🚧 Under active development — information, features, and pricing may change without notice.

Security

Built to be audited.

Thoma is designed for shops whose IT teams have to defend a CMMC review or a 21 CFR Part 11 inspection. That means every security boundary is enforced server-side, every change writes an immutable audit row, and every customer can read the source code that does the enforcing.

Differentiator

You can read every line of our source code.

Thoma is shipped source-available, not closed-source. This follows the pattern of companies like Sentry, MongoDB, and Cal.com: customers can read every line of the codebase for security audit purposes — including the auth code, the license-check code, the encryption-at-rest paths, and the multi-tenant isolation boundary.

For shops doing a CMMC vendor security assessment or a NIST 800-171 §3.12 review, this turns a multi-week exercise into a day. Your IT team doesn't have to take our word for the security claims on this page — they can verify them in source.

What you can do: read, audit, patch for internal use, run security analysis tools against the codebase. What the license restricts: redistribution, modification for competing use, running without a paid license. IP protection comes from license terms, not from obfuscation.

The full license is published on the Terms of use page. Source access is gated by a light-touch mutual NDA — signable online in DocuSign in a few minutes, or your legal team can review the template first. Request source access →

Security feature inventory

Categorized for an IT-procurement reviewer. Each item is implemented today and verifiable in source. Long-form evidence with NIST 800-171 + CMMC L2 mappings lives in the Security & Compliance white paper.

Identity + authentication

Passwords hashed with PBKDF2-HMAC-SHA256 (FIPS-approved)

User passwords are stored as PBKDF2-HMAC-SHA256 hashes at 600,000 iterations (OWASP 2023 recommendation, FIPS 140-2/3 approved). Legacy bcrypt hashes from pre-2026-05-11 verify transparently and migrate to PBKDF2 on next login. Plaintext passwords never touch disk and are zeroed in memory after hashing. No password ever leaves your server.
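The storage and verify-and-upgrade flow described above, as an added example that is not Thoma's code. It assumes a self-describing record format `pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>` (an assumption, not the product's schema) and leaves the legacy check to a caller-supplied function, since bcrypt is not in the Python standard library; the point it demonstrates is that a legacy or under-iterated hash is accepted once and then replaced with a fresh PBKDF2 hash on that same login.

```python
import base64
import hashlib
import hmac
import os

# Added example (not Thoma's code). Record format is an assumption:
#   pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>
PBKDF2_ITERATIONS = 600_000   # OWASP 2023 figure quoted on the page
SALT_BYTES = 16
DKLEN = 32
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash with a fresh random salt; returns the storable record string."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return "%s$%d$%s$%s" % (
        SCHEME,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a password against a PBKDF2 record."""
    try:
        scheme, iters, salt_b64, hash_b64 = stored.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
    except (ValueError, TypeError):
        return False          # malformed or non-PBKDF2 record
    if scheme != SCHEME:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str) -> bool:
    """True for a legacy scheme or a PBKDF2 record below the current iteration count."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < PBKDF2_ITERATIONS
    except ValueError:
        return True


def login(password: str, stored: str, legacy_verify=None):
    """Returns (ok, new_record). new_record is set when the login succeeded
    but the stored hash should be replaced (legacy scheme or old parameters).
    legacy_verify(password, stored) -> bool is the caller's bcrypt checker
    (e.g. the bcrypt package's checkpw); it is only consulted for non-PBKDF2 records."""
    ok = verify_password(password, stored)
    if not ok and legacy_verify is not None and not stored.startswith(SCHEME + "$"):
        ok = legacy_verify(password, stored)
    if not ok:
        return False, None
    return True, (hash_password(password) if needs_rehash(stored) else None)
```

The migration happens inside the login path because that is the only moment the plaintext is available; the caller writes `new_record` back and the legacy hash is gone after one successful login.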

MFA (TOTP) with encrypted secrets at rest

TOTP enrollment is available on every tier and required on Enterprise. Shared secrets are encrypted with AES-256-GCM before being written to the database — even a stolen DB dump can't replay codes without the key.

Account lockout + last-code replay defense

Configurable lockout after N failed attempts. The most-recently-redeemed TOTP code is recorded so the same code can't be replayed inside its 30-second window.
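An added example (not Thoma's code) of the two checks above: RFC 6238 TOTP verification that records the last redeemed time step so a code cannot be reused inside its window, plus a failed-attempt counter that locks the account after N misses. The step size, skew, and lockout threshold are constructed values, not the product's configuration; the RFC 4226/6238 test secret is used so the results are checkable.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example (not Thoma's code). Parameters are constructed samples.
TOTP_STEP = 30        # seconds per time step
TOTP_DIGITS = 6
TOTP_SKEW = 1         # accept one step either side for clock drift
MAX_FAILURES = 5      # lockout threshold ("N" on the page; configurable)


def totp_code(secret_b32: str, step_counter: int, digits: int = TOTP_DIGITS) -> str:
    """HOTP (RFC 4226) over the time-step counter, i.e. TOTP (RFC 6238) with SHA-1."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", step_counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class MfaState:
    """Per-user server-side state (in the real system this lives in the DB)."""
    def __init__(self, secret_b32: str):
        self.secret = secret_b32
        self.last_step = None   # highest time step already redeemed
        self.failures = 0
        self.locked = False


def verify_totp(state: MfaState, code: str, now: float = None) -> str:
    """Returns 'ok', 'bad', 'replayed' or 'locked'."""
    if state.locked:
        return "locked"
    code = "".join(ch for ch in str(code) if ch.isdigit())   # keep compare_digest ASCII-safe
    now = time.time() if now is None else now
    current = int(now // TOTP_STEP)
    for candidate in range(current - TOTP_SKEW, current + TOTP_SKEW + 1):
        if hmac.compare_digest(totp_code(state.secret, candidate), code):
            # Reject the redeemed step and anything older: a code that was
            # valid one step ago is still inside the skew window.
            if state.last_step is not None and candidate <= state.last_step:
                return "replayed"
            state.last_step = candidate
            state.failures = 0
            return "ok"
    state.failures += 1
    if state.failures >= MAX_FAILURES:
        state.locked = True
        return "locked"
    return "bad"
```

Storing the redeemed step (rather than the code string) is what makes the check robust across the skew window: an older step is rejected even though its code would otherwise still validate.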

Optional AD / SSO (Enterprise)

Enterprise customers can plug Thoma into Active Directory (LDAP bind), OIDC (Okta, Azure AD, Auth0, etc.), or SAML 2.0 (any standards-compliant IdP) so users don't manage a separate set of credentials. Group-to-role mappings sync on every login.

Authorization

Role-based, server-enforced

Every write endpoint is gated by a permission check on the server side. Tampering with the frontend doesn't grant write access — the JWT carries the role and the server verifies it on every request.

Per-category permission matrices

Document categories carry their own permission rules — viewers, editors, approvers, status-transition rights all configurable per category. A user can be a Documents editor and a Changes viewer in the same install.

Status-transition checks

Releasing or rejecting a document is itself a permission. The check runs on /api/data POST against the OLD blob's category rules so a malicious payload can't grant itself the transition (21 CFR Part 11 §11.10(g) authority check).
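The three authorization points above (server-enforced roles, a per-category matrix, and a transition check evaluated against the stored record) in one added example that is not Thoma's code. The category matrix, status names and transition table are constructed samples; the principal's roles and org come from the server-verified token, and the category and current status come from the stored ("OLD") blob, so a payload that claims a more permissive category or a different starting status changes nothing.

```python
from dataclasses import dataclass

# Added example (not Thoma's code). Policy tables are constructed samples.
# Per-category matrix: action -> roles allowed to perform it.
CATEGORY_RULES = {
    "SOP":   {"edit": {"editor", "approver", "admin"},
              "release": {"approver", "admin"},
              "reject": {"approver", "admin"}},
    "Memo":  {"edit": {"editor", "admin"},
              "release": {"editor", "admin"},
              "reject": {"editor", "admin"}},
    "Changes": {"edit": {"change_editor", "admin"},
                "release": {"admin"},
                "reject": {"admin"}},
}

# (old status, new status) -> the permission that transition requires.
ALLOWED_TRANSITIONS = {
    ("draft", "in_review"): "edit",
    ("in_review", "released"): "release",
    ("in_review", "draft"): "reject",
}


class Forbidden(Exception):
    pass


@dataclass
class Principal:
    user_id: str
    org_id: str
    roles: set   # taken from the server-verified JWT, never from the request body


def authorize_update(principal: Principal, stored: dict, payload: dict) -> str:
    """Decide whether `principal` may apply `payload` to the stored record.
    Returns the action that was authorized, or raises Forbidden."""
    # Tenant boundary first: the record must belong to the caller's org.
    if stored["org_id"] != principal.org_id:
        raise Forbidden("record belongs to another org")

    # Category and current status are read from the STORED blob only.
    category = stored["category"]
    old_status = stored["status"]
    new_status = payload.get("status", old_status)

    if new_status == old_status:
        action = "edit"                      # content change, no transition
    else:
        action = ALLOWED_TRANSITIONS.get((old_status, new_status))
        if action is None:
            raise Forbidden(f"no transition {old_status} -> {new_status}")

    allowed_roles = CATEGORY_RULES.get(category, {}).get(action, set())
    if not (principal.roles & allowed_roles):
        raise Forbidden(f"role lacks '{action}' on category {category}")
    return action
```

Re-categorising a document is just an edit under the old category's rules here; if the product treats category changes as their own permission, that is one more entry in the matrix, evaluated the same way.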

Audit trail

Append-only audit log

Every read, write, status change, login, MFA event, and admin action writes a row to the audit log. Rows are never updated or deleted in normal operation.

Hash-chained for tamper detection (CMMC AU-9)

Each row's hash includes the previous row's hash, so changing or deleting a single row breaks the chain. An admin panel runs chain-integrity verification on demand, and a scheduler runs it nightly.
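An added example (not Thoma's code, and not the verification algorithm from the white paper) of the append-only, hash-chained log described in the two items above, with a verifier that detects a modified, deleted or reordered row. Row layout and the genesis value are assumptions; the `expected_tip` argument covers the one case a bare chain cannot see, a truncated tail, which is why the page's nightly verification and filesystem mirror matter.

```python
import hashlib
import json

# Added example (not Thoma's code). Row layout is an assumption.
GENESIS = "0" * 64   # prev_hash of the first row


def canonical(fields: dict) -> str:
    """Deterministic serialization so the hash recomputes identically on verify."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":"))


def row_hash(seq: int, prev_hash: str, fields: dict) -> str:
    payload = f"{seq}|{prev_hash}|{canonical(fields)}".encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class AuditLog:
    """Append-only in memory; a real store would enforce no UPDATE/DELETE."""
    def __init__(self):
        self.rows = []

    def append(self, **fields) -> str:
        seq = len(self.rows) + 1
        prev = self.rows[-1]["hash"] if self.rows else GENESIS
        h = row_hash(seq, prev, fields)
        self.rows.append({"seq": seq, "prev_hash": prev, "fields": fields, "hash": h})
        return h   # the new chain tip


def verify_chain(rows, expected_tip: str = None):
    """Returns (ok, first_bad_seq). Checks sequence continuity, each row's
    prev_hash link and recomputes each hash from the row's own content.
    If expected_tip is given (e.g. last night's recorded tip, or the mirror's),
    a silently truncated tail is reported as well."""
    prev = GENESIS
    expected_seq = 1
    for row in rows:
        if row["seq"] != expected_seq or row["prev_hash"] != prev:
            return False, row["seq"]                    # gap, reorder or deletion
        if row_hash(row["seq"], row["prev_hash"], row["fields"]) != row["hash"]:
            return False, row["seq"]                    # content edited in place
        prev = row["hash"]
        expected_seq += 1
    if expected_tip is not None and prev != expected_tip:
        return False, expected_seq                      # rows missing from the end
    return True, None
```

Deleting a middle row shows up as a sequence gap, editing one as a hash mismatch; only removing the newest rows leaves a chain that still verifies, so the tip hash has to be anchored somewhere the database writer cannot reach.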

Filesystem mirror for defense-in-depth

The audit chain can be mirrored to an append-only directory outside the database. If an attacker compromises Postgres but not the host filesystem, the mirror still holds the truth.

Electronic-signature ceremony with locked records

21 CFR Part 11 §11.50 / §11.70 — signed records carry the signer's identity, timestamp, and the meaning of the signature, written into a separate signature chain that is itself hash-linked.

SIEM-ready event stream (webhook + syslog + OCSF)

Auth events, chain-integrity alerts, AD-driven offboarding, and brute-force signals fan out to your SIEM via webhook (Splunk HEC / Datadog / custom JSON) and/or syslog UDP (CEF or RFC 5424). OCSF v1.3.0 webhook output for normalization-aware SIEMs (Splunk-OCSF, AWS Security Lake, Sentinel). Copy-paste detection-rule templates available — see /security/siem-detection-rules.
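An added example (not Thoma's code) of serializing one of the events above as a CEF line for the syslog path. The vendor, product, signature id and field mapping are constructed placeholders; what the example shows is the escaping CEF requires in the header (`\|`, `\\`) and in the extension (`\=`, `\\`, `\n`, `\r`), which is what stops a username chosen by an attacker from injecting extra header fields or fake extension keys into the stream your detection rules read.

```python
# Added example (not Thoma's code). Identifiers below are constructed placeholders.
CEF_VERSION = 0
DEVICE_VENDOR = "ExampleVendor"
DEVICE_PRODUCT = "ExampleProduct"
DEVICE_VERSION = "1.0"


def _escape_header(value) -> str:
    # In the pipe-delimited header only backslash and pipe are special.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value) -> str:
    # In key=value extensions backslash, '=' and line breaks are special;
    # a pipe is allowed unescaped here.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(signature_id, name: str, severity, extension: dict) -> str:
    """CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension"""
    severity = int(severity)
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be 0..10")
    header = "|".join(_escape_header(v) for v in (
        DEVICE_VENDOR, DEVICE_PRODUCT, DEVICE_VERSION, signature_id, name, severity))
    ext = " ".join(f"{k}={_escape_extension(v)}" for k, v in extension.items())
    return f"CEF:{CEF_VERSION}|{header}|{ext}"


def login_failed_event(user: str, src_ip: str, reason: str) -> str:
    """Constructed sample mapping for a brute-force signal (signature id 100 is a placeholder)."""
    return to_cef(100, "auth.login.failed", 5,
                  {"suser": user, "src": src_ip, "outcome": "failure", "reason": reason})
```

Keep the extension keys fixed in code and pass only values through from the event; the key names are not escaped by CEF, so they must never come from user input.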

Data at rest

Customer-controlled hardware

Thoma runs on your server. Database files, the document vault, and the audit log live on disks you control โ€” encrypt the disk with BitLocker / LUKS / your tool of choice and we're protected at rest by your usual storage policy.

Append-only file vault with versioning

Document binaries are written to a content-addressed vault. Edits create new versions; previous versions are retained. The vault is the single source of truth and never silently overwrites.

Encrypted secrets (TOTP, backup keys)

Sensitive at-rest values that aren't user-controlled — TOTP secrets, backup encryption keys — are themselves AES-256-GCM-encrypted at the application layer with keys held outside the DB.

Data in transit

TLS-only by default

The installer wires up TLS termination from day one. HTTP-only deployment is supported for air-gapped intranets where TLS is handled upstream, but the default is HTTPS with HSTS.

Strict CORS + security headers

CORS allowlist locked to your configured origin. Standard hardening headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) are set by the server.

No third-party data sharing

Customer data never leaves your server — except the optional AI Assistant, which is per-org opt-in and disabled by default. See the AI Assistant carve-out below.

Deployment

Native Windows install on your hardware

Single installer, portable Postgres bundled, runs as a Windows service. No SaaS account, no cloud-vendor lock-in. Your data lives where you put it.

Air-gapped support (Professional and Enterprise)

Both Professional and Enterprise tiers ship with offline license activation (long-lived signed key, no mandatory heartbeat) so the install can run without internet — required for many DoD contractors and restricted-internet manufacturing shops. You don't need to step up to the compliance tier just to run offline.

Pre-update backup automation

Updates take a snapshot of the database + vault before applying. Rollback is a one-command restore.

AI Assistant carve-out

The single exception to "no third-party data sharing"

Thoma's optional AI Assistant feature sends queries plus a recent-context snapshot to Anthropic's Claude API when a user asks it a question. This is the only place customer data leaves your server, and it is gated behind multiple safeguards:

  • Off by default. Per-org admin must explicitly enable it via a privacy disclosure modal.
  • Unavailable on Enterprise tier. CMMC Level 2 environments can't enable it at all — third-party LLMs are incompatible with CUI handling restrictions.
  • Anthropic's standard API terms apply — no training on customer API data, no retention beyond request lifetime.
  • Per-user + per-org quotas with a global vendor kill switch (`THOMA_AI_GLOBAL_DISABLE`).
  • Every chat persists server-side in your per-organization chat history for admin review.

Full details: /ai-chat/.

Compliance posture

CMMC Level 2 ready (Enterprise)

The Enterprise tier ships with the controls a CMMC L2 assessment requires: MFA on all users, AD/SSO support, append-only audit log with chain integrity verification, air-gapped deployment support, and the AI-Assistant carve-out. SOC 2 Type II is on the launch roadmap.

21 CFR Part 11 fit

§11.10 controls (validated systems, audit trails, authority checks, electronic signatures): the audit-log + signature-ceremony + status-transition-permission stack maps cleanly. Most installs pass an inspection with the standard configuration.

NIST 800-171 mapping

Per-control mapping for the AC, AU, IA, SC, and SI families is included in the Security & Compliance white paper. Source-available means a vendor security assessment (3.12 family) can be done with the actual code in front of the reviewer.

Vulnerability response

Reports go to [email protected]. We commit to acknowledging within 2 business days and patching high-severity issues within 14 days. Customers get advance notice of the patch window via email.

Backup + recovery

Pre-update snapshots are automatic. Full DB + vault backup is one command. Restoration is one command. Backup encryption keys are managed by your IT team — we never hold them.

Multi-tenant isolation

Self-hosted Thoma is single-tenant by definition (you run it on your server). The public demo and any future managed-hosting option enforce per-org boundaries at the API layer with server-side org-id checks on every request.

Reference

Security & Compliance white paper

The white paper is the long-form companion to this page: per-control NIST 800-171 mapping, threat model, key-management diagram, the full audit-chain verification algorithm, and the assessment-ready posture statement IT teams hand to their auditors.

The first draft is in active development and lands alongside our 1.0 launch. Pre-launch, request a copy by emailing [email protected] — we share the working draft with serious prospects under NDA.

Ready to put it in front of your IT team?

Trial installations include the full security feature surface (excluding the Enterprise-only compliance package). IT can run their review on the actual install, against the actual source code, before anyone signs anything.