Trust & security
Thout.AI is built from the ground up to securely handle your most sensitive meeting data, integration credentials, and service connections.
Our team's security expertise
Our engineering team has deep experience building and operating cloud-native products on Google Cloud Platform and AWS that handle mission-critical business data. We apply enterprise-grade security practices at every layer — from network architecture to application code.
How Thout.AI protects your data
Infrastructure & network security
All services run on Google Cloud Run — isolated, fully managed compute with built-in DDoS protection, TLS termination, and request throttling.
Data is encrypted at rest (AES-256) and in transit (TLS 1.2+) across all storage and communication layers.
Production runs within a dedicated VPC with private subnets, strict firewall rules, Cloud NAT, and Private Google Access — databases have zero public internet exposure.
Database connections use Private Service Connect (PSC) endpoints — data never traverses the public internet.
Administrative access requires Identity-Aware Proxy (IAP) — no SSH keys or public IPs.
Isolation & access control
Every service runs in its own isolated container with a dedicated service account following least privilege. Meeting bots operate in fully sandboxed environments.
Production and staging are fully separated — distinct GCP projects, VPCs, and service accounts.
CI/CD pipelines use Workload Identity Federation with short-lived OIDC tokens — no long-lived credentials in CI systems.
Authentication & credentials
JWT-based authentication with short-lived access tokens (60-min) and secure refresh token rotation (30-day).
OAuth 2.0 with Google and Microsoft for SSO — we never store your OAuth passwords.
bcrypt password hashing with salting.
Integration credentials (Jira, Slack, Gmail) are encrypted with Fernet symmetric encryption.
All secrets managed through Google Cloud Secret Manager. Service-to-service auth uses OIDC tokens — no long-lived keys.
Your data stays yours
We never sell your data and it is never used to train third-party AI models.
Customer data is only shared with sub-processors as strictly necessary to deliver our service.
Meeting data is only accessed by the Thout.AI team with your permission, revocable anytime from settings.
Audio and video files are stored in user-isolated directories with time-limited signed URLs — never publicly accessible.
Sub-processors
We keep both the sub-processors we use and the data we send to them to an absolute minimum.
Sub-processor | Purpose
Google Cloud Platform | Infrastructure, compute, storage, and secret management
MongoDB Atlas | Primary database (connected via Private Service Connect; no public internet)
OpenAI | AI model provider for meeting insights and chat
Pyannote | Audio processing: audio diarization
Groq | LLM inference provider used for insight generation and audio processing
Neo4j | Graph database used for advanced extraction of insights and for addressing queries
Pinecone | Vector database for semantic search
Redis (Cloud Memorystore) | Caching layer (fully VPC-isolated)
Compliance
Standard | Status
SOC 2 Type I | In progress
Data residency
All Thout.AI infrastructure is hosted in Google Cloud within Google's highly secure and compliant data centers. Google Cloud maintains certifications including SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and FedRAMP.
Vulnerability disclosure
If you have found a vulnerability in our software, we encourage you to report it so we can work with you to resolve the issue.
Disclosure policy:
We will make a reasonable effort to fix the vulnerability promptly after notification.
Please do not disclose to third parties until we have had reasonable time to fix the issue.
Only use accounts you own or have explicit permission to use.
Make a good faith effort to avoid privacy violations, degradation of service, or data loss.
Report bugs to security@thout.ai. Bug bounties may be available at our discretion.
Exclusions: DoS attacks, spamming, social engineering of Thout.AI employees/clients/users, and physical attacks.
Deleting your account & data
You can permanently delete your account and all associated data at any time through account settings. We perform a cascading hard delete — removing your profile, meetings, transcripts, audio/video files, integration credentials, and all associated data. This action cannot be undone.

