Trust  /  Security

Security

Thistle is built with practical security controls appropriate for sensitive legal information: encrypted access, tenant-separated data, authenticated accounts, and role-based permissions — designed around the confidentiality expectations of legal work.

Hosting & infrastructure

Thistle runs on AWS-hosted infrastructure, with NGINX reverse proxying and PM2-managed application processes in front of tenant-separated SQLite databases and S3-backed document storage.

Encrypted access

All access to Thistle runs over encrypted HTTPS, with TLS certificates issued through Let's Encrypt. Traffic between the browser and the application is encrypted in transit.

Authenticated accounts

Access requires an account. Each user signs in with their own credentials and works within an authenticated session. Sensitive credentials are kept server-side and are never exposed to the browser.

Roles & permissions

Role-based access controls keep admin, staff, and client roles distinct. What a person can see and do depends on the role they hold in the firm.

Tenant isolation

Each firm's data is isolated by tenant, with separate tenant databases and tenant-specific document storage paths. One firm's information does not share a store with another's.

Client portal separation

Client portal access is separated from staff access, so clients see only the information intended for them. Internal materials are never part of the portal view.

Staff-only areas

Internal notes, administrative information, and private case details stay internal to the firm's staff.

Documents

Documents move through protected upload workflows and are held in S3-backed storage on tenant-specific paths, reached through the same access controls that govern the case.

Backups & snapshots

Firm data is backed up with regular backups and snapshots, so information can be recovered and is not lost to a single point of failure.

Administrative access

Server access is controlled and administrative access is restricted, so the people who can reach the underlying systems are limited.

Data export

Firms can retrieve their information. Your data remains yours, and you can take it with you.

Payments

Where card payments are enabled, they are handled through a dedicated payment processor rather than stored by Thistle directly.

We take client information seriously and are continuing to mature our security posture — including better auditability, credential management, and formal policy documentation as the product grows. Thistle was built for law firms and is designed around the confidentiality expectations of legal work. Questions about data handling for your firm are welcome before you request access.

Have a question about client data?

Ask before you commit. We would rather have the conversation early.

Get Started