Contact Log in

Security Overview

Security is central to everything we do. We’re trusted by some of the largest brands in the world to deliver an excellent customer service experience while guarding PII and other sensitive information.


We are SOC 2 Type 2 certified by an accredited auditing firm. As part of SOC 2 we’ve designed robust controls and policies to address our business risks and have obtained audited confirmation of enforcement.

We hire external pentesting firms and remediate discovered issues, and we can provide reports from our most recent pentest upon request.

GDPR and CCPA Policies and Procedures

We follow GDPR and CCPA requirements and have a process in place to delete data and provide info upon request.

Upon receipt of a data-deletion request from a company on behalf of a user, Thankful will delete all data connected to that user ID. That user ID is forever recorded as a “blacklisted ID.”

If a database is restored from a backup, as a first step an engineer ensures any blacklisted ID from past deletion requests are again deleted from the restored backup.

If any data breaches are discovered, they will be patched as a highest priority. The disclosure of a breach will be clearly communicated to Team Managers in Thankful’s dashboard.


We work with the following companies and tool systems to store, analyze, and transmit data for our users. They have been carefully vetted for best-in-class security practices.

Account Security

We implement a number of account controls to give you and your team peace of mind. TOTP-based multi-factor authentication (works with Google Authenticator) is included for every Thankful account.

We provide team management tools which enable you to add and remove team members as well as enforce their password security and 2FA. We also provide security-focused audit logs for important changes to your account and to detect data exfiltration.

Personally Identifiable Information

Beyond the above account security efforts, we make numerous efforts to protect personally identifiable information (PII). Short data retention periods ensure we delete data as soon as we’re able. We anonymize data where possible, and we encrypt all data in-transit and at rest using strong TLS ciphers and AES-128 and AES-256.

High Availability

We focus on high availability and regularly exceed 99.99% uptime within Google Cloud tier 4 data centers, and Thankful’s historical status can be seen at

Coordinated Disclosure

If any vulnerabilities in Thankful’s infrastructure or application are found, please disclose these vulnerabilities in an email to We will ackowledge the issue within 24 hours, investigate, and put together a remediation plan with agreed upon dates in line with our Information Security Policy.

Ask Support