Security Overview

Version: 1.0 | Last updated: November 11, 2025

Team Chat Code enables multi-tenant AI chatbots for organizations. The following summarizes how we safeguard customer data and ensure reliable operations.

1. Architecture Security

1.1 Multi-Tenancy Isolation

Every record carries a team_id and is protected by Row Level Security (RLS) in Supabase.
Bots, documents, chunks, and embeddings inherit team_id; cross-team access is impossible by query design.
API calls resolve user → profile → team context on the server—never on the client.

1.2 Encryption & Secrets

TLS 1.2+ enforced for all HTTP and database connections.
Data at rest encrypted with AES-256 (Supabase Postgres + Storage).
Secrets and API keys live only in Vercel/Supabase environment variables with quarterly rotation.

2. Data Handling

2.1 Document Ingestion

Supported formats: PDF, DOCX, Markdown, TXT, HTML (whitelisted and sanitized).
Uploaded text screened using OpenAI Moderation; flagged files are quarantined and excluded from embeddings.
Optional regex filtering for PII (emails, card numbers, SSNs).

2.2 Storage & Embeddings

Files stored in Supabase Storage under /teams/{team_id}/docs/{uuid}.
Embeddings stored in Postgres pgvector partitioned by team_id and collection_id.
Vectors contain semantic representations only—no raw secrets or PII.

2.3 Retention

Customer content retained while the subscription is active.
Deleted documents and embeddings hard-deleted within 30 days; audit logs retained 90 days.

3. Application Security

3.1 Authentication & Access Control

Supabase Auth (email links, OAuth). JWTs validated on every request.
Admin actions require server actions with re-authentication.
Bots respect visibility flags: private (team-only) or public (read-only sharing).

3.2 Rate Limiting & APIs

Global rate limiting per team and per IP address.
API keys hashed with bcrypt, scoped to team_id, stored encrypted.
Exponential back-off and suspension on abuse.

3.3 Audit & Monitoring

All create/update/delete actions logged to audit_log.
Error/access logs streamed to secure logging services (Vercel Logs, Supabase Logs).
Suspicious patterns (e.g., excessive uploads) trigger alerts.

4. AI & Prompt Security

Prompts and uploads screened with OpenAI Moderation before reaching model APIs.
Retrieved context is ephemeral; no prompts or chunks are used for model training.
Only vetted providers (OpenAI, Anthropic) accessed over TLS.

5. Infrastructure

Hosted on Vercel and Supabase (both SOC 2 Type II certified).
Weekly dependency updates and vulnerability scanning.
Strict CSP headers, XSS and CSRF protections, encrypted backups.

6. Compliance & Roadmap

GDPR/PDPA-aligned data handling with DPA available on request.
Terms forbid illegal, copyrighted, or sensitive data uploads.
SOC 2 readiness assessment planned for Q3 2025.
Future enhancements: BYOK encryption and real-time anomaly detection.

7. Incident Response

24/7 incident channel monitored by our engineering team.
Standard process: detection → triage → containment → customer notification (within 72 hours).
Post-mortems documented; mitigation tasks tracked to closure.

Need More Details?

For security questionnaires or enterprise inquiries, contact security@teamchatcode.com.

Security Overview

Version: 1.0 | Last updated: November 11, 2025

Team Chat Code enables multi-tenant AI chatbots for organizations. The following summarizes how we safeguard customer data and ensure reliable operations.

1. Architecture Security

1.1 Multi-Tenancy Isolation

Every record carries a team_id and is protected by Row Level Security (RLS) in Supabase.
Bots, documents, chunks, and embeddings inherit team_id; cross-team access is impossible by query design.
API calls resolve user → profile → team context on the server—never on the client.

1.2 Encryption & Secrets

TLS 1.2+ enforced for all HTTP and database connections.
Data at rest encrypted with AES-256 (Supabase Postgres + Storage).
Secrets and API keys live only in Vercel/Supabase environment variables with quarterly rotation.

2. Data Handling

2.1 Document Ingestion

Supported formats: PDF, DOCX, Markdown, TXT, HTML (whitelisted and sanitized).
Uploaded text screened using OpenAI Moderation; flagged files are quarantined and excluded from embeddings.
Optional regex filtering for PII (emails, card numbers, SSNs).

2.2 Storage & Embeddings

Files stored in Supabase Storage under /teams/{team_id}/docs/{uuid}.
Embeddings stored in Postgres pgvector partitioned by team_id and collection_id.
Vectors contain semantic representations only—no raw secrets or PII.

2.3 Retention

Customer content retained while the subscription is active.
Deleted documents and embeddings hard-deleted within 30 days; audit logs retained 90 days.

3. Application Security

3.1 Authentication & Access Control

Supabase Auth (email links, OAuth). JWTs validated on every request.
Admin actions require server actions with re-authentication.
Bots respect visibility flags: private (team-only) or public (read-only sharing).

3.2 Rate Limiting & APIs

Global rate limiting per team and per IP address.
API keys hashed with bcrypt, scoped to team_id, stored encrypted.
Exponential back-off and suspension on abuse.

3.3 Audit & Monitoring

All create/update/delete actions logged to audit_log.
Error/access logs streamed to secure logging services (Vercel Logs, Supabase Logs).
Suspicious patterns (e.g., excessive uploads) trigger alerts.

4. AI & Prompt Security

Prompts and uploads screened with OpenAI Moderation before reaching model APIs.
Retrieved context is ephemeral; no prompts or chunks are used for model training.
Only vetted providers (OpenAI, Anthropic) accessed over TLS.

5. Infrastructure

Hosted on Vercel and Supabase (both SOC 2 Type II certified).
Weekly dependency updates and vulnerability scanning.
Strict CSP headers, XSS and CSRF protections, encrypted backups.

6. Compliance & Roadmap

GDPR/PDPA-aligned data handling with DPA available on request.
Terms forbid illegal, copyrighted, or sensitive data uploads.
SOC 2 readiness assessment planned for Q3 2025.
Future enhancements: BYOK encryption and real-time anomaly detection.

7. Incident Response

24/7 incident channel monitored by our engineering team.
Standard process: detection → triage → containment → customer notification (within 72 hours).
Post-mortems documented; mitigation tasks tracked to closure.

Need More Details?

For security questionnaires or enterprise inquiries, contact security@teamchatcode.com.

Legal Information

Security Overview

1. Architecture Security

1.1 Multi-Tenancy Isolation

1.2 Encryption & Secrets

2. Data Handling

2.1 Document Ingestion

2.2 Storage & Embeddings

2.3 Retention

3. Application Security

3.1 Authentication & Access Control

3.2 Rate Limiting & APIs

3.3 Audit & Monitoring

4. AI & Prompt Security

5. Infrastructure

6. Compliance & Roadmap

7. Incident Response

Need More Details?

Legal Information

Security Overview

1. Architecture Security

1.1 Multi-Tenancy Isolation

1.2 Encryption & Secrets

2. Data Handling

2.1 Document Ingestion

2.2 Storage & Embeddings

2.3 Retention

3. Application Security

3.1 Authentication & Access Control

3.2 Rate Limiting & APIs

3.3 Audit & Monitoring

4. AI & Prompt Security

5. Infrastructure

6. Compliance & Roadmap

7. Incident Response

Need More Details?