Skip to content
BaseThread

Security & privacy

It's your team's context. It stays yours.

BaseThread holds some of your most sensitive context, so it's built local-first and private by default.

Where your context lives

Local-first by design, private by default

Your context is the source of truth in the cloud, mirrored to your own machine, and read by tools running on your key. Here's the path it takes.

Source of truth

BaseThread cloud

  • Encrypted at rest (AES-256-GCM)
  • Row-level security per workspace
Synced

Your machine

  • Local mirror by the Mac agent
  • Reads work offline
Over MCP

Your AI tools

  • Read by your own AI tools
  • They run on your accounts

Never used to train models. Your context only ever answers your team's questions.

The guarantees

Built for your most sensitive context

Local-first

Your context syncs to your own machine and reads work offline. The cloud is the source of truth, not a hard dependency for every read.

Encrypted at rest

Sensitive context is encrypted with AES-256-GCM. The encryption key lives outside the database.

Your tools, your accounts

The AI tools you connect run on your own accounts. BaseThread serves them context over MCP; it does not run your AI for you.

Never training data

Your context is used to answer your team's questions. It is never used to train models.

Row-level security

Access is enforced at the database with row-level security, so members only ever read the workspaces they belong to.

Self-host on the roadmap

Cloud today, with self-host and on-prem options planned for teams that need context to stay inside their own infrastructure.

The MCP access model

What a connected AI tool can access

The server acts as you. A connected AI tool can only do what you could do yourself in the app, no more.

Reads, scoped to you

A connected tool reads the slice of your shared context you're allowed to see, files, decisions, activity, tasks, people, and meeting notes, scoped to your role and workspace membership.

Writes, additive only

It can log activity, decisions, and tasks, and create or update documents. Writes are additive, rate-limited, and logged like any web-app write.

It can never see or change anything you couldn't yourself in the app. Private areas you aren't a member of are invisible, including to your AI. The tool filters only narrow within what you can see, never widen it, and destructive actions always require your explicit confirmation, so nothing is deleted or restructured silently.

Authentication & isolation

Scoped tokens, checked server-side

Your AI tool connects with its own scoped credential, and every read is enforced at the database, not the client.

OAuth 2.0 & PKCE

The hosted endpoint authenticates with OAuth 2.0 and PKCE. Your AI tool gets a scoped token, never your password.

Short-lived & revocable

Access tokens last one hour, refresh tokens 90 days, and tokens are stored hashed. Revoke any connected tool from your account at any time and its tokens stop working immediately.

Enforced server-side

Reads are checked server-side against your role and membership, never in the client. One authorization covers every workspace you belong to; your AI names the workspace per request.

Tenant isolation

Every workspace is isolated by row-level security. A token issued for you can only reach workspaces you're an active member of. There is no cross-tenant read path.

Mac Keychain, auth-free bridge

On the macOS app, sign-in lives in the macOS Keychain, and the local bridge is auth-free. Tokens are never sent across the local socket.

For security teams

Security details

The exact access, authentication, data-handling, and isolation model, for reviewers and security teams.

What the MCP server can access

  • The server acts as you. It can only read what you could see and write what you could write in the app.
  • It reads the slice of your context you're allowed to see (files, decisions, activity, tasks, people, meeting notes), scoped to your role and workspace membership. Private areas you aren't in stay invisible, including to your AI.
  • It writes additively: it logs activity, decisions, and tasks, and creates or updates documents.

Authentication

  • The hosted endpoint (mcp.basethread.ai) authenticates with OAuth 2.0 and PKCE. Your AI tool gets a scoped token, never your password.
  • Access tokens are short-lived (one hour); refresh tokens last 90 days; tokens are stored hashed.
  • One authorization covers every workspace you belong to; your AI names the workspace per request.
  • You can revoke any connected tool from your account at any time, which invalidates its tokens immediately.
  • On the macOS app, sign-in lives in the macOS Keychain, and the local bridge is auth-free. Tokens are never sent across the local socket.

Data handling

  • Encrypted in transit and at rest.
  • Never used to train AI models.
  • Scoped to your workspace; personal and team workspaces stay separate.
  • On the desktop app, a local mirror stays on your machine, and local deletions go to the system Trash.

Permissions & isolation

  • Reads are enforced server-side against your role (owner, admin, member, or viewer at the workspace level; manager or member at the container level) and your membership, never in the client.
  • Writes are additive, rate-limited, and logged like any web-app write.
  • Destructive actions require explicit confirmation. The AI never deletes or restructures silently.
  • Tenancy: every workspace is isolated by server-side row-level security. A token issued for you can only reach workspaces you're an active member of. There is no cross-tenant read path.

Reporting a security issue: email hello@basethread.ai. We aim to acknowledge within two business days.

FAQ

Security questions, answered

In your BaseThread workspace in the cloud, with row-level security so only your members can read it, and mirrored locally to each member's machine by the Mac agent. Sensitive fields are encrypted at rest with AES-256-GCM.

Get your team's AI tools on the same page

BaseThread is the shared context-graph that Claude Code, Cursor, and every AI tool your team uses can read, so no one re-explains the same context twice.

Get Started for Free
BaseThread, featured on Smol Launch