Security at Thesmia
We take it seriously.
Our approach to security
At Thesmia, we understand that HR data is sensitive by nature. While we are an early-stage product, security and data protection are not an afterthought: they are built into how we design, host, and operate the platform.
We aim to be transparent about what we do today, how risks are mitigated, and where responsibility sits between Thesmia and our underlying infrastructure providers.
We do not claim independent ISO 27001 or SOC certification at this stage. However, Thesmia is built on enterprise-grade infrastructure and services that are themselves ISO 27001 / SOC 2 compliant, and we follow security best practices aligned to those standards.
Quick reassurance
- Hosted on cloud infrastructure that meets ISO 27001 / SOC standards
- Data encrypted in transit and at rest (via underlying providers)
- No employee data used to train AI models
- Access restricted to authorised personnel only
- Regular patching and dependency updates
- Clear separation between customer data and application logic
If you need more detail, the sections below explain exactly how Thesmia handles security.
Infrastructure & hosting
Hosting location
Thesmia is hosted on reputable cloud infrastructure providers with data centres located in regions aligned with UK and EU data protection expectations.
Infrastructure compliance
Our hosting and core service providers maintain recognised security certifications, including:
ISO 27001
SOC 2
While Thesmia itself is not currently certified, we rely on these providers’ audited controls for physical security, network security, and resilience.
Data protection & privacy
Customer data usage
Customer inputs are used only to provide the Thesmia service.
We do not use customer data to train or fine-tune AI models.
We do not sell or share customer data with third parties for advertising or profiling.
Data minimisation
We encourage customers not to enter personal or identifiable employee data into prompts. Thesmia is designed for strategic comms and planning, not record-keeping.
Retention
Data is retained only for as long as required to operate the service and support users.
AI & model security
Thesmia uses large language models via trusted AI providers.
Customer prompts are processed securely.
Inputs are not used to train shared models.
We design prompts and system logic to minimise hallucinations and unsafe outputs.
Thesmia is intended as a decision-support tool, not an autonomous system.
Human review remains essential for all outputs.
Access control & authentication
Access to production systems is restricted to a small number of authorised team members.
Role-based access is used wherever possible.
Credentials are managed securely and rotated where appropriate.
Administrative access is logged and monitored via underlying infrastructure tooling.
Updates, patches & vulnerability management
Dependencies and libraries are kept under active review.
Security patches are applied promptly where risks are identified.
Infrastructure providers handle OS-level and network-level patching.
We monitor upstream advisories from vendors we depend on.
Backups & resilience
Infrastructure-level backups are managed by our hosting providers.
Systems are designed to be recoverable in the event of failure.
We rely on provider-level redundancy and availability guarantees.
Onboarding & offboarding
Team access is granted on a need-to-know basis.
Access is removed promptly when roles change or team members leave.
No shared credentials are used for critical systems.
Key risks & mitigations
| Risk | Mitigation |
|---|---|
| Unauthorised access | Restricted access, secure authentication, provider-level controls |
| Data leakage | Encryption, provider isolation, no model training on customer data |
| AI hallucinations | Guardrails, prompt design, human-in-the-loop expectation |
| Dependency vulnerabilities | Regular updates and monitoring |
| Human error | Minimal access, documented processes |
Certifications & roadmap
At present, Thesmia does not hold independent ISO 27001 or SOC certification.
As the product and customer base grow, we intend to:
- Continue aligning internal practices with recognised security frameworks
- Formalise documentation and controls
- Evaluate certification when proportionate and appropriate
We believe in earning trust through transparency, not overstating maturity.
Responsible disclosure
If you believe you’ve found a security issue, please contact us at:
📧 Emma@thesmia.ai
We take responsible disclosure seriously and will investigate promptly.
Questions?
We’re happy to answer reasonable security or data protection questions from customers, IT teams, or DPOs.