DRAFT · v1.0Pending counsel review. Not legally binding until effective date stated below. Last revised May 20, 2026.
Legal · Security & Compliance

Security & Compliance

Compliance is infrastructure, not paperwork. This page describes the controls we operate today, the certifications we're pursuing, and how to report vulnerabilities — disclosed accurately, never inflated.

Last updated:May 20, 2026 Version:v1.0 Disclosures:security@teehooai.com

01Compliance Substrate

Four architectural commitments form the operational substrate every engagement inherits:

01 · Audit

Full Audit Logs

Lifecycle traceability across every sensitive operation — access, modification, export — retained per contract and regulatory requirements.

02 · Isolation

Data Isolation

Tenant-bound, network-segregated storage. Customer data does not commingle across engagements. No shared-database multi-tenancy for sensitive workloads.

03 · Cross-border

Jurisdiction Scoping

Engagements bound to a specific geographic posture via contract. China-only engagements stay on Tencent Cloud China region; global engagements per scope.

04 · Routing

Permission Routing

Tier-gated access control. Operators see only the scope authorized for their tier and engagement. Default-deny; explicit grant per role.

02Certifications & Frameworks

We disclose certification status accurately. Frameworks marked "alignment in progress" are not yet awarded; we will update this page when audits complete.

FrameworkScopeStatus
SOC 2 Type IIGlobal operationsIn Progress
ISO 27001Information security mgmtIn Progress
GDPREU data subjectsAligned
CCPA / CPRACalifornia residentsAligned
PIPL · 个人信息保护法China residentsAligned
DSL · 数据安全法China data operationsAligned
HIPAAUS healthcare dataNot in scope
PCI DSSCard data — not handledNot applicable

"Aligned" = our architecture and operations conform to the framework's requirements. "In Progress" = active engagement with auditors, certificate not yet issued. We do not claim certifications we have not earned.

03Data Residency

Data residency is bound by engagement contract:

04Access Control

05Encryption

06Audit & Logging

Audit logs capture:

Logs are immutable, retained per regulatory requirement, and exportable to customers under contract.

Testing & assurance cadence

07Incident Response

We maintain an incident response process with defined severity levels and notification timelines:

Regulatory breach notification

Post-incident: root-cause analysis, remediation, customer-facing post-mortem within 30 days, and disclosure of structural changes incorporated into subsequent audit cycles.

08Sub-processors & Vendors

Material sub-processors are listed in the engagement DPA. Categories of vendors include cloud infrastructure, payment processing, identity verification, and customer communication. All sub-processors operate under data-processing agreements with confidentiality, security, and compliance flow-down obligations. Customers receive notice of material changes per contract.

09Vulnerability Disclosure

If you discover a security vulnerability, please disclose responsibly:

Email: security@teehooai.com
Encrypted transport: a PGP public key will be published at teehooai.com/.well-known/security.txt before the public bug-bounty launch. In the interim, sensitive material may be sent in plaintext to the security mailbox; we will provide a one-time key for encrypted follow-up upon initial acknowledgment.
Response: initial acknowledgment within 48 hours; resolution timeline communicated per severity.
Safe harbor: we will not pursue legal action against good-faith researchers acting within the scope of this policy. No public disclosure during the remediation window.
Bug bounty: formal program in design; we will publish scope, rewards, and PGP fingerprint when launched.

10Business Continuity & Backup

We operate the platform with continuity targets sized to the contractual commitments in the engagement contract. Default architectural posture:

11Contact