Security

Last updated: May 2026

Our commitment

Thrisha handles a founder’s most sensitive intellectual property: their unfiltered opinions, strategic thinking, unpublished product direction, and proprietary market analysis. We treat this material with the same confidentiality standards we would expect for our own business strategy. This page describes how we protect it.

1. Confidentiality and NDAs

Every Thrisha engagement begins with a mutual NDA executed before any onboarding conversations. Our standard NDA covers:

  • All recorded sessions, voice memos, and capture materials
  • Unpublished product strategy, roadmap details, and internal metrics shared during capture sessions
  • Competitive intelligence, pricing structures, and customer information disclosed incidentally
  • Draft narrative assets that have not yet been approved for publication
  • Client identity — we do not reference engagements publicly without explicit written permission

Case studies published on thrisha.com are produced only with explicit, written consent from named individuals. All quotes are reviewed and approved before publication.

2. Data handling

We minimize data collection to what is operationally necessary:

  • Recording files: Session recordings are stored in encrypted cloud storage (AES-256 at rest) and deleted 90 days after the engagement ends unless the client requests earlier deletion.
  • Draft content: All narrative drafts, outlines, and editorial notes are stored in access-controlled workspaces. Access is limited to the assigned Brand Operator and editorial team members on that engagement.
  • Published content: Once approved and published, content is the client’s property. We retain copies internally only for quality review and reporting purposes.
  • Analytics data: Performance data (TIR, AHL, open rates) is stored in client-specific reporting workspaces. This data is not shared with other clients or used in aggregate benchmarks without anonymization.

3. Access controls

Each client engagement operates in an isolated workspace. Internal access follows a need-to-know model:

  • Brand Operators have access only to their assigned client workspaces
  • Editorial reviewers access individual draft documents — not full client workspaces
  • Analytics and reporting access is scoped to performance data only
  • Leadership has visibility across engagements for quality oversight but operates under the same NDA obligations

All team members sign confidentiality agreements as a condition of engagement. Contractors and external collaborators (e.g., podcast editors) sign scoped NDAs covering only the materials they handle.

4. Platform security

We use industry-standard platforms with strong security postures:

  • Notion: Content calendars and approval workflows. Workspace access is invitation-only with SSO enforced.
  • Riverside.fm / Loom: Recording infrastructure. Files are encrypted in transit (TLS 1.2+) and at rest.
  • Cloud storage: All files are encrypted at rest (AES-256) and access-logged.
  • Email: We do not transmit unpublished draft content via standard email. Drafts are shared through secure, authenticated workspaces only.

5. AI tools policy

We use AI writing assistance in the Compose step of the Voice Loop. Our policy:

  • We do not input client recordings, transcripts, or proprietary strategy documents into any AI tool that trains on user data
  • Where AI tools are used, we use enterprise-tier plans with data processing agreements (DPAs) that prohibit training on submitted content
  • All AI-assisted drafts are reviewed, rewritten, and calibrated by human editors before delivery — we do not ship raw AI output
  • Clients may request an AI-free composition process for sensitive engagements; this is available on the Apex tier

6. Incident response

In the event of a security incident affecting client data, we will notify affected clients within 48 hours of discovery. Notification will include: the nature of the incident, the data potentially affected, steps taken to contain it, and remediation actions underway. We maintain an incident response protocol reviewed quarterly.

7. Data deletion requests

Clients may request deletion of all associated data at any time by emailing hello@thrisha.com. We will confirm deletion within 30 days. Exceptions: data required for legal or tax compliance purposes is retained for the legally mandated period and then deleted.

8. Questions

Security questions, vulnerability disclosures, or data requests: hello@thrisha.com. We aim to respond within one business day.