Security
Your knowledge is protected by multiple layers of defense.
Protection Layer (3 stages)
- Stage 1: 20+ regex patterns detect common secrets (AWS, GitHub, Stripe, OpenAI, JWT, private keys, and more).
- Stage 2: Shannon entropy detection catches unknown key formats and high-randomness strings.
- Stage 3: AI classification fallback (GPT-5-mini) for ambiguous content.
- Custom rules per project allow admins to define additional patterns and policies.
Detection Examples
Before and after the Protection Layer:
- Input: My API key is sk-proj-abc123def456...
  After: My API key is [MASKED:openai_key]
- Input: DB connection: postgres://admin:s3cret@db.example.com/prod
  After: DB connection: [MASKED:connection_string]
- Input: token=aF3kR9mN2xP7qW4sD8jL1bV6yT0uE5hZ
  After: token=[MASKED:high_entropy_secret]
What passes safely
- UUIDs: 550e8400-e29b-41d4-a716-446655440000
- URLs: https://docs.example.com/api
- Short hashes: abc123def456 (fewer than 16 characters)
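The following is an added illustration of how Stage 1 (format patterns) and Stage 2 (Shannon entropy) fit together and why the "passes safely" cases are left alone. It is example code written for this page, not workthin's implementation: the three Stage 1 patterns are a small constructed subset of the 20+ the product ships, and the 16-character minimum, the 4.0 bits-per-character threshold and the UUID allowlist are assumed values, not workthin's. Sample inputs are the ones shown above plus AWS's published placeholder access key.

```python
import math
import re
from collections import Counter

# Stage 1: known-format rules. Constructed subset for illustration; the
# product's own rule list (20+ patterns) is not reproduced here.
STAGE1_RULES = [
    ("openai_key", re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_\-]{10,}")),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # Any URL scheme carrying user:password@ credentials.
    ("connection_string",
     re.compile(r"\b[a-z][a-z0-9+.\-]*://[^\s:/@]+:[^\s@]+@\S+")),
]

# Stage 2 parameters (assumed values, not workthin's).
MIN_TOKEN_LEN = 16          # shorter runs are never entropy-checked
ENTROPY_THRESHOLD = 4.0     # bits per character
CANDIDATE = re.compile(r"[A-Za-z0-9_\-]{%d,}" % MIN_TOKEN_LEN)
# Structured identifiers that look random but are allowlisted.
UUID = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)


def shannon_entropy(s):
    """Bits of Shannon entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def stage1(text):
    """Replace every known-format match with a typed [MASKED:...] placeholder."""
    for name, pattern in STAGE1_RULES:
        text = pattern.sub("[MASKED:%s]" % name, text)
    return text


def stage2(text):
    """Mask long, high-entropy runs that no Stage 1 rule recognised."""
    def replace(match):
        token = match.group(0)
        if UUID.match(token):
            return token            # allowlisted structured identifier
        if shannon_entropy(token) > ENTROPY_THRESHOLD:
            return "[MASKED:high_entropy_secret]"
        return token
    # Placeholders emitted by stage1 are lowercase words well below the
    # threshold, so this single pass does not re-mask them.
    return CANDIDATE.sub(replace, text)


def protect(text):
    """Stages 1 and 2 in order; Stage 3 (AI fallback) is outside this example."""
    return stage2(stage1(text))


if __name__ == "__main__":
    for sample in [
        "My API key is sk-proj-abc123def456",
        "DB connection: postgres://admin:s3cret@db.example.com/prod",
        "token=aF3kR9mN2xP7qW4sD8jL1bV6yT0uE5hZ",
        "id 550e8400-e29b-41d4-a716-446655440000",
        "see https://docs.example.com/api",
        "hash abc123def456",
    ]:
        print(repr(sample), "->", repr(protect(sample)))
```

Two properties of the entropy stage are worth knowing when tuning it. The 32-character token above uses 32 distinct characters, so its entropy is exactly log2(32) = 5.0 bits per character and clears the threshold comfortably, while the UUID scores about 3.4 bits and would pass even without the allowlist. Conversely, a hex-only string has at most 16 distinct symbols, so its entropy can never exceed 4.0 bits per character: with this threshold the entropy stage will not fire on a hex digest of any length, which is why long hex-encoded secrets are better caught by a dedicated Stage 1 pattern than by Stage 2.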
Encryption
- At rest: AES-256 (Supabase / PostgreSQL).
- In transit: TLS 1.3.
- API keys: SHA-256 hashed before storage.
Access Control
- Row Level Security (RLS) per user and project at the database level.
- Scope-based visibility: personal, project, and global.
- Admin-only project security rule management.
Data Policy
- We do not use your data to train AI models.
- You own your data. Export or delete anytime.
- Sub-processors: Supabase, Vercel, OpenAI, Stripe, Upstash, PostHog, Sentry, Resend.
AI Data Handling
workthin uses the OpenAI API for structuring, tagging, and embedding.
“OpenAI does not train on data sent via the API by default.” (Source: “Your data”, OpenAI Platform documentation)
Compliance
- GDPR-ready data deletion.
- Responsible disclosure: security@workthin.app. We aim to acknowledge reports within 48 hours.