Security

Last updated: February 2026

Security is foundational to Thermocline Cloud. We implement multiple layers of protection to safeguard your data, infrastructure, and accounts. This page outlines our security practices and commitments.

Compliance

Thermocline Cloud is actively pursuing SOC 2 Type II certification. Our compliance program is designed to meet the trust service criteria for security, availability, processing integrity, confidentiality, and privacy. We expect to complete our initial SOC 2 Type II audit in 2026.

We maintain detailed records of our security controls, policies, and procedures. Prospective Enterprise customers may request a copy of our security questionnaire or schedule a security review by contacting security@thermoclinecloud.com.

Encryption

All data at rest is encrypted using AES-256, the industry standard for symmetric encryption. This applies to all storage tiers, including hot and cold storage, database backups, and audit logs.

All data in transit is encrypted using TLS 1.3. Connections to the Thermocline Cloud API, console, and database clusters are secured with TLS 1.3 by default. We do not support older TLS versions. Certificate pinning is available for Enterprise customers upon request.

Network Isolation

Each customer's database clusters run in isolated network environments. Clusters are deployed in dedicated virtual private clouds (VPCs) with strict network segmentation. No cross-customer network traffic is possible.

VPC peering is available for Business and Enterprise plans, allowing you to establish private network connections between your infrastructure and Thermocline Cloud clusters. This eliminates the need for data to traverse the public internet. Contact your account manager or sales@thermoclinecloud.com to configure VPC peering.

Access Control

Thermocline Cloud implements role-based access control (RBAC) across all platform features. Organization owners can assign roles including Owner, Admin, Developer, and Viewer, each with granular permissions covering cluster management, data access, billing, and team administration.

Authentication uses JWT-based session management with multi-factor authentication (MFA) support; single sign-on (SSO) via SAML 2.0 and OpenID Connect is available to Enterprise customers.

API Key Management

API keys are generated using cryptographically secure random values and are hashed before storage. Thermocline never stores plaintext API keys. Keys are displayed once at creation time and cannot be retrieved afterward.

Granular permissions can be assigned to each API key, including read-only, read-write, and admin scopes. Keys can be restricted to specific clusters or databases. API key activity is logged and auditable. Keys can be rotated or revoked at any time through the console or API.
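As an added illustration of the pattern this section describes (issue once, keep only a digest, scope and cluster restrictions, revocation, audit trail), the following is an in-memory model written for this page; it is not Thermocline's code, and the names KeyStore, issue_key, authorize and the "tc_" prefix are assumptions.

```python
import hashlib
import secrets

# Added illustration of the pattern described above, not Thermocline's code.
# Names (KeyStore, issue_key, authorize) and the "tc_" prefix are assumptions.
SCOPE_ACTIONS = {  # actions each API key scope permits
    "read-only": {"read"},
    "read-write": {"read", "write"},
    "admin": {"read", "write", "manage"},
}

def key_digest(key: str) -> str:
    # token_urlsafe(32) yields 256 bits of entropy, so plain SHA-256 already makes
    # the stored digest useless to anyone who reads the database. Low-entropy
    # secrets (passwords) need a slow, salted hash instead; this is for random keys only.
    return hashlib.sha256(key.encode()).hexdigest()

class KeyStore:
    def __init__(self):
        self._records = {}  # digest -> record; the plaintext key is never stored
        self.audit = []     # audit trail of key operations

    def issue_key(self, scope, clusters=None):
        """Return the plaintext key once; afterwards only its digest exists."""
        if scope not in SCOPE_ACTIONS:
            raise ValueError(f"unknown scope {scope!r}")
        key = "tc_" + secrets.token_urlsafe(32)  # OS CSPRNG
        self._records[key_digest(key)] = {
            "scope": scope,
            "clusters": None if clusters is None else frozenset(clusters),  # None = all
            "revoked": False,
        }
        self.audit.append(("issue", scope, clusters))
        return key

    def revoke(self, key):
        rec = self._records.get(key_digest(key))
        if rec is not None:
            rec["revoked"] = True
            self.audit.append(("revoke", rec["scope"]))

    def authorize(self, key, cluster, action):
        """True only if the key is live, covers the cluster and its scope allows the action."""
        rec = self._records.get(key_digest(key))  # look up by digest, never by plaintext
        allowed = (rec is not None and not rec["revoked"]
                   and (rec["clusters"] is None or cluster in rec["clusters"])
                   and action in SCOPE_ACTIONS[rec["scope"]])
        self.audit.append(("allow" if allowed else "deny", cluster, action))
        return allowed
```

A read of the store after issuance shows only digests, which is the property that makes a database leak survivable; the audit list is what a SIEM export would carry.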

Audit Logging

Thermocline Cloud maintains comprehensive audit logs of all administrative actions, including user authentication events, cluster creation and configuration changes, API key management operations, permission and role changes, billing and plan modifications, and data export requests.

Audit logs are retained for 90 days on all paid plans and up to 1 year on Enterprise plans. Logs can be exported in JSON format for integration with your SIEM or compliance tools.

Security Assessments

Thermocline conducts regular security assessments, including continuous automated vulnerability scanning, third-party penetration testing at least annually, code security reviews as part of our development lifecycle, and quarterly infrastructure configuration audits.

We use a combination of automated tooling and manual review to identify and remediate security issues. Critical vulnerabilities are prioritized and patched within 24 hours of identification.

Responsible Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue in Thermocline Cloud, please report it to security@thermoclinecloud.com. Include a detailed description of the vulnerability, steps to reproduce the issue, and any relevant proof-of-concept code or screenshots.

We ask that you give us reasonable time to investigate and address the issue before making any public disclosure. We will acknowledge receipt of your report within 2 business days and provide an initial assessment within 5 business days. We do not pursue legal action against researchers who follow responsible disclosure practices.

Contact

For security questions, vulnerability reports, or to request a security review, contact us at security@thermoclinecloud.com.