
Trust Center

Thread AI builds Lemma to meet the security and regulatory bar that enterprise and public-sector
customers expect. Our trust program is detailed below and continuously monitored.

Security at Thread AI

Built to handle customer data and AI agents securely.

Identity-Aware Access Control

Lemma connects execution to identity-aware policies, enabling control over who can run workflows, which resources they can access, and what actions they can perform. Each workflow and agent action stays governed by the same authorization model used across users, services, tools, and data.

Customer Data Segmentation

Customer data is isolated by tenant so each organization’s workflows, context, and sensitive data remain scoped to that tenant boundary.
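The two paragraphs above describe one authorization model applied to users, services, tools, data and agent actions, with the tenant boundary as the outer scope. The following Go program is an added illustration of that shape and is not Lemma's code or policy format: the Principal, Resource and Rule types, the "*" wildcard, the OnBehalfOf delegation field and the sample policy in main are all assumptions made for the example. Its one non-obvious point is that an agent acting for a user is checked twice, once for itself and once for the delegating user, so the agent can never do more than the user could.

```go
package main

import (
	"errors"
	"fmt"
)

// Principal is the identity every execution carries: a user, a service, or an
// agent. An agent running a step for a user sets OnBehalfOf to that user.
type Principal struct {
	ID         string
	Tenant     string
	Roles      []string
	OnBehalfOf *Principal
}

// Resource is anything a workflow step touches: a workflow, a tool, a dataset.
type Resource struct {
	Kind   string // e.g. "workflow", "tool", "dataset"
	ID     string
	Tenant string
}

// Rule grants Action on resources of Kind to holders of Role; Action "*"
// matches any action. This policy shape is hypothetical.
type Rule struct{ Role, Action, Kind string }

var (
	ErrTenantBoundary = errors.New("resource is outside the caller's tenant")
	ErrDenied         = errors.New("no rule permits this action")
)

// Authorize is deny-by-default. The tenant boundary is checked first and is
// absolute; only then are role rules consulted. A delegating principal goes
// through the same function, so an agent never exceeds its user's rights.
func Authorize(rules []Rule, p Principal, action string, r Resource) error {
	if p.Tenant == "" || r.Tenant != p.Tenant {
		return ErrTenantBoundary
	}
	if p.OnBehalfOf != nil {
		if err := Authorize(rules, *p.OnBehalfOf, action, r); err != nil {
			return fmt.Errorf("delegator %s: %w", p.OnBehalfOf.ID, err)
		}
	}
	for _, role := range p.Roles {
		for _, rule := range rules {
			if rule.Role == role && rule.Kind == r.Kind && (rule.Action == action || rule.Action == "*") {
				return nil
			}
		}
	}
	return ErrDenied
}

func main() {
	rules := []Rule{ // constructed sample policy
		{Role: "analyst", Action: "run", Kind: "workflow"},
		{Role: "analyst", Action: "read", Kind: "dataset"},
		{Role: "agent-runner", Action: "*", Kind: "tool"},
	}
	alice := Principal{ID: "alice", Tenant: "acme", Roles: []string{"analyst"}}
	agent := Principal{ID: "agent-7", Tenant: "acme", Roles: []string{"analyst", "agent-runner"}, OnBehalfOf: &alice}
	fmt.Println(Authorize(rules, alice, "run", Resource{"workflow", "wf-1", "acme"}))
	fmt.Println(Authorize(rules, alice, "run", Resource{"workflow", "wf-9", "globex"}))
	fmt.Println(Authorize(rules, agent, "invoke", Resource{"tool", "search", "acme"}))
}
```

The last call in main is the case worth noticing: the agent holds a role that allows any action on tools, but alice does not, so the delegated check denies it.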

Envelope Encryption

Sensitive data is protected with envelope encryption. Each encryption operation uses a fresh AES-256-GCM data encryption key (DEK), which is wrapped by a per-tenant key encryption key. Tenant keys are in turn wrapped by a root key held in the cloud KMS; the root key never leaves the KMS boundary, so every unwrap happens inside the KMS rather than in application memory.
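The three-tier hierarchy above (root key in KMS, per-tenant key, per-operation DEK) is shown end to end in the following Go program. It is an added example, not Lemma's implementation: the KMS type stands in for a cloud KMS and the wrap/unwrap method names, the AAD labels, the Envelope layout and the "acme" tenant are assumptions made for illustration. The tenant name is bound as GCM additional authenticated data at every layer, so an envelope or wrapped key presented under the wrong tenant fails authentication at the first unwrap.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// mustRandom returns n bytes from crypto/rand; a failing CSPRNG is fatal.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mustGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length reaches here: a programming error
	}
	gcm, _ := cipher.NewGCM(block) // AES's block size is always GCM-compatible
	return gcm
}

// gcmSeal returns nonce || ciphertext || tag, with aad bound into the tag.
func gcmSeal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := mustRandom(gcm.NonceSize()) // fresh per seal; never reused under a key
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// gcmOpen reverses gcmSeal; a wrong key, different aad or flipped byte all fail.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KMS stands in for the cloud key management service (an assumption of this
// example): the root key exists only here and is used solely to wrap and unwrap.
type KMS struct{ root []byte }

func NewKMS() *KMS { return &KMS{root: mustRandom(32)} }

func (k *KMS) wrap(tenant string, key []byte) []byte {
	return gcmSeal(k.root, key, []byte("tenant-kek:"+tenant))
}

func (k *KMS) unwrap(tenant string, wrapped []byte) ([]byte, error) {
	return gcmOpen(k.root, wrapped, []byte("tenant-kek:"+tenant))
}

// ProvisionTenant mints a tenant key and returns only its root-wrapped form.
func ProvisionTenant(kms *KMS, tenant string) []byte { return kms.wrap(tenant, mustRandom(32)) }

// Envelope is the stored form: ciphertext plus the DEK wrapped by the tenant key.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// Encrypt mints a fresh DEK for this one operation, encrypts the record with it,
// wraps the DEK under the tenant key, and lets the plaintext DEK go out of scope.
func Encrypt(kms *KMS, tenant string, wrappedKEK, plaintext []byte) (*Envelope, error) {
	kek, err := kms.unwrap(tenant, wrappedKEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap tenant key: %w", err)
	}
	dek := mustRandom(32)
	return &Envelope{
		WrappedDEK: gcmSeal(kek, dek, []byte("dek:"+tenant)),
		Ciphertext: gcmSeal(dek, plaintext, []byte("record:"+tenant)),
	}, nil
}

// Decrypt walks the hierarchy back down: root key -> tenant key -> DEK -> record.
// The tenant name is AAD at every layer, so a relabelled envelope fails early.
func Decrypt(kms *KMS, tenant string, wrappedKEK []byte, env *Envelope) ([]byte, error) {
	kek, err := kms.unwrap(tenant, wrappedKEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap tenant key: %w", err)
	}
	dek, err := gcmOpen(kek, env.WrappedDEK, []byte("dek:"+tenant))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, env.Ciphertext, []byte("record:"+tenant))
}

func main() {
	kms := NewKMS()
	wkek := ProvisionTenant(kms, "acme")
	env, _ := Encrypt(kms, "acme", wkek, []byte("constructed sample record"))
	pt, err := Decrypt(kms, "acme", wkek, env)
	fmt.Printf("%q %v\n", pt, err)
}
```

Note what the application stores and handles: the wrapped tenant key and the envelope, never the root key, and the plaintext tenant key and DEK only transiently inside Encrypt and Decrypt. In a real deployment the wrap and unwrap calls go over the KMS API, which is what makes them auditable and access-controlled.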

Hardened Application Security

Lemma secures browser rendering and session management with controls validated through a Google web application penetration test. User-controlled content is output-encoded before it is rendered in the browser, and sessions are enforced on the server: timeouts are applied server-side rather than trusted from the client, and tokens are invalidated on logout and after inactivity.
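The session controls named above (server-side timeouts, invalidation on logout and on inactivity) and the output-encoding step are shown together in the following Go program. It is an added example and not Lemma's code: the in-memory Sessions store, the 15-minute idle and 8-hour absolute limits, the SHA-256 hashing of tokens at rest and the greeting template are all assumptions made for illustration. The idle timer is refreshed on each successful request; the absolute limit is not, so a captured token cannot be kept alive indefinitely by periodic use.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"html/template"
	"strings"
	"sync"
	"time"
)

var ErrNoSession = errors.New("session invalid or expired")

type session struct {
	user              string
	created, lastSeen time.Time
}

// Sessions is a server-side store: the server, not the browser, decides whether a
// token is still good. Tokens are kept only as SHA-256 hashes so a leaked store does
// not yield replayable tokens.
type Sessions struct {
	mu       sync.Mutex
	byHash   map[string]*session
	idle     time.Duration    // invalidate after this much inactivity
	absolute time.Duration    // hard cap on lifetime regardless of activity
	Now      func() time.Time // injectable clock, for tests
}

func NewSessions(idle, absolute time.Duration) *Sessions {
	return &Sessions{byHash: map[string]*session{}, idle: idle, absolute: absolute, Now: time.Now}
}

func hashToken(tok string) string {
	sum := sha256.Sum256([]byte(tok))
	return hex.EncodeToString(sum[:])
}

// Login mints a 256-bit opaque random token for the browser and records its hash.
func (s *Sessions) Login(user string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	now := s.Now()
	s.mu.Lock()
	defer s.mu.Unlock()
	s.byHash[hashToken(tok)] = &session{user: user, created: now, lastSeen: now}
	return tok, nil
}

// Resolve runs on every request. Both timeouts are enforced here, and an expired
// entry is deleted so the token can never be replayed later.
func (s *Sessions) Resolve(tok string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	h := hashToken(tok)
	sess, ok := s.byHash[h]
	if !ok {
		return "", ErrNoSession
	}
	now := s.Now()
	if now.Sub(sess.lastSeen) > s.idle || now.Sub(sess.created) > s.absolute {
		delete(s.byHash, h)
		return "", ErrNoSession
	}
	sess.lastSeen = now
	return sess.user, nil
}

// Logout invalidates server-side; clearing the cookie alone leaves a captured token usable.
func (s *Sessions) Logout(tok string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.byHash, hashToken(tok))
}

// greeting renders a user-controlled display name through html/template, which
// applies the entity encoding appropriate to the HTML text context it lands in.
var greeting = template.Must(template.New("greeting").Parse(`<p>Welcome, {{.}}</p>`))

func Greeting(displayName string) (string, error) {
	var b strings.Builder
	if err := greeting.Execute(&b, displayName); err != nil {
		return "", err
	}
	return b.String(), nil
}

func main() {
	s := NewSessions(15*time.Minute, 8*time.Hour)
	tok, _ := s.Login("alice")
	user, err := s.Resolve(tok)
	html, _ := Greeting(`<script>alert(1)</script>`)
	fmt.Println(user, err, html)
}
```

Greeting is the safe path; the contrast is plain string concatenation of the display name into markup, which would ship `<script>` to the browser unchanged. html/template escapes by context, so the same template value inside an attribute or a script block would be encoded differently than in element text.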

Compliance Programs

Certifications, regulatory frameworks, and assurance programs our controls support.

SOC 2 Type 2

Independently audited against the AICPA Trust Services Criteria for security, availability, and confidentiality. Reports available under NDA.

GDPR

Controls and data handling practices align with the EU General Data Protection Regulation, including data subject rights, lawful processing, and cross-border transfer safeguards.

HIPAA

Safeguards align with the HIPAA Security and Privacy Rules for handling Protected Health Information (PHI), including administrative, physical, and technical controls.

CJIS

Controls align with the FBI Criminal Justice Information Services (CJIS) Security Policy for handling sensitive criminal justice information.

CMMC 2.0 Level 2
In Progress

Working toward Cybersecurity Maturity Model Certification 2.0 Level 2 to support engagements with the U.S. Department of Defense and its supply chain.

FedRAMP
In Progress

Working toward FedRAMP authorization to support deployments with U.S. federal agencies and their contractors.

Security Controls

Controls across application, data, infrastructure, network, organization, and product security.

App Security

Code Review Process

Employee Disclosure Process

Responsible Disclosure (Bug Bounty)

Software Development Lifecycle

Web Application Firewall

Data Security

Daily Database Backups

Encryption at Rest

Encryption in Transit

Security Policy

System Access Control Policy

Infrastructure Security

Multiple Availability Zones

Password Policy

Require Encryption of Web-Based Admin Access

Restricted Public Access

Security Patches Automatically Applied

Network Security

Access to Remote Server Administration Ports Restricted

Logging/Monitoring

Malware Detection Software

Network Security Controls

Unique Accounts Used

Organization Security

Acceptable Use Policy

Code of Conduct

Disaster Recovery Plan

Incident Response Plan

Incident Response Team

Security Training

Product Security

Databases Monitored & Alarmed

Hard-Disk Encryption

Messaging Queues Monitored & Alarmed

Multi-Factor Authentication

NoSQL Database Monitored & Alarmed

Servers Monitored & Alarmed

Session Lock

Terms of Service

Need our compliance reports or DPA?

Reach out to request our SOC 2 Type 2 report, Data Processing Addendum, security questionnaire responses, or additional documentation. Reports are shared under NDA.

Contact us

© 2025 Thread AI, Inc.

131 Varick Street, Suite 1029, New York, NY 10013
