How ThetaZero protects your data
Straightforward practices. No jargon. Here's exactly what we do to keep your account and competitor research safe.
Authentication
JWT-based sessions signed with a secure secret. Passwords hashed with bcrypt. Session tokens expire after 7 days. No persistent server-side sessions.
Encryption in Transit
All traffic between your browser and our servers is encrypted with TLS 1.2+. No unencrypted connections accepted.
Encryption at Rest
Sensitive tokens (OAuth credentials if connected) are encrypted at rest with AES-256-GCM. We never store plaintext secrets.
Infrastructure
Hosted on Render (SOC 2 compliant). Database on Neon PostgreSQL with encryption at rest. Production environment isolated from development.
SQL Injection Prevention
All database queries use parameterized statements throughout the application. SQL injection through our API is not possible.
Access Controls
Team roles (owner/member) with permission boundaries. Rate limiting on all authentication endpoints prevents brute force attacks.
Reports are generated from publicly available web data. When you enter a company name or URL, that input is used only to run your analysis — not shared with other users or sold to third parties.
No competitor data is stored beyond what you explicitly save to your workspace. You can delete any saved report at any time from your workspace.
- Free plan: Report history retained for 7 days after generation
- Paid plans: Full report history retained for the lifetime of your subscription
- Account deletion: All personal data and saved reports deleted upon request — contact [email protected]
- Watchlists & alerts: Retained until you delete them or close your account
- Environment variables and secrets managed via secure vault — never committed to version control
- Database access restricted to application servers only — no direct public internet exposure
- Rate limiting on all authentication endpoints to prevent brute force and credential stuffing
- Regular dependency audits for known security vulnerabilities
Found a vulnerability?
We take security seriously and appreciate researchers who disclose responsibly. If you discover a security issue in ThetaZero, please report it privately before making it public.
Contact: [email protected] — subject line "Security Disclosure"
We'll acknowledge your report within 48 hours and work with you to address the issue. We don't take legal action against researchers who follow responsible disclosure practices.
When testing, please don't:
- Access, modify, or delete data belonging to other users
- Run denial-of-service attacks against our infrastructure
- Use automated scanners that generate significant traffic without prior notice
- Disclose vulnerabilities publicly before we've had time to address them