Security


Our Standards

Since starting work on the product in 2018, information security has been considered at every stage of design and operation.

We operate an Information Security Management System that is certified to ISO 27001. Thrive is also certified against SOC 2, Cyber Essentials and ISO 9001, and aligns with additional recognised security standards.

We work with independent specialists to support compliance with applicable legal and regulatory requirements, including GDPR, and maintain strong controls over the review and monitoring of subprocessors.

All of these certifications are subject to regular external audits. Further details on Thrive’s security controls, certifications, and compliance posture are available in the Thrive Trust Centre: https://trust.thrivelearning.com/

Encryption and Key Management

All customer data is encrypted at rest. Connections to the Thrive platform are encrypted in transit. Encryption keys are managed using AWS-managed key management services, with access tightly controlled and audited as part of our security operations.

Multi-Tenancy

The Thrive platform operates on a shared, scalable architecture with logical separation between customer environments.

Tenant isolation is enforced through tenant-aware request handling across services: every request and response is scoped to the tenant context of the authenticated user, so users can only access data belonging to their own organisation.

This approach allows customers to benefit from shared infrastructure while maintaining strict separation of users, content, and interactions.

Authentication

Authentication is handled using AWS Cognito. Cognito allows Thrive to support a range of authentication models, including federated identity providers using industry-standard protocols such as SAML 2.0 and OpenID Connect (OIDC).

After authentication, the front end receives a signed JSON Web Token (JWT), which is passed with each request and validated by backend services to confirm the identity and authorisation of the user.

Where federated authentication is used, enforcement of additional controls such as multi-factor authentication is managed by the customer’s identity provider.