security · scoped & auditable

Scoped tightly. Auditable always.

Thynk is an agent operating real systems. That puts the burden on us to make every action observable, reversible where possible, and scoped to exactly what you connected. This page is the inventory of how.

TLS 1.2+ in transit | AES-256 at rest | SOC 2 Type II · in progress

Scoped execution

The orchestrator acts only within the scopes you grant each connection at install time — it can never reach a tool or a store you didn't authorize. Nothing runs off to the side.

  • Each connection runs under its own OAuth scopes. You see the requested scopes at connect time and can revoke any connection at any moment.
  • When the agent needs a value it can't derive — a recipient, a quantity, which of two close matches — it asks you in an inline form before it builds or sends. It never guesses on your behalf.
  • Every action — which run, which tool, which store, when — is recorded in the audit trail.
  • Disconnect a tool or pause the agent at any time; in-flight work stops at the next step.

Credentials

Connecting a third-party tool (Klaviyo, Meta, Gorgias, …) means handing Thynk an OAuth token or API key. We treat these as the most sensitive material we hold.

  • Stored encrypted at rest with envelope encryption — the data encryption key never leaves Cloud KMS in plaintext.
  • Scoped to the minimum the skill pack needs. You see the requested scopes at connect time and can revoke at any time.
  • Decrypted only in-memory at the moment of the MCP call. Never written to logs.
  • Rotated automatically when the upstream provider supports rotation; otherwise we surface re-auth prompts on token expiry.

Tenant isolation

Multi-tenancy is built on row-level scoping with the store ID derived from the authenticated Shopify session — never from a client-supplied value.

  • Memory keys are namespaced memory[store_id][skill_pack_id][key].
  • Specialist agents see only their own pack's memory; cross-pack reads go through a read-only shared layer with an explicit requires declaration.
  • Audit logs are partitioned by store, never queried across tenants.
  • Database queries that take a store_id validate it against the session in middleware; no playbook handler can override this.
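
One way to realize the rules above, as an added example (not Thynk's code): middleware that treats the session's store ID as authoritative, and a memory view that permits a cross-pack read only when it was declared in requires. The class and function names, and the "inventory" and "email" packs, are hypothetical.

```python
import copy
from dataclasses import dataclass

class TenantError(Exception):
    """A request or memory access tried to cross a store or pack boundary."""

@dataclass(frozen=True)
class Session:
    store_id: str  # filled in by the auth layer from the verified session token

def resolve_store_id(session, params):
    """Middleware step: the session is authoritative; a supplied store_id may only agree."""
    supplied = params.get("store_id")
    if supplied is not None and supplied != session.store_id:
        raise TenantError("store_id does not match the authenticated session")
    return session.store_id

class PackMemory:
    """View of memory[store_id][skill_pack_id][key] bound to one store and one pack."""

    def __init__(self, backing, store_id, pack_id, requires=()):
        self._data, self._store, self._pack = backing, store_id, pack_id
        self._requires = frozenset(requires)  # declared (pack_id, key) shared reads

    def _bucket(self, pack_id):
        return self._data.setdefault(self._store, {}).setdefault(pack_id, {})

    def get(self, key):
        return self._bucket(self._pack).get(key)

    def set(self, key, value):
        self._bucket(self._pack)[key] = value

    def read_shared(self, other_pack, key):
        """Cross-pack read: same store only, declared in requires, returned as a copy."""
        if (other_pack, key) not in self._requires:
            raise TenantError(f"undeclared cross-pack read: {other_pack}.{key}")
        return copy.deepcopy(self._bucket(other_pack).get(key))

# Constructed sample: two stores, hypothetical packs "inventory" and "email".
backing = {}
store_a = resolve_store_id(Session("store-a"), {"store_id": "store-a"})
PackMemory(backing, store_a, "inventory").set("low_stock", ["sku-1"])
PackMemory(backing, "store-b", "inventory").set("low_stock", ["sku-9"])
email = PackMemory(backing, store_a, "email", requires=[("inventory", "low_stock")])
print(email.read_shared("inventory", "low_stock"))  # store-a's value only
```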

Data in transit & at rest

  • In transit: TLS 1.2+ on all public endpoints. HSTS enabled. Webhook payloads validated by HMAC signature before any handler runs.
  • At rest: AES-256 on managed Postgres and Cloud Storage. Encrypted backups in a separate region.
  • In memory: Operational payloads (orders, customers) are cached only for the duration of the run that needs them. No long-lived buffer of raw store data.
  • PII handling: Customer names, emails, phones, and addresses are fetched on demand and never written to logs in plaintext.
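
A sketch of the webhook gate described under "in transit", as an added example (not Thynk's code): the signature is checked over the raw request bytes, and the body is parsed and routed only after that check passes. The header name, the base64 HMAC-SHA256 encoding, the topic field, and all sample values are assumptions.

```python
import base64
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Webhook-Hmac-Sha256"  # hypothetical header name

class RejectedWebhook(Exception):
    """Signature missing or wrong; the body was never parsed or handled."""

def sign(secret: bytes, raw_body: bytes) -> str:
    """Base64 HMAC-SHA256 over the exact bytes sent (assumed encoding)."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()

def verify(secret: bytes, raw_body: bytes, signature: str) -> bool:
    # Recompute over the raw bytes, not re-serialized JSON, and compare in constant time.
    return hmac.compare_digest(sign(secret, raw_body).encode(), (signature or "").encode())

def receive(secret, raw_body, headers, handlers):
    """Gate: authenticate first, then parse, then route to a handler."""
    if not verify(secret, raw_body, headers.get(SIGNATURE_HEADER)):
        raise RejectedWebhook("bad or missing signature")
    event = json.loads(raw_body)
    return handlers[event["topic"]](event)

# Constructed sample values.
SECRET = b"constructed-shared-secret"
BODY = b'{"topic": "orders/create", "order_id": 1001}'
HANDLERS = {"orders/create": lambda event: ("handled", event["order_id"])}

def demo():
    """Return (result for a valid delivery, whether a modified body was rejected)."""
    ok = receive(SECRET, BODY, {SIGNATURE_HEADER: sign(SECRET, BODY)}, HANDLERS)
    modified = BODY.replace(b"1001", b"1002")
    try:
        receive(SECRET, modified, {SIGNATURE_HEADER: sign(SECRET, BODY)}, HANDLERS)
        rejected = False
    except RejectedWebhook:
        rejected = True
    return ok, rejected
```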

Audit trail

Every action the orchestrator takes is logged with merchant ID, skill pack ID, playbook ID, MCP call, payload hash, outcome, and timestamp. Audit logs live in a separate store from operational memory, with append-only semantics.

  • Visible to merchants in Activity; downloadable as a JSON export from Settings → Data.
  • Retained for 12 months. Custom retention for Scale plans.
  • Every tool call, kill-switch toggle, and connection change is a first-class entry — not buried in app logs.

LLM trust boundary

User-generated content from connected tools — Gorgias ticket bodies, product descriptions, customer emails — is treated as untrusted input to the model.

  • LLM output is never executed as code, shell, or SQL.
  • Tool-call arguments produced by the model are validated against the skill pack's typed schema before dispatch.
  • System prompts and tool catalogs are versioned and reviewable.
  • We do not train external models on your data. Inference runs under Anthropic's and OpenAI's zero / short-retention enterprise terms.
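
The schema check from the list above, as an added example (not Thynk's code): a model-produced tool call is dispatched only if the tool is in the catalog and the arguments match it exactly, with unknown fields rejected instead of dropped. The catalog format, the send_campaign tool and its fields, and the sample calls are hypothetical.

```python
class InvalidToolCall(Exception):
    """Model output that does not match the catalog; nothing is dispatched."""

# Hypothetical skill-pack catalog: tool -> {argument: (type, required)}.
CATALOG = {
    "send_campaign": {
        "list_id": (str, True),
        "subject": (str, True),
        "max_recipients": (int, False),
    },
}

def validate_tool_call(call, catalog=CATALOG):
    """Return (tool, args) only if the call matches the catalog exactly."""
    tool = call.get("tool") if isinstance(call, dict) else None
    if not isinstance(tool, str) or tool not in catalog:
        raise InvalidToolCall("unknown tool")
    schema, args = catalog[tool], call.get("arguments")
    if not isinstance(args, dict):
        raise InvalidToolCall("arguments must be an object")
    extra = sorted(set(args) - set(schema))
    if extra:  # reject rather than drop: the model asked for something undeclared
        raise InvalidToolCall(f"unexpected arguments: {extra}")
    for name, (typ, required) in schema.items():
        if name not in args:
            if required:
                raise InvalidToolCall(f"missing argument: {name}")
            continue
        value = args[name]
        # This catalog has no bool fields, and bool would otherwise pass as int.
        if isinstance(value, bool) or not isinstance(value, typ):
            raise InvalidToolCall(f"{name} must be {typ.__name__}")
    return tool, dict(args)

def dispatch_tool_call(call, tools, catalog=CATALOG):
    """Validate first; the tool function runs only on a call that passed."""
    name, args = validate_tool_call(call, catalog)
    return tools[name](**args)

# Constructed model outputs, as they might look after the model read untrusted ticket text.
GOOD = {"tool": "send_campaign", "arguments": {"list_id": "L1", "subject": "Back in stock"}}
BAD_TOOL = {"tool": "run_sql", "arguments": {"query": "..."}}
BAD_ARGS = {"tool": "send_campaign",
            "arguments": {"list_id": "L1", "subject": "Hi", "bcc": "x@example.com"}}
TOOLS = {"send_campaign": lambda list_id, subject, max_recipients=None: f"queued:{list_id}"}
```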

Access control

Authentication uses the standard Shopify embedded-app session token. There are no separate Thynk passwords to compromise.

  • Staff permissions follow the merchant's Shopify staff roles.
  • SAML SSO available on Scale plans for centralized identity management.
  • Internal access to production data is limited to a small on-call rotation, logged per access, and requires multi-party approval for reads of merchant payloads.
  • All developer laptops use full-disk encryption, hardware MFA keys, and managed device enrollment.

Sub-processors

The current sub-processor list (also in the Privacy Policy):

  • Google Cloud Platform — hosting, Postgres, KMS, log storage.
  • Anthropic & OpenAI — LLM inference under enterprise terms.
  • Composio — orchestration layer for non-native MCP connectors.
  • Shopify — billing, embedded app session, the merchant data we orchestrate.

We notify install contacts at least 30 days before adding a material sub-processor.

Responsible disclosure

found something? tell us first.

Email security@thynk.app with reproduction steps. We acknowledge within 24 hours, validate within 5 business days, and aim to patch critical issues within 30 days. We don't run a paid bounty yet, but we credit valid reporters publicly (with permission) and pay a modest honorarium for high-severity findings.

Please give us a chance to fix before public disclosure. Do not test against production stores you don't own; spin up a dev store for proof-of-concept.