Trust & Security

How we protect your data

ThinkingPatterns is a security product built for security-conscious teams. Here's how we handle your data.

Architecture overview

ThinkingPatterns receives security finding metadata via SARIF ingestion — never your source code. Data flows in one direction: from your scanners to our platform. We normalize, deduplicate, and store finding metadata (rule IDs, file paths, line numbers, severity, remediation text).

What we store

We store finding metadata, project configurations, user accounts, triage decisions, and audit logs. We do NOT store source code, repository contents, or build artifacts. File paths and line numbers are used to identify finding locations — the actual code stays in your repositories.
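The two sections above describe the ingestion contract: SARIF in, metadata-only records out. SARIF 2.1.0 itself allows a result to carry source text (region.snippet, contextRegion.snippet), and some scanners quote the offending literal in the result message, so whether source leaves your machine depends on what the forwarder copies. The page does not say how ingestion treats those fields, so the following added example (not ThinkingPatterns' own code) shows a client-side minimiser that copies only the fields the page lists by explicit allow-list, deduplicates by fingerprint, and checks before upload that no snippet text survived. The record layout, the severity mapping and the sample SARIF are constructed assumptions.

```python
"""Client-side SARIF minimiser: keep finding metadata, drop source snippets.

Added example, not ThinkingPatterns' own code. It assumes a SARIF 2.1.0 document
and emits the fields the page lists (rule ID, file path, line number, severity,
remediation text), deduplicated by fingerprint. The record layout and severity
mapping are illustrative assumptions; the sample SARIF below is constructed.
"""
import hashlib
import json

# Constructed sample run: two findings plus a repeat of the first from a re-scan.
# Both real findings carry source text (region.snippet / contextRegion.snippet),
# which SARIF permits and which a naive forwarder would upload verbatim.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "demo-scanner", "rules": [
            {"id": "PY-SQLI-001",
             "help": {"text": "Use parameterised queries instead of string formatting."}},
            {"id": "PY-SECRET-002",
             "help": {"text": "Load the key from an environment variable or secret store."}},
        ]}},
        "results": [
            {"ruleId": "PY-SQLI-001", "level": "error",
             "message": {"text": "SQL query built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42, "snippet": {
                     "text": "cur.execute(\"SELECT * FROM users WHERE name = '%s'\" % name)"}}}}]},
            {"ruleId": "PY-SECRET-002", "level": "warning",
             "message": {"text": "Possible hard-coded secret: 'sk-live-4a9f'"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/config.py"},
                 "region": {"startLine": 7},
                 "contextRegion": {"startLine": 5, "endLine": 9,
                                   "snippet": {"text": "API_KEY = 'sk-live-4a9f'"}}}}]},
            {"ruleId": "PY-SQLI-001", "level": "error",
             "message": {"text": "SQL query built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
        ],
    }],
}

# SARIF result levels mapped to an assumed platform severity scale.
SEVERITY = {"error": "high", "warning": "medium", "note": "low", "none": "info"}


def _rule_help(run, rule_id):
    """Remediation text lives on the rule object in the tool driver, not on the result."""
    for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
        if rule.get("id") == rule_id:
            return rule.get("help", {}).get("text", "")
    return ""


def extract_findings(sarif):
    """Return deduplicated metadata-only records.

    Fields are copied by explicit allow-list. Snippet text, contextRegion and
    artifact contents are never read, and the result message is deliberately
    left out because some scanners quote the offending literal in it.
    """
    seen, findings = set(), []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            rule_id = result.get("ruleId", "")
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                path = phys.get("artifactLocation", {}).get("uri", "")
                line = phys.get("region", {}).get("startLine")
                # Stable identity for dedup: same rule at the same location is one finding.
                fp = hashlib.sha256(f"{rule_id}|{path}|{line}".encode()).hexdigest()
                if fp in seen:
                    continue
                seen.add(fp)
                findings.append({
                    "fingerprint": fp, "rule_id": rule_id, "path": path, "line": line,
                    "severity": SEVERITY.get(result.get("level", "warning"), "medium"),
                    "remediation": _rule_help(run, rule_id),
                })
    return findings


def leaked_snippets(sarif, records):
    """Pre-upload check: any snippet text from the SARIF that reappears in the payload."""
    payload = json.dumps(records)
    leaked = []

    def walk(node):
        if isinstance(node, dict):
            snippet = node.get("snippet")
            if isinstance(snippet, dict):
                text = snippet.get("text")
                if text and text in payload:
                    leaked.append(text)
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(sarif)
    return leaked


if __name__ == "__main__":
    records = extract_findings(SAMPLE_SARIF)
    assert leaked_snippets(SAMPLE_SARIF, records) == []
    print(json.dumps(records, indent=2))
```

The allow-list is the important design choice: a forwarder that copies the SARIF result object and deletes the fields it knows about will leak whatever field it did not know about, whereas one that names the fields it keeps cannot. Run the leak check on the real scanner output you intend to send, not only on this sample, since tools differ in where they put code.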

Authentication & access control

Authentication is handled by Supabase Auth, with email/password and OAuth providers supported. All API access is authenticated with scoped API keys; each key carries one of three roles (admin, member, viewer) that determines what it may do. Row-level security policies in PostgreSQL enforce organization-level data isolation, so a query issued under one organization's credentials cannot return another organization's rows.

Audit trail

Every triage decision, finding state change, and administrative action is logged in an immutable audit trail. Each log entry records the actor, action, resource, and timestamp. Audit logs are accessible to organization admins and are retained for the lifetime of the organization.
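The page states that the audit trail is immutable and what each entry records, but not how a reader could check that. The following added example (not ThinkingPatterns' implementation) shows one standard way to make an append-only log verifiable: each entry commits to the hash of the previous one, so editing, deleting or reordering an entry breaks the chain at that point. The entry field names, the in-memory list used as storage and the sample entries are constructed assumptions.

```python
"""Tamper-evident audit log: each entry commits to the previous one.

Added example, not ThinkingPatterns' implementation. The page lists actor,
action, resource and timestamp per entry; this shows one way to make the
log's immutability verifiable (a SHA-256 hash chain). Field names, in-memory
storage and the sample entries are illustrative assumptions.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry

CHAINED_FIELDS = ("seq", "actor", "action", "resource", "timestamp", "prev_hash")


def _entry_hash(entry):
    # Canonical JSON (sorted keys, no whitespace) so the hash is independent of
    # key order and formatting in whatever store the entry came back from.
    body = {k: entry[k] for k in CHAINED_FIELDS}
    return hashlib.sha256(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


def append(log, actor, action, resource, timestamp):
    """Append one entry; its hash covers its own fields and the previous hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "actor": actor, "action": action,
             "resource": resource, "timestamp": timestamp, "prev_hash": prev}
    entry["hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify(log):
    """Return (ok, first_bad_seq). Catches edited, deleted and reordered entries."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if (entry["seq"] != i
                or entry["prev_hash"] != prev
                or entry["hash"] != _entry_hash(entry)):
            return False, i
        prev = entry["hash"]
    return True, None


def build_sample_log():
    """Constructed sample: a triage decision, a state change and a role change."""
    log = []
    append(log, "alice@example.com", "finding.triage", "finding:7f3a", "2024-05-01T10:00:00Z")
    append(log, "alice@example.com", "finding.state", "finding:7f3a", "2024-05-01T10:01:00Z")
    append(log, "bob@example.com", "member.role", "user:bob", "2024-05-01T11:00:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify(log))
    log[1]["actor"] = "mallory@example.com"  # simulate an after-the-fact edit
    print("after edit:", verify(log))
```

A chain like this only detects tampering; it does not prevent it. Whoever can rewrite the whole chain from the altered entry onward can still produce a consistent log, which is why a production deployment periodically anchors the latest hash somewhere the database writer cannot change (a separate write-once store, or a copy handed to the customer).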

Infrastructure

The application is hosted on Vercel with automatic TLS termination. The database is hosted on Supabase (AWS) with encryption at rest (AES-256) and in transit (TLS 1.2+). Backups are performed daily with point-in-time recovery capability.

Your code stays on your machines

All agentic work — scanning, analysis, and remediation — is performed by your own coding agents (Claude Code, Cursor, Windsurf, Codex, etc.) in your local environment. ThinkingPatterns never executes code on your behalf. Your source code never leaves your machines. We only receive the structured finding metadata that your agents send to our API.

Responsible disclosure

If you discover a security vulnerability in ThinkingPatterns, please report it to security@thinkingpatterns.ai. We will acknowledge receipt within 48 hours and work with you to understand and address the issue. We do not pursue legal action against researchers acting in good faith.

Questions about security?

Contact us at security@thinkingpatterns.ai for security inquiries, or view our architecture documentation for technical details.