Infrastructure
Threatcl Cloud is hosted on Google Cloud Platform (GCP) in regions located in the United States. We use managed services including Cloud Run, Cloud SQL, and Cloud Storage to benefit from Google's infrastructure security, including physical security, network isolation, and ongoing compliance certifications.
Encryption
All data is encrypted both in transit and at rest.
- TLS 1.2+ enforced for all connections to the Service
- Database storage (Cloud SQL) encrypted at rest with AES-256
- Object storage (Cloud Storage) encrypted at rest
- Backups inherit the same encryption guarantees as production storage
Authentication & Access Control
Authentication is handled by Google Firebase Authentication, which provides industry-standard credential storage and identity management. You can sign in using either an OAuth provider or an email and password.
- OAuth 2.0 via Google, GitHub, and Microsoft — multi-factor authentication is inherited from your identity provider
- Email and password sign-in via Firebase Authentication — passwords are never stored by Threatcl Cloud directly; Firebase stores them as salted hashes using Google's standard credential storage
- Role-based access control: owner, admin, member, and viewer roles per organization
- Scoped API tokens for CLI and automation use cases
Multi-Tenancy & Data Isolation
Threatcl Cloud is a multi-tenant platform. All data is scoped to your organization and isolated at the database level.
- Every query is scoped to the authenticated user's organization
- Cross-tenant data access is not possible through the API
- Organization-level audit logging tracks changes and access
Application Security
- Authentication is required on all non-public API endpoints
- Input validation and parameterized queries to prevent injection attacks
- CORS policies restrict cross-origin requests to authorized domains
- Session cookies are issued with the Secure, HttpOnly, and SameSite attributes
- Dependencies are regularly reviewed and updated, with automated alerts for known vulnerabilities
Secure Development
- All changes go through code review before being merged
- Continuous integration runs automated tests and dependency checks on every change
- Secrets and credentials are stored securely and are never committed to source control
- Production deployments are automated and auditable
Personnel Security
Access to production systems and Customer Data is restricted to a small number of authorised Threatcl Cloud personnel who require it to operate, support, and secure the Service.
- Multi-factor authentication is enforced on all internal accounts that can reach production
- Access is granted on a least-privilege basis and reviewed periodically
- Administrative access is logged for audit purposes
Backups & Disaster Recovery
We take regular automated backups of production data using Google Cloud's managed backup services. Backups are encrypted. In the event of data loss, we can restore from backup. We do not currently publish a formal RTO/RPO; please contact us if you need a specific commitment for an enterprise engagement.
Sub-processors
We rely on a small number of third-party service providers to operate the Service. Our key sub-processors are:
- Google LLC — Google Cloud Platform (hosting, database, storage, secret management) and Firebase Authentication, United States
- Stripe, Inc. — payment processing, United States
For more detail on how we handle data shared with sub-processors, see our Privacy Policy.
Incident Response
If we become aware of a security incident affecting your data, we will investigate, contain the issue, and notify affected customers in accordance with our Privacy Policy and applicable law, including the Australian Notifiable Data Breaches scheme and (where applicable) Article 33 of the GDPR.
Compliance
Threatcl Cloud is an early-stage platform and we do not currently hold any independent compliance certifications (such as SOC 2 or ISO 27001). We will update this page as our security posture evolves. If you have specific compliance requirements for your organisation, please contact us at support@threatcl.com.
Reporting a Vulnerability
If you believe you've found a security vulnerability in Threatcl Cloud, we'd appreciate your help in disclosing it responsibly. Please email us at support@threatcl.com with details of the issue, including steps to reproduce, affected URLs or endpoints, and any proof-of-concept material.
What's in scope:
- The Threatcl Cloud web application at threatcl.com and its subdomains
- The Threatcl Cloud API
What's out of scope:
- The open-source threatcl CLI and related repositories on GitHub — please report issues there via GitHub Security Advisories on the relevant repository
- Third-party services we depend on (Google Cloud, Firebase, Stripe, GitHub) — please report directly to those providers
- Denial-of-service attacks, volumetric or load testing, and any testing that degrades service for other users
- Social engineering of Threatcl Cloud staff, customers, or contractors
- Physical attacks against our offices or personnel
- Findings from automated scanners without a demonstrated, exploitable impact
- Reports of missing best-practice headers or cookie flags without a demonstrated impact
- Self-XSS or issues that require an already-compromised account
What we ask of you:
- Make a good-faith effort to avoid privacy violations, data destruction, and disruption of the Service
- Do not access, modify, or exfiltrate data that does not belong to you beyond what is necessary to demonstrate the vulnerability
- Give us a reasonable opportunity to investigate and remediate the issue before public disclosure
- Comply with all applicable laws
What you can expect from us:
- We will acknowledge receipt of your report within three (3) business days
- We will provide an initial triage and severity assessment within seven (7) business days
- We will keep you informed of progress as we investigate and remediate
- We are happy to credit you publicly once an issue is resolved, if you would like that
Safe harbor. Threatcl Cloud will not pursue or support legal action against security researchers who, in good faith, comply with this policy. We consider security research and vulnerability disclosure activities conducted consistent with this policy to be authorised access under the relevant laws (including, where applicable, the Australian Criminal Code Act 1995 and the United States Computer Fraud and Abuse Act). If a third party initiates legal action against you for activities that we determine to have been conducted in good faith and in accordance with this policy, we will make this authorisation known.
We do not currently operate a paid bug bounty program. Reports are appreciated and acknowledged, but no monetary reward is offered at this time.
Last updated: 8 April 2026