Here at Thundra, security is our top concern, and we provide highest security standards.

Source Code Isolation

Thundra never sees nor has access to your source code. Your code does not reach Thundra’s backend or servers.

To provide code-level visibility for you blazing fast, the source-code view is required to enable you to click on a line to set a tracepoint during your application execution.

Your source-code only remains between your repository and your local browser, when you integrate with Thundra.

Thundra’s backend servers only receive the following when you set a tracepoint for debugging:

  • File path
  • Line number
  • SHA256 (hash of the file)
thundra encryption
thundra integrations

External Integrations

Thundra applies the least privilege principles and requires minimum permission to process your integration.

You can import your code from a repository like GitHub. At any point in time, your data - your source-code - is always kept Secure as it travels between your repository and your browser. It never goes through Thundra’s backend servers at any time.

Moreover, Thundra never makes any changes to your repository or its configuration in any way.

Thundra never commits, modifies pull requests, or installs Webhooks.

Trusted AWS Partner

Thundra is an AWS Advanced Technology Partner, helping AWS customers build faster and more reliable software with boosted developer productivity.

Thundra holds the AWS DevOps Competency and is a member of the ISV Accelerate Program. Thundra complies with enterprise contracts on AWS Marketplace and is a member of the SPPO Program.

thundra aws partner
thundra gdpr

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) re-emphasizes and reinforces existing data protection principles in the European Union (EU). GDPR also adds new rules that are designed to expand legal and privacy rights protections for EU citizens.

At Thundra, we understand the importance of data. We are wholly committed to providing the highest security standards and the protection of customer data. As a reflection, we completely ameliorated our products, processes, and procedures to meet with the GDPR obligations.

Any Thundra user is provided the availability to both filtering and masking personal data before customer data is submitted to our subscription services.

Encrypt in Transit & at Rest

We use TLS encryption for every internal and external communication between our services and external services. All of our application layer (layer 7) level communications are HTTPS based and network layer (layer 3-4) based communications are SSL based.

All of the collected user data and monitoring data is stored as encrypted with AWS KMS system by encryption keys. Also all of the snapshots and backups are encrypted as well at the place where they resides.

thundra encryption
Thundra Agent Security

Agent Security

Thundra agents runs in user application, collects monitoring data (traces, metrics, logs) from both of the running application itself and underlying Lambda container and send them to Thundra Collector API to be ingested. Collected monitoring data is sent through HTTPS (TLS) securely. Authentication is done by the provided API keys, which are sent in the request headers to sing the request, by Thundra Console. After processing, received data is stored encrypted by AWS KMS at rest. By default all integrations (AWS SQS, AWS SNS, AWS Lambda, …, MySQL, PostgreSQL, HTTP, Redis, etc …) are enabled and they capture the outgoing requests (messages, queries, request bodies, commands, etc …).

If there is sensitive data or you don’t want these requests data to be captured, you can always enabling masking them by configuration so they won’t be traced. Additionally, Thundra agent can trace user code base even method arguments, return values and local variables when line by line tracing is enabled. By these are disabled by default and we collected these low level details only when you enable. Even you enable them, we provide a programmatic API to mask completely or partially sensitive data yourself.

Console Security

All of the communication between the user browser and the Thundra console is done securely through HTTPS (TLS). We are using JWT tokens with Auth0 for console authentication. For payment, we are using Stripe, which is certified to PCI Service Provider Level 1, (the most stringent level of certification available in the payments industry). So we don’t collect and store any information of your credit card as they are handled and managed by Stripe directly.

thundra console security
thundra data

Data Access & Retention

All of the data stores (as well as the internal and external services) are behind VPC and they are not accessible from the outside of the private network. At Thundra, accesses to data stores are restricted and only admins and operations team are allowed. Two-factor authentication is required for employees to access Thundra internal services and actions are audited by AWS CloudTrail logs.

Data retention depends on user’s pricing plan. Data retention is:

  • 7 days for free and lite users
  • 1 month for standard users
  • 2 months for enterprise users.

If you want to delete your account, you can contact us through Slack or We will respond with the confirmation of deletion in 24 hours.


All of the services and data stores in Thundra are designed to be highly available components. We use Aurora MySQL, DynamoDB and Elasticsearch to store collected data.

Also collected monitoring data is backed up on AWS S3. AWS DynamoDB and S3 are highly available and resilient services as they run at multi AZ with backups. For Elasticsearch, we run multiple instances on multiple AZ and each shard has its own replicate located at another AZ. For Aurora MySQL, we have multiple read replicas on different AZ and region and in case of an outage, they can be promoted to master role.

In addition to data stores, both of our collector and console applications run as multiple instances on multi AZ behind Application Load Balancers and they can automatically scale up and down according to the system load. Besides collector and console applications, all of the remaining components of our backend are %100 serverless and by their nature they are highly available and scalable applications.

thundra availability
thundra recovery


All of our data stores, RDS and Elasticsearch (and even caches, Elastic Cache / Redis), have daily backups so in case of disaster, they can be restored to the latest day. The remaining changes until the disaster time on the data store occurred after snapshot can be restored by replaying events from S3 backups. In addition to S3 backups, data retention of our Kinesis stream, which is the stream of collected monitoring data, is 7 days, so that in case of the catastrophic failure of Elasticsearch, we can replay the data to be ingested.