Trust / Security
Security
Thistle is built with practical security controls appropriate for sensitive legal information: encrypted access, tenant-separated data, authenticated accounts, and role-based permissions — designed around the confidentiality expectations of legal work.
Hosting & infrastructure
Thistle runs on AWS-hosted infrastructure, with NGINX reverse proxying and PM2-managed application processes in front of tenant-separated SQLite databases and S3-backed document storage.
Encrypted access
All access to Thistle runs over encrypted HTTPS, with TLS certificates issued through Let's Encrypt. Traffic between the browser and the application is encrypted in transit.
Authenticated accounts
Access requires an account. Each user signs in with their own credentials and works within an authenticated session. Sensitive credentials are kept server-side and are never exposed to the browser.
Roles & permissions
Role-based access controls keep admin, staff, and client roles distinct. What a person can see and do depends on the role they hold in the firm.
Tenant isolation
Each firm's data is isolated by tenant, with separate tenant databases and tenant-specific document storage paths. One firm's information does not share a store with another's.
Client portal separation
Client portal access is separated from staff access, so clients see only the information intended for them. Internal materials are never part of the portal view.
Staff-only areas
Internal notes, administrative information, and private case details stay internal to the firm's staff.
Documents
Documents move through protected upload workflows and are held in S3-backed storage on tenant-specific paths, reached through the same access controls that govern the case.
Backups & snapshots
Firm data is backed up with regular backups and snapshots, so information can be recovered and is not lost to a single point of failure.
Administrative access
Server access is controlled and administrative access is restricted, so the people who can reach the underlying systems are limited.
Data export
Firms can retrieve their information. Your data remains yours, and you can take it with you.
Payments
Where card payments are enabled, they are handled through a dedicated payment processor rather than stored by Thistle directly.
We take client information seriously and are continuing to mature our security posture — including better auditability, credential management, and formal policy documentation as the product grows. Thistle was built for law firms and is designed around the confidentiality expectations of legal work. Questions about data handling for your firm are welcome before you request access.
Have a question about client data?
Ask before you commit. We would rather have the conversation early.
Get Started