Security
Security is not a feature we add at the end. It is part of how our systems are built. This page describes how we protect your data and how to report a vulnerability.
Our approach
We put alignment and safety in the architecture rather than hoping for good behavior at runtime. The same principle governs how we handle your data: sensible defaults, clear boundaries, and failures that surface where they can be caught and corrected. The sections below describe how we apply that principle.
Data protection
Data is encrypted in transit using current TLS standards and encrypted at rest. We minimize the data we collect and retain, and we separate the durable record of work from transient state so that what matters is protected and what does not is cleared.
Engagement isolation
Every engagement is isolated. Your data, your deliverables, and the records of the work are kept within your engagement’s boundary, and one engagement is never reachable from another. Where work runs in a dedicated environment, that environment is provisioned for your engagement and is not shared across customers.
Infrastructure
Our services run on established cloud infrastructure with managed, regularly patched platform services. We use least-privilege roles for the components that make up the Services, and we prefer managed primitives over hand-operated systems to reduce the surface we have to secure.
Data handling and retention
We retain your data only as long as needed to provide the Services and meet our legal obligations. At the end of an engagement, your data is deleted and you receive confirmation, except where you have asked us to retain a record, which stays inside your engagement’s boundary and nowhere else. Our full data practices are described in our Privacy Policy.
Accountability
Our systems are built to account for their own work. Where a deliverable is produced, the reasoning behind it can be traced and reviewed, and a failure can be investigated back to the step that produced it. Accountability is a security property: it means problems can be found and fixed rather than hidden.
Access control
Access to systems and customer data is limited to the personnel who need it, protected by strong authentication, and granted on a least-privilege basis. We review access and remove it when it is no longer required.
Reporting a vulnerability
We welcome reports from security researchers. If you believe you have found a vulnerability in our Site or Services, please email hello@thought-pattern.com with the subject line “Security” and enough detail for us to reproduce the issue. Please give us a reasonable opportunity to investigate and remediate before public disclosure.
We will not pursue or support legal action against researchers who act in good faith, avoid privacy violations and service disruption, and do not access or modify data beyond what is needed to demonstrate a vulnerability. We aim to acknowledge reports promptly and to keep you informed as we work toward a fix.
Contact us
For any security question, reach us at hello@thought-pattern.com.