Security Policy

TeamDay AI Platform - Information Security

Effective date: January 1, 2026, Version 1.0.0


Privacy Policy · Terms of Use · Data Policy


Executive Summary

TeamDay is committed to protecting your data and systems with enterprise-grade security controls. This policy outlines our comprehensive approach to information security, aligned with SOC 2 Trust Service Criteria.

Security Highlights

  • AES-256-GCM encryption for sensitive data (API keys, tokens)
  • TLS 1.3 for all data in transit
  • Multi-factor authentication (MFA) required for production systems
  • Organization-scoped isolation (your data is yours alone)
  • Continuous monitoring with AI-powered security agents
  • Quarterly access reviews and disaster recovery testing
  • SOC 2 Type I ready (certification April 2026)

Key Security Controls

Data Protection

  • Encryption at rest: AES-256-GCM for API keys, OAuth tokens, and sensitive data
  • Encryption in transit: TLS 1.3 for all connections
  • No secrets in code: All credentials stored as environment variables
  • Data isolation: Firestore security rules enforce organization boundaries (765 lines)
  • Backup & recovery: Daily automated backups, 30-day retention, quarterly DR tests

Access Control

  • Authentication: Firebase Auth with optional MFA
  • Authorization: Role-based access (Owner, Admin, Member, Viewer)
  • Session management: Secure httpOnly cookies, 7-day expiration
  • Access reviews: Quarterly reviews of all user permissions
  • Deprovisioning: Accounts revoked within 24 hours of termination

System Security

  • Firestore security rules: 765 lines of organization-scoped rules
  • Vulnerability scanning: Weekly automated scans with 7-day SLA for critical issues
  • Dependency management: Automated security updates (Dependabot)
  • Sandbox isolation: User-level Linux isolation for agent execution
  • Rate limiting: API limits to prevent abuse (100 req/min per user)

Monitoring & Incident Response

  • Audit logging: All authentication, authorization, and data access events logged
  • Continuous monitoring: AI-powered log analysis every 15 minutes
  • Anomaly detection: Failed auth spikes, rate limit violations, cost anomalies
  • Incident response: Documented procedures with 24-hour detection SLA
  • Security alerts: Real-time notifications for critical issues

Compliance & Certifications

Current Status

  • ✅ GDPR compliant (EU data protection)
  • ✅ CCPA compliant (California privacy rights)
  • ✅ SOC 2 controls implemented (80/102 controls ready)

Certification Roadmap

  • Q1 2026: Complete remaining SOC 2 controls
  • Q2 2026: SOC 2 Type I audit
  • April 2026: SOC 2 Type I certification
  • 2027: SOC 2 Type II (12 months of operation)

AI-Native Security

TeamDay uses AI agents to automate compliance and security tasks:

Security Agents

  • Log Monitor Agent: Analyzes logs every 15 minutes for anomalies
  • Vulnerability Scanner Agent: Weekly security scans of code and dependencies
  • Access Reviewer Agent: Quarterly access reviews (automated)
  • DR Drill Runner Agent: Quarterly disaster recovery testing
  • Policy Auditor Agent: Monthly compliance checks

Why AI Agents?

  • More consistent: Agents don't skip steps or forget tasks
  • Faster: Automated tasks complete in minutes vs. hours
  • 24/7 monitoring: Continuous security vigilance
  • Better documentation: Auto-generated reports with full audit trail
  • Cost effective: Save $200K+/year vs. hiring compliance team

Data Retention & Deletion

Retention Periods

  • Customer data: Retained until account deletion
  • Audit logs: 2 years (SOC 2 requirement)
  • Transaction records: 7 years (tax/legal requirement)
  • Backups: 30 days

Data Deletion

  • Soft delete: 30-day grace period (undo available)
  • Hard delete: Permanent after 30 days
  • Backup purge: Deleted data removed from backups within 60 days
  • Right to deletion: GDPR/CCPA compliant (within 30 days)

Vendor Security

All third-party vendors are vetted for security:

VendorServiceSOC 2DPAEncryption
Google (Firebase)Database, Auth
CloudflareCDN, WAF
AnthropicAI API (Claude)
OpenAIAI API (GPT)
Google AIAI API (Gemini)
PaddlePayments✅ (PCI DSS)
GitHubCode hosting

Annual vendor reviews: We verify SOC 2 reports and DPAs every January.


Incident Response

Detection

  • Automated monitoring: AI agents detect anomalies 24/7
  • User reports: security at teamday.ai (24-hour response)
  • Bug bounty: Responsible disclosure program (planned Q2 2026)

Response

  1. Detect: Log Monitor Agent or user report
  2. Assess: Engineering Lead + Security Team
  3. Contain: Block attacker, patch vulnerability
  4. Eradicate: Remove backdoors, reset credentials
  5. Recover: Restore from backup if needed
  6. Communicate: Notify affected users within 72 hours (GDPR)
  7. Post-mortem: Document lessons learned

Critical incident SLA: 1-hour detection, 4-hour containment


Responsible Disclosure

Found a security vulnerability? We want to hear from you!

How to Report

  • Email: security at teamday.ai
  • PGP: Available on our website (for sensitive reports)
  • Response time: 24 hours for acknowledgment

What We'll Do

  • Acknowledge within 24 hours
  • Fix critical bugs within 7 days
  • Credit you in security advisory (if desired)
  • Potential bug bounty reward (when program launches)

What We Ask

  • Give us 45 days to fix before public disclosure
  • Don't exploit the bug (test only)
  • Don't access others' data

Out of scope: SPF/DKIM issues, DoS requiring massive resources, social engineering, physical security


Security Training

For Employees

  • Onboarding: Security training within first week
  • Annual training: Policy updates, threat landscape, case studies
  • Phishing tests: Quarterly simulated phishing campaigns

For AI Agents

  • Policy training: Agents loaded with all security policies
  • Enforcement: Agents enforce policies automatically
  • Alerting: Agents report violations to humans

Questions?

  • General security questions: security at teamday.ai
  • Privacy questions: privacy at teamday.ai
  • Report a vulnerability: security at teamday.ai
  • Data requests (GDPR/CCPA): privacy at teamday.ai
  • Incident reports: security at teamday.ai (urgent)

Response times:

  • Critical security issues: 24 hours
  • General questions: 7 days
  • Data requests: 30 days (legal requirement)


Full Documentation

Detailed security documentation is available upon request:

  • Information Security Policy (22 pages)
  • SOC 2 Controls Matrix (102 controls)
  • Incident Response Plan (16 pages)
  • Risk Assessment (25 pages)

Contact security at teamday.ai to request access.


Last updated: December 8, 2025 Next review: December 2026



TeamDay is committed to transparency. If you have questions about our security practices, we're happy to discuss them. Contact us anytime at security at teamday.ai.