Security you can hand to your toughest reviewer.
Thryvate is built so that the convenient path is also the safe one. Sites are private by default, served only to verified viewers, and every access is logged.
Authentication first
Private sites never render until the viewer proves who they are. No file leaves storage before identity is confirmed.
Private object storage
Your bundles live in a fully private bucket. We never hand the browser a direct or presigned storage link.
Sandboxed rendering
Every site runs in an isolated, locked-down frame so one page can never read another or reach your account.
Verified viewers
Invite people by email or with a wildcard like *@acme.com. Each viewer confirms their address before access.
Full access log
Every request, verification, view, and denial is recorded so you always know who opened what, and when.
Scoped API tokens
Tokens are scoped to a single account, shown once, and revocable instantly. Rotate them whenever you like.
How a private view works
When someone opens a private link, they are asked to confirm their email before anything loads. Only after Thryvate matches them against your allowlist do we mint a short-lived delivery token and stream the page from private storage into a sandboxed frame. The underlying files are never exposed to the browser directly.
Data handling
Traffic is encrypted in transit, and stored bundles are encrypted at rest. We keep the metadata needed to run your account, such as site titles, allowlists, and the access log, and nothing more. You can delete a site and its history at any time from your dashboard.
Report a vulnerability
Found something that looks off? We want to hear about it. Email security@thryvate.com with the details and we will get back to you quickly. We are grateful to researchers who report issues responsibly.