Security at Thabit
Thabit is built for defense, aerospace, medical devices, nuclear, and other regulated industries. That means security is a first-order product concern, not a marketing bullet. This page describes the controls we have in place today, the controls on our near-term roadmap, and the posture we commit to maintaining.
Architecture Principles
- Deterministic first, AI second. Every module renders a complete package with or without AI. No customer’s workflow depends on a network call succeeding.
- Encoded doctrine, not chained prompts. The product ships with 230 KB of pre-written fallback narrative covering BAP, Shipley, MIL-STD-973, -810H, -461G, -882E, MIL-HDBK-217F, FAR 15.3, and DoD 5000. Your programs don’t stall waiting for a model.
- Single-file as an option. For air-gapped customers, Thabit is distributable as a single HTML file. No build step, no outbound connectivity required at runtime. This is a Phase 4 offering.
- No training on Customer Data. Thabit does not use Customer Data to train machine-learning models. Our agreements with foundation-model providers require the same.
Data Protection
Encryption
- In transit: TLS 1.3 with modern cipher suites. HSTS enforced on all production domains.
- At rest: AES-256 encryption of the application database, object storage, and backups. Managed keys through the cloud provider; customer-managed keys (BYOK) available on Enterprise tier.
- In memory: Sensitive material (API keys, session tokens) held only in process memory, never logged.
Access Control
- Role-based access control (RBAC) on every tenant-scoped resource with tenant isolation enforced at the database layer (row-level security).
- Multi-factor authentication required for all administrative access.
- Least-privilege IAM policies on cloud infrastructure; no broad wildcard permissions.
- SSO via SAML 2.0 and OIDC on Enterprise tier; SCIM provisioning available.
- Quarterly access reviews.
Secrets Management
Application secrets (API keys, service credentials, signing keys) are stored in the cloud provider’s managed secrets service with rotation on a defined schedule (quarterly for most; monthly for high-sensitivity secrets). No secrets in source control, ever. Developer access to production secrets is audited and time-limited.
Network and Perimeter
- Application behind a web application firewall (WAF) with OWASP Top 10 rule set.
- Production database and internal services in private subnets with no direct internet exposure.
- For GovCloud deployments (Phase 3): zero public internet egress from the data plane; egress is allow-listed to Bedrock and payment APIs only.
- DDoS protection via Cloudflare.
- Rate limiting enforced at the edge and per-user at the application layer.
Monitoring and Incident Response
- Structured application logs shipped to a central log aggregation platform with 1-year retention.
- Cloud infrastructure logs (CloudTrail on AWS) retained separately in append-only storage.
- Real-time error tracking with PII scrubbing (Sentry).
- Alerting on anomalous access patterns, failed-login spikes, and service-level degradations.
- Documented Incident Response Plan with a defined severity matrix, communication protocol, and 72-hour customer notification commitment for confirmed data-affecting incidents.
- Tabletop incident exercises quarterly; full drill at least annually.
Software Development Lifecycle
- Mandatory peer code review for every merge to the main branch.
- Automated dependency vulnerability scanning on every pull request (GitHub Dependabot + Snyk).
- Static analysis for security issues in CI (Semgrep / CodeQL).
- Container and infrastructure-as-code scanning (Trivy, Checkov).
- Secrets scanning on every commit and push (GitGuardian).
- Release process with deploy approvals, automated rollback, and immutable artifact registry.
Business Continuity
- RTO (Recovery Time Objective): 4 hours for Starter/Team, 1 hour for Enterprise.
- RPO (Recovery Point Objective): 15 minutes for Starter/Team, 5 minutes for Enterprise.
- Automated backups with point-in-time recovery over a 30-day window.
- Cross-region backup replication on Enterprise tier.
- Disaster recovery plan tested at least semi-annually.
People
- Background checks for all personnel with production access.
- Security awareness training at onboarding and annually thereafter.
- Signed confidentiality obligations extending beyond employment.
- Laptops managed with full-disk encryption, MDM-enforced screen lock, and automatic updates.
Compliance Roadmap
See the Trust Center for the detailed compliance-achievement roadmap including SOC 2 Type I/II, CMMC Level 2, FedRAMP 20x Moderate, and DoD IL-4/5 target dates.
Reporting an Issue
If you discover a security vulnerability, please report it through our Responsible Disclosure program. We commit to responding within 24 hours for critical issues and to not pursuing legal action against researchers acting in good faith.
Additional Resources
- Trust Center, live compliance status and roadmap
- Privacy Policy, data collection and rights
- Data Processing Addendum, for GDPR/CCPA-bound customers
- Subprocessors, current third-party service providers
- security@thabit.ai, security inquiries and enterprise security questionnaires