Security Whitepaper

Last updated: March 2026

1. Architecture overview

Threadsovereign is a multi-tenant SaaS application. The marketing site (threadsovereign.co.uk) is separated from the production application (threadsovereign.io). Customer data is stored in UK/EU-region infrastructure with encryption in transit (TLS 1.2+) and at rest.

2. Identity and access

  • Role-based access control within each organisation workspace
  • Session management with secure cookie handling on the app domain
  • Enterprise SSO available on request (SAML/OIDC)
  • API keys restricted to Enterprise tier with scoped permissions

3. Data handling

Building safety documentation uploaded by customers remains the property of the customer. We do not use customer compliance data to train third-party AI models. Audit logs record material actions on safety-critical records.

4. Operational security

  • Dependency and vulnerability monitoring on application codebases
  • Segregation between staging and production environments
  • Backups with tested restore procedures
  • Incident response process with customer notification for data breaches

5. Certifications

Threadsovereign is pursuing Cyber Essentials Plus, SOC 2 Type II, and ISO 27001 certification. Current status is disclosed honestly in our Trust Centre — items marked "in progress" are not yet certified.

6. Contact

Security enquiries and responsible disclosure: security@threadsovereign.co.uk