Security
Last updated July 2, 2026
Theo handles sensitive operational knowledge, so security isn't an afterthought — it's built into how the platform is architected. Here's what's actually in place today.
Data isolation
Every organization's data is isolated at the database level using row-level security policies, and all API routes verify that a request's data belongs to the caller's organization before returning or modifying it. No user can access another organization's skills, interviews, sources, or queries.
Encryption
OAuth access tokens and refresh tokens for connected sources (Google, Slack, Notion) are encrypted at rest using AES-256-GCM before being stored. All traffic to and from Theo is encrypted in transit via TLS.
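As an illustration of the token encryption described above (an added example, not Theo's code): sealing an OAuth token with AES-256-GCM using Node.js's built-in crypto module. The envelope layout, the function names, and the binding of each ciphertext to hypothetical orgId and provider values as associated data are assumptions; the page states only the algorithm.

```javascript
const nodeCrypto = require('node:crypto');

const VERSION = 1;     // envelope format byte, so the key or algorithm can be rotated later
const NONCE_LEN = 12;  // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16;    // 128-bit authentication tag

// Associated data ties a ciphertext to the row it was written for (hypothetical fields),
// so a blob copied into another organization's row fails authentication on decrypt.
function aad(orgId, provider) {
  return Buffer.from(JSON.stringify([VERSION, orgId, provider]), 'utf8');
}

function sealToken(key, orgId, provider, token) {
  if (key.length !== 32) throw new Error('AES-256 needs a 32-byte key');
  const nonce = nodeCrypto.randomBytes(NONCE_LEN); // fresh per encryption, never reused under one key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce, { authTagLength: TAG_LEN });
  cipher.setAAD(aad(orgId, provider));
  const body = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return Buffer.concat([Buffer.from([VERSION]), nonce, cipher.getAuthTag(), body]).toString('base64');
}

function openToken(key, orgId, provider, sealed) {
  const raw = Buffer.from(sealed, 'base64');
  if (raw.length < 1 + NONCE_LEN + TAG_LEN || raw[0] !== VERSION) {
    throw new Error('unrecognized token envelope');
  }
  const nonce = raw.subarray(1, 1 + NONCE_LEN);
  const tag = raw.subarray(1 + NONCE_LEN, 1 + NONCE_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, nonce, { authTagLength: TAG_LEN });
  decipher.setAAD(aad(orgId, provider));
  decipher.setAuthTag(tag);
  // final() throws if the tag, the ciphertext or the associated data does not match.
  const body = Buffer.concat([decipher.update(raw.subarray(1 + NONCE_LEN + TAG_LEN)), decipher.final()]);
  return body.toString('utf8');
}

// Constructed sample values; a real key would be loaded from a secrets manager.
const demoKey = nodeCrypto.randomBytes(32);
const demoSealed = sealToken(demoKey, 'org_a', 'slack', 'xoxb-constructed-sample');
console.log(openToken(demoKey, 'org_a', 'slack', demoSealed));
```

Because GCM is authenticated, a modified ciphertext or a ciphertext presented under a different organization is rejected rather than decrypted to garbage.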
Authentication
Sign-in supports email/password, magic links, and Google SSO via Supabase Auth. Session tokens are short-lived and refreshed automatically. Sensitive actions — such as removing a team member, deleting a source, or clearing data — require organization admin privileges.
AI processing
Content is sent to Anthropic (for extraction and answering) and OpenAI (for embeddings) only for the purpose of generating your organization's answers and skill cards. We do not use your data to train models. See our Privacy Policy for details.
Infrastructure
Theo is hosted on Vercel with Supabase (PostgreSQL) as the data layer. Both providers maintain their own independent security and compliance programs.
Responsible disclosure
If you believe you've found a security vulnerability in Theo, please report it to security@meettheo.ai. We ask that you give us reasonable time to investigate and address the issue before public disclosure, and we won't pursue legal action against good-faith reports.
Roadmap
Theo is in early access. Features we're actively building toward for larger deployments include an audit log, SAML/SSO for enterprise identity providers, and permission-aware retrieval that respects source-level access controls. If any of these are a requirement for your organization, reach out — we'd like to hear about it.