Request source-code access
Thoma is source-available. Read-only repository access for security audit, internal patching, and SAST / SCA / DAST tooling is gated by a light-touch mutual NDA — signable online in a few minutes.
Sign electronically
Fill out the form below, sign the pre-filled NDA in DocuSign, and read-only repo access lands in your inbox. Most requests turn around within 1 business day.
Manual NDA review
If your legal team needs to review the NDA language before signing — fine. Pick this path on the form and we’ll email a Word / PDF copy you can mark up. Turnaround depends on your legal cycle.
What you get
- Read-only Git access to the full Thoma repository (or a signed download URL if your environment can’t use SSH out)
- Permission to run static analysis, SCA, SAST, and DAST tools against the codebase
- Permission to patch internally for your own install
- Build instructions and reproducible-build scripts so your audit can verify what we ship matches what we publish
What the NDA covers
Light, mutual, ~2 pages. Confidentiality of source + architecture docs; permitted use (audit, internal patching, security tooling); prohibited use (redistribution, derivative works for competing products, public posting of code excerpts); standard carve-outs (independently developed material, publicly known information); duration covers the trial / paid relationship plus 24 months post-termination.
Deliberately not in the NDA: IP assignment (this isn’t consulting), non-compete or non-solicit (would be inappropriate for a security-audit gate), data-handling clauses (separate concern; lives in the regular customer agreement).
The full text is what your legal team reviews on the manual path, and what loads into DocuSign on the electronic path. If you want to read the language before submitting, email us and we’ll send the template.