Security & privacy
It's your team's context. It stays yours.
BaseThread holds some of your most sensitive context, so it's built local-first and private by default.
Where your context lives
Local-first by design, private by default
Your context is the source of truth in the cloud, mirrored to your own machine, and read by tools running on your key. Here's the path it takes.
BaseThread cloud
- Encrypted at rest (AES-256-GCM)
- Row-level security per workspace
Your machine
- Local mirror by the Mac agent
- Reads work offline
Your AI tools
- Read by your own AI tools
- They run on your accounts
Never used to train models. Your context only ever answers your team's questions.
The guarantees
Built for your most sensitive context
Local-first
Your context syncs to your own machine and reads work offline. The cloud is the source of truth, not a hard dependency for every read.
Encrypted at rest
Sensitive context is encrypted with AES-256-GCM. The encryption key lives outside the database.
Your tools, your accounts
The AI tools you connect run on your own accounts. BaseThread serves them context over MCP; it does not run your AI for you.
Never training data
Your context is used to answer your team's questions. It is never used to train models.
Row-level security
Access is enforced at the database with row-level security, so members only ever read the workspaces they belong to.
Self-host on the roadmap
Cloud today, with self-host and on-prem options planned for teams that need context to stay inside their own infrastructure.
The MCP access model
What a connected AI tool can access
The server acts as you. A connected AI tool can only do what you could do yourself in the app, no more.
Reads, scoped to you
A connected tool reads the slice of your shared context you're allowed to see, files, decisions, activity, tasks, people, and meeting notes, scoped to your role and workspace membership.
Writes, additive only
It can log activity, decisions, and tasks, and create or update documents. Writes are additive, rate-limited, and logged like any web-app write.
Authentication & isolation
Scoped tokens, checked server-side
Your AI tool connects with its own scoped credential, and every read is enforced at the database, not the client.
OAuth 2.0 & PKCE
The hosted endpoint authenticates with OAuth 2.0 and PKCE. Your AI tool gets a scoped token, never your password.
Short-lived & revocable
Access tokens last one hour, refresh tokens 90 days, and tokens are stored hashed. Revoke any connected tool from your account at any time and its tokens stop working immediately.
Enforced server-side
Reads are checked server-side against your role and membership, never in the client. One authorization covers every workspace you belong to; your AI names the workspace per request.
Tenant isolation
Every workspace is isolated by row-level security. A token issued for you can only reach workspaces you're an active member of. There is no cross-tenant read path.
Mac Keychain, auth-free bridge
On the macOS app, sign-in lives in the macOS Keychain, and the local bridge is auth-free. Tokens are never sent across the local socket.
For security teams
Security details
The exact access, authentication, data-handling, and isolation model, for reviewers and security teams.
What the MCP server can access
- The server acts as you. It can only read what you could see and write what you could write in the app.
- It reads the slice of your context you're allowed to see (files, decisions, activity, tasks, people, meeting notes), scoped to your role and workspace membership. Private areas you aren't in stay invisible, including to your AI.
- It writes additively: it logs activity, decisions, and tasks, and creates or updates documents.
Authentication
- The hosted endpoint (mcp.basethread.ai) authenticates with OAuth 2.0 and PKCE. Your AI tool gets a scoped token, never your password.
- Access tokens are short-lived (one hour); refresh tokens last 90 days; tokens are stored hashed.
- One authorization covers every workspace you belong to; your AI names the workspace per request.
- You can revoke any connected tool from your account at any time, which invalidates its tokens immediately.
- On the macOS app, sign-in lives in the macOS Keychain, and the local bridge is auth-free. Tokens are never sent across the local socket.
Data handling
- Encrypted in transit and at rest.
- Never used to train AI models.
- Scoped to your workspace; personal and team workspaces stay separate.
- On the desktop app, a local mirror stays on your machine, and local deletions go to the system Trash.
Permissions & isolation
- Reads are enforced server-side against your role (owner, admin, member, or viewer at the workspace level; manager or member at the container level) and your membership, never in the client.
- Writes are additive, rate-limited, and logged like any web-app write.
- Destructive actions require explicit confirmation. The AI never deletes or restructures silently.
- Tenancy: every workspace is isolated by server-side row-level security. A token issued for you can only reach workspaces you're an active member of. There is no cross-tenant read path.
Reporting a security issue: email hello@basethread.ai. We aim to acknowledge within two business days.
FAQ
Security questions, answered
In your BaseThread workspace in the cloud, with row-level security so only your members can read it, and mirrored locally to each member's machine by the Mac agent. Sensitive fields are encrypted at rest with AES-256-GCM.
Get your team's AI tools on the same page
BaseThread is the shared context-graph that Claude Code, Cursor, and every AI tool your team uses can read, so no one re-explains the same context twice.
Get Started for Free