Trust
Security
Effective May 5, 2026
throu handles OAuth tokens and personal data. This page summarizes the practices in place today and what we're honest about not having yet.
Encryption
- In transit. All traffic between your browser, our application, and our sub-processors is encrypted with TLS 1.2+.
- At rest. The application database (managed PostgreSQL) and our hosting providers encrypt data at rest using industry-standard algorithms.
Authentication
Authentication is handled by Clerk. We do not store your password. Clerk supports multi-factor authentication (MFA), passkeys/WebAuthn, and session revocation. We recommend enabling MFA on your account.
OAuth and connected services
- OAuth scopes are limited to what each agent needs and what you grant during the connect flow.
- OAuth tokens are stored by Composio, our integration broker, and not surfaced in client-side code.
- You can revoke access at any time from Connections or directly at the third-party provider (e.g., your Google Account security settings).
Tenant isolation
Every database row is scoped to a user. Application code enforces ownership on every read and write. Cross-account access is not possible by design.
LLM providers
Chat content and agent prompts are sent to large language model providers (currently Anthropic and OpenAI) for inference. We do not use your private content to train third-party models. See our Privacy Policy for the full sub-processor list.
Data retention and deletion
Account data, chat history, and agent run logs are retained while your account is active. Deleting your account triggers deletion or anonymization of associated data within 30 days, except where retention is required by law.
What we do not yet have
We believe in being upfront about the limits of our compliance posture today:
- No SOC 2, ISO 27001, or HIPAA attestation.
- No formal incident-response or business-continuity certification.
- No DPA template available yet for enterprise procurement.
If your use case requires any of the above, contact us at security@throu.ai and we will share our roadmap.
Reporting a vulnerability
If you believe you've found a security issue, please email security@throu.ai with steps to reproduce. We aim to acknowledge reports within 72 hours. Do not publicly disclose the issue until we've had a reasonable opportunity to address it.
We don't currently run a paid bug bounty program, but credit is gladly given for responsibly disclosed issues.