Security Policy
TeamDay AI Platform - Information Security
Effective date: January 1, 2026, Version 1.0.0
Privacy Policy · Terms of Use · Data Policy
Executive Summary
TeamDay is committed to protecting your data and systems with enterprise-grade security controls. This policy outlines our comprehensive approach to information security, aligned with SOC 2 Trust Service Criteria.
Security Highlights
- ✅ AES-256-GCM encryption for sensitive data (API keys, tokens)
- ✅ TLS 1.3 for all data in transit
- ✅ Multi-factor authentication (MFA) required for production systems
- ✅ Organization-scoped isolation (your data is yours alone)
- ✅ Continuous monitoring with AI-powered security agents
- ✅ Quarterly access reviews and disaster recovery testing
- ✅ SOC 2 Type I ready (certification April 2026)
Key Security Controls
Data Protection
- Encryption at rest: AES-256-GCM for API keys, OAuth tokens, and sensitive data
- Encryption in transit: TLS 1.3 for all connections
- No secrets in code: All credentials stored as environment variables
- Data isolation: Firestore security rules enforce organization boundaries (765 lines)
- Backup & recovery: Daily automated backups, 30-day retention, quarterly DR tests
Access Control
- Authentication: Firebase Auth with optional MFA
- Authorization: Role-based access (Owner, Admin, Member, Viewer)
- Session management: Secure httpOnly cookies, 7-day expiration
- Access reviews: Quarterly reviews of all user permissions
- Deprovisioning: Accounts revoked within 24 hours of termination
System Security
- Firestore security rules: 765 lines of organization-scoped rules
- Vulnerability scanning: Weekly automated scans with 7-day SLA for critical issues
- Dependency management: Automated security updates (Dependabot)
- Sandbox isolation: User-level Linux isolation for agent execution
- Rate limiting: API limits to prevent abuse (100 req/min per user)
Monitoring & Incident Response
- Audit logging: All authentication, authorization, and data access events logged
- Continuous monitoring: AI-powered log analysis every 15 minutes
- Anomaly detection: Failed auth spikes, rate limit violations, cost anomalies
- Incident response: Documented procedures with 24-hour detection SLA
- Security alerts: Real-time notifications for critical issues
Compliance & Certifications
Current Status
- ✅ GDPR compliant (EU data protection)
- ✅ CCPA compliant (California privacy rights)
- ✅ SOC 2 controls implemented (80/102 controls ready)
Certification Roadmap
- Q1 2026: Complete remaining SOC 2 controls
- Q2 2026: SOC 2 Type I audit
- April 2026: SOC 2 Type I certification
- 2027: SOC 2 Type II (12 months of operation)
AI-Native Security
TeamDay uses AI agents to automate compliance and security tasks:
Security Agents
- Log Monitor Agent: Analyzes logs every 15 minutes for anomalies
- Vulnerability Scanner Agent: Weekly security scans of code and dependencies
- Access Reviewer Agent: Quarterly access reviews (automated)
- DR Drill Runner Agent: Quarterly disaster recovery testing
- Policy Auditor Agent: Monthly compliance checks
Why AI Agents?
- ✅ More consistent: Agents don't skip steps or forget tasks
- ✅ Faster: Automated tasks complete in minutes vs. hours
- ✅ 24/7 monitoring: Continuous security vigilance
- ✅ Better documentation: Auto-generated reports with full audit trail
- ✅ Cost effective: Save $200K+/year vs. hiring compliance team
Data Retention & Deletion
Retention Periods
- Customer data: Retained until account deletion
- Audit logs: 2 years (SOC 2 requirement)
- Transaction records: 7 years (tax/legal requirement)
- Backups: 30 days
Data Deletion
- Soft delete: 30-day grace period (undo available)
- Hard delete: Permanent after 30 days
- Backup purge: Deleted data removed from backups within 60 days
- Right to deletion: GDPR/CCPA compliant (within 30 days)
Vendor Security
All third-party vendors are vetted for security:
| Vendor | Service | SOC 2 | DPA | Encryption |
|---|---|---|---|---|
| Google (Firebase) | Database, Auth | ✅ | ✅ | ✅ |
| Cloudflare | CDN, WAF | ✅ | ✅ | ✅ |
| Anthropic | AI API (Claude) | ✅ | ✅ | ✅ |
| OpenAI | AI API (GPT) | ✅ | ✅ | ✅ |
| Google AI | AI API (Gemini) | ✅ | ✅ | ✅ |
| Paddle | Payments | ✅ (PCI DSS) | ✅ | ✅ |
| GitHub | Code hosting | ✅ | ✅ | ✅ |
Annual vendor reviews: We verify SOC 2 reports and DPAs every January.
Incident Response
Detection
- Automated monitoring: AI agents detect anomalies 24/7
- User reports: security at teamday.ai (24-hour response)
- Bug bounty: Responsible disclosure program (planned Q2 2026)
Response
- Detect: Log Monitor Agent or user report
- Assess: Engineering Lead + Security Team
- Contain: Block attacker, patch vulnerability
- Eradicate: Remove backdoors, reset credentials
- Recover: Restore from backup if needed
- Communicate: Notify affected users within 72 hours (GDPR)
- Post-mortem: Document lessons learned
Critical incident SLA: 1-hour detection, 4-hour containment
Responsible Disclosure
Found a security vulnerability? We want to hear from you!
How to Report
- Email: security at teamday.ai
- PGP: Available on our website (for sensitive reports)
- Response time: 24 hours for acknowledgment
What We'll Do
- Acknowledge within 24 hours
- Fix critical bugs within 7 days
- Credit you in security advisory (if desired)
- Potential bug bounty reward (when program launches)
What We Ask
- Give us 45 days to fix before public disclosure
- Don't exploit the bug (test only)
- Don't access others' data
Out of scope: SPF/DKIM issues, DoS requiring massive resources, social engineering, physical security
Security Training
For Employees
- Onboarding: Security training within first week
- Annual training: Policy updates, threat landscape, case studies
- Phishing tests: Quarterly simulated phishing campaigns
For AI Agents
- Policy training: Agents loaded with all security policies
- Enforcement: Agents enforce policies automatically
- Alerting: Agents report violations to humans
Questions?
- General security questions: security at teamday.ai
- Privacy questions: privacy at teamday.ai
- Report a vulnerability: security at teamday.ai
- Data requests (GDPR/CCPA): privacy at teamday.ai
- Incident reports: security at teamday.ai (urgent)
Response times:
- Critical security issues: 24 hours
- General questions: 7 days
- Data requests: 30 days (legal requirement)
Full Documentation
Detailed security documentation is available upon request:
- Information Security Policy (22 pages)
- SOC 2 Controls Matrix (102 controls)
- Incident Response Plan (16 pages)
- Risk Assessment (25 pages)
Contact security at teamday.ai to request access.
Last updated: December 8, 2025 Next review: December 2026
TeamDay is committed to transparency. If you have questions about our security practices, we're happy to discuss them. Contact us anytime at security at teamday.ai.