GDPR, NDPA, and ISO 27001. Every customer gets a dedicated per-tenant deployment — your own database, your own region, your own audit log.

Security

How we protect customer data and platform infrastructure against unauthorized access, misuse, or modification — covered by our SOC 2 Type II report.

Availability

How we keep the platform operational and recoverable. Uptime SLA up to 99.99% on Sovereign, with 24/7 on-call rotations.

Confidentiality

Customer data is isolated per tenant, encrypted in transit and at rest, and never used to train shared AI models.

Per-tenant by default

Your data, your tenant, your governance.

Most SaaS products run all customers on shared infrastructure with row-level isolation. ThorStack does the opposite — dedicated infrastructure per customer, configured during onboarding.

Isolated Postgres database

Your data lives in its own database — separate credentials, separate backups, separate retention.

Isolated app & API instances

Compute scales for your tenant alone. No noisy-neighbour incidents from another customer's workload.

Isolated vector store

Per-tenant pgvector embeddings; AI memory never crosses tenant boundaries.

Isolated object storage

Per-tenant S3 prefix with separate IAM scopes.

Pick your region

EU or US on Studio. Any region we operate in (NA, EU, APAC, AF) on Operator and above.

Bring your own cloud

Sovereign customers deploy in their AWS, GCP, Azure, or bare-metal Kubernetes — we never see the data plane.

Controls in scope

How we run security, in the open.

Access control

  • Role-based access (admin / operator / viewer)
  • Mandatory MFA for all internal personnel
  • Quarterly access reviews
  • SSO + SAML on Operator+, SCIM on Sovereign

Encryption

  • TLS 1.2+ for all data in transit
  • AES-256 for data at rest
  • BYOK (customer-managed keys) on Sovereign

Tenancy isolation

  • Dedicated Postgres + app + vector store + storage prefix
  • Logical and network-level separation per tenant
  • Per-tenant credentials, backups, and audit log

Logging & monitoring

  • Per-tenant audit logs (1 year on Studio, unlimited on Operator+)
  • Real-time security event monitoring
  • SIEM export on Sovereign

Vulnerability management

  • Automated SAST + dependency scanning in CI
  • Quarterly external penetration testing
  • Coordinated disclosure / bug bounty

Data residency

  • EU or US on Studio
  • Any region we operate in on Operator+
  • Bring-your-own-cloud (any region you control) on Sovereign

Request the report

SOC 2 Type II report under NDA.

The full SOC 2 Type II report and our most recent penetration-test summary are available under a mutual NDA. Email security@thorstack.com with the legal name of your organization and the reviewing party — we'll send our standard NDA within two business days.

Vulnerability disclosure: also security@thorstack.com. We respond within one business day and credit reporters in our release notes when desired.

Ready for a stack built around you?

Every ThorStack deployment starts with a 30-minute call. Tell us how you operate — we'll show you what your stack would look like.