Security

Security at TeamContext

How we protect your data and your team's privacy.

Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). API keys and secrets are stored using one-way hashing.

Access Control

Row-level security on all team-scoped data. Role-based permissions (owner, admin, member). Optional 2FA with TOTP and recovery codes.

No Source Code Access

TeamContext captures metadata and AI-generated summaries only. Raw source code never leaves your machine or enters our systems.

Infrastructure

Hosted on isolated, hardened infrastructure. PostgreSQL with partitioned tables. Automated backups to encrypted S3 storage.

Authentication & Identity

TeamContext supports multiple authentication methods:

  • Email/password with bcrypt hashing and configurable password policies
  • OAuth 2.0 via GitHub and Google
  • Two-factor authentication (2FA) using TOTP with recovery codes
  • SSO/SAML available on Enterprise plans

JWT tokens are short-lived (15 minutes) with secure refresh token rotation. Rate limiting protects all authentication endpoints.

API Security

  • Global rate limiting (60 requests/minute) with stricter limits on auth endpoints
  • Input validation on all endpoints with class-validator
  • CORS configured per environment
  • Helmet.js security headers
  • Webhook signature verification (Stripe)

Data Handling

  • Row-Level Security (RLS) ensures teams can only access their own data
  • UUID v7 for all record identifiers (time-ordered, non-guessable)
  • Partitioned tables for high-volume data with automatic retention
  • Soft-delete patterns where data recovery may be needed

Enterprise Security

Enterprise plans include additional security controls:

  • SSO/SAML integration with your identity provider
  • Comprehensive audit logging
  • Custom data retention policies
  • Dedicated customer success manager
  • SOC 2 Type II compliance

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly by emailing security@teamcontext.ai. We commit to:

  • Acknowledging your report within 24 hours
  • Providing regular updates on our investigation
  • Not pursuing legal action against good-faith reporters