How we protect your data

We’ve designed every part of Thistl with security in mind, from infrastructure to authentication, monitoring, and beyond. This page outlines the steps we take to protect your data and maintain trust, every day.

Last updated July 17th, 2025

API security (core to the platform)

Our API is at the heart of the platform, and we treat it like mission-critical infrastructure. All access to the API is authenticated using token-based authentication via Laravel Sanctum. Tokens are scoped, revocable, and securely tied to the correct user or integration, ensuring tight access control.

We apply rate limiting and throttling to all API endpoints to prevent abuse, ensure fair usage, and maintain stable performance across the platform. All API activity is logged and monitored, with alerts in place to detect unusual behaviour or suspicious access patterns.


Access & user security

All user accounts are protected with two-factor authentication (2FA) to add an extra layer of protection beyond passwords. We use role-based access control (RBAC) to ensure users only have access to the tools and data they need – and nothing more.

Key admin areas and sensitive routes are protected with additional middleware to block unauthorised access.


Data protection

We take a layered approach to safeguarding your data. All information is encrypted in transit using HTTPS, and sensitive fields like API keys are encrypted before they’re stored. Passwords are never stored in plain text – they’re hashed using bcrypt, a secure one-way algorithm.

We also lock down cookies and sessions with the Secure, HttpOnly and SameSite attributes, helping protect your account against cross-site attacks and session hijacking.


Infrastructure security

Our infrastructure is configured to prevent unauthorised access at every level. Our database isn’t exposed to the public internet – it’s only accessible via a secure SSH tunnel. We also restrict SSH access to key-based authentication only, meaning password-based logins are disabled by default.

Deployments are built using production-only configurations, with development tools and debug features stripped out to reduce risk and attack surface.


Monitoring & protection

We keep a close eye on what’s happening inside the system. All login activity is logged and reviewed, and we monitor for anomalies that could signal a breach or misuse. Rate limiting is applied to login routes and APIs to slow down brute-force attempts or automated attacks.

Logs are stored securely and rotated regularly, preserving long-term system integrity without letting them grow unbounded or become a risk in their own right.


Our ongoing commitment

Security isn’t a one-off task – it’s an ongoing responsibility. We regularly review and update our processes, patch dependencies, and adjust our controls based on new threats or platform changes.

While no system can be completely immune to risk, we’re committed to doing everything we can to protect your data, your workflows, and your trust.

If you have any questions about how we protect your data – or if your business has specific security requirements – feel free to contact us at hello@thistl.io.