Learn about our data security practices and compliance measures.
At Threads, our primary security goal is making sure your data is only viewed and handled by the people you want to view and handle your data.
Threads is also SOC 2 Type II compliant, with audit reports available on request. We do not currently maintain any other compliance certifications. If you have additional compliance requirements, please reach out to [email protected] and we'd be happy to discuss how our security practices might fit your compliance framework of choice.
We don’t store any customer data on any devices or servers at any physical location we control. We host all infrastructure in Amazon Web Services (AWS). AWS is certified to a wide range of compliance and security standards, available for review here. In addition to AWS, we rely on a variety of third party vendors to support our efforts in providing Threads to customers. We review these vendors prior to using them, and limit their access to the data of and about Threads customers wherever possible.
We encrypt all customer data at rest to AES-256 or better. All data in transit outside of our network boundaries is TLS 1.2 or better. Backups (we make them and test them) are also encrypted and stored separately from production. Our recovery time objective (RTO) is 24 hours, but it’s likely we’d be able to get to at least partial functionality much more quickly. Similarly, our recovery point objective (RPO) is 24 hours, but most services have streaming backups and would have a lower RPO.
Threads employees may not access data about or in your account unless it's part of their job. For example, our platform engineers may need to review information about your usage in the course of debugging an infrastructure issue, or our support team might require access to your account metadata in order to resolve a ticket.
Except in extremely rare cases (involving legal or regulatory requirements) the actual contents of your threads and chats are never available to any Threads employee unless you have given us express permission to view that data. This level of access is temporary and scoped to a specific request for support, with enhanced logging and alerting on all actions taking.
We do not currently run a bug bounty program, and we do not plan to run one in the near future.
That said, if you'd like to poke around, have at it! If you happen to find a security issue, please submit it to us at [email protected]. We'll do our best to quickly triage, review, and provide compensation if warranted.