Trust
Security at Theora
We treat the security of customer data as foundational. This page summarises the controls and practices that protect the Service.
Last updated: 29 May 2026
Encryption
- All data is encrypted in transit using TLS.
- Data at rest is encrypted using industry-standard algorithms managed by our cloud provider.
Access control
- Access to production systems follows the principle of least privilege.
- Multi-factor authentication (MFA) is required for administrative access.
- Access is reviewed periodically and revoked promptly on role change or departure.
Infrastructure
- The Service runs on a major cloud provider with managed, regularly patched infrastructure.
- Production environments are isolated from development and testing environments.
- Backups are performed and recovery is tested periodically.
Compliance
Theora is actively pursuing SOC 2 and maintains a documented information security program covering access management, change management, incident response, and vendor risk. Documentation is available to customers under NDA on request.
Vulnerability disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability, please email security@theorahq.com with details and steps to reproduce. We will acknowledge your report and work with you on a resolution. Please do not publicly disclose an issue until we have had a reasonable opportunity to address it.
Bug Bounty
We do not currently operate a paid Bug Bounty program. We do, however, value and recognise responsible disclosures made through the vulnerability disclosure channel above, and we will credit researchers who report valid issues. As our security program matures we plan to formalise a Bug Bounty program.
Reporting a concern
Security questions or concerns can be sent to security@theorahq.com.