Trust & Security at Threadline

Threadline is built for teams that care about customer experience — and customer trust.

Security, privacy, and transparency are foundational to how the platform is designed and operated.

Threadline is operated by Threadline CX LLC.

How We Handle Your Data

You control what data is analyzed in Threadline.

  • Data is processed only to deliver the insights you request
  • Customer data is isolated by organization
  • We do not sell personal data — ever
  • Analyses are anonymized when accounts are deleted

Threadline is designed to minimize data exposure while still delivering meaningful customer experience insights.

Security Practices (SOC-2–Aligned)

Threadline operates with security controls aligned to the SOC 2 Trust Services Criteria, including Security, Availability, and Confidentiality.

While Threadline is not currently SOC-2 certified, our internal practices are designed to meet those expectations.

Access & Authentication

  • Role-based access controls (owner, admin, member)
  • JWT-based authentication with secure session tokens
  • Passwords stored using cryptographic hashing
  • Session expiration and logout enforcement

Data Protection

  • Encrypted data transmission using HTTPS/TLS
  • Strict tenant-level data isolation
  • Feedback Vault scoped per organization
  • Aggregated benchmarks published only after anonymization thresholds are met

Administrative Safeguards

  • Super-admin access restricted via email allowlist
  • Dual-verification checks for elevated access
  • Audit logging for sensitive administrative actions

Monitoring & Reliability

  • Authentication and access activity logging
  • Controlled beta access for new features
  • Secure, managed cloud infrastructure

AI Transparency

Threadline uses AI to analyze customer feedback and generate insights.

  • Only the minimum data required is shared with AI providers
  • Customer data is not used to train public AI models
  • AI outputs are analytical and advisory
  • Threadline does not make automated decisions with legal or similarly significant effects on individuals

AI is used to explain patterns and surface insights — not to judge people.

Privacy & Compliance

Threadline aligns with modern privacy and data protection expectations:

  • GDPR-aligned rights (access, export, deletion, consent withdrawal)
  • CCPA-aligned handling for California residents
  • Analytics tracking only with explicit user consent
  • Clear data retention and anonymization practices

Detailed information is available in our:

Incident Response

Threadline maintains a documented incident response process.

If a security incident occurs:

  • Affected systems are contained and secured
  • Scope and impact are assessed
  • Remediation steps are applied
  • Systems are restored and verified
  • A post-incident review is conducted

Customers are notified without undue delay if their data is affected, in accordance with applicable laws.

Sub-Processors & Infrastructure

Threadline uses a limited number of trusted service providers to operate the platform.

Core Infrastructure

  • Replit – application hosting and deployment
  • Neon (PostgreSQL) – managed database hosting
  • Stripe – billing and payment processing

AI & Analysis Providers

  • OpenAI – text analysis
  • Google (Gemini / Vertex AI) – text and image analysis
  • Anthropic – text analysis
  • RunPod – image generation (Stable Diffusion)

Analytics (Consent-Based)

  • Google Analytics – usage analytics
  • ipapi.co – approximate geolocation (city / region / country)

Sub-processors are used only as required to deliver the service and are subject to contractual safeguards.

Security FAQ

Are you SOC-2 certified?

No. Threadline is not currently SOC-2 certified.

We operate with controls aligned to SOC-2 principles, and our practices are designed to meet those expectations.

Is data encrypted?

  • In transit: Yes (HTTPS/TLS)
  • At rest: Managed by our cloud infrastructure providers using industry-standard controls

Is customer data isolated?

Yes. Data is strictly isolated by organization.

Do you sell or share personal data?

No.

Is customer data used to train AI models?

No.

What happens when an account is deleted?

Account data is deleted, analyses are anonymized, and aggregated benchmarks remain non-identifiable.

How do you handle security incidents?

We follow a documented incident response plan and notify customers if their data is affected.

Transparency & Contact

If you have security, privacy, or compliance questions, contact us anytime:

Threadline CX LLC
[email protected]

Informational Notice
This Trust & Security page is provided for informational purposes only. Contractual commitments are governed by the Terms of Service, Privacy Policy, and Data Processing Addendum.