01Compliance Substrate
Four architectural commitments form the operational substrate every engagement inherits:
Full Audit Logs
Lifecycle traceability across every sensitive operation — access, modification, export — retained per contract and regulatory requirements.
Data Isolation
Tenant-bound, network-segregated storage. Customer data does not commingle across engagements. No shared-database multi-tenancy for sensitive workloads.
Jurisdiction Scoping
Engagements bound to a specific geographic posture via contract. China-only engagements stay on Tencent Cloud China region; global engagements per scope.
Permission Routing
Tier-gated access control. Operators see only the scope authorized for their tier and engagement. Default-deny; explicit grant per role.
02Certifications & Frameworks
We disclose certification status accurately. Frameworks marked "alignment in progress" are not yet awarded; we will update this page when audits complete.
"Aligned" = our architecture and operations conform to the framework's requirements. "In Progress" = active engagement with auditors, certificate not yet issued. We do not claim certifications we have not earned.
03Data Residency
Data residency is bound by engagement contract:
- China-resident engagements — Tencent Cloud China region. No cross-border egress for processing or storage.
- Global engagements — primary infrastructure scoped per contract (AWS / GCP regions disclosed at contracting).
- Cross-border transfers — governed by Standard Contractual Clauses (where applicable) or jurisdiction-specific equivalents.
04Access Control
- SSO with major identity providers (Google, LinkedIn, Apple) for user authentication.
- Password-less primary flow via email magic link; no password storage.
- Multi-factor authentication available; required for elevated roles.
- Tiered role-based access (Expert tiers L1-L4 / Customer / Admin / Operator) with default-deny.
- Quarterly access review for elevated roles; offboarding within 24 hours of role change.
05Encryption
- TLS 1.2+ for all data in transit; HSTS enforced site-wide.
- AES-256 encryption at rest for all customer data and Expert work product.
- Key management via cloud KMS with rotation per policy.
- Sensitive engagement payloads support customer-managed keys (CMK) on request.
06Audit & Logging
Audit logs capture:
- Authentication events (sign-in, sign-out, failed attempts).
- Authorization decisions (access granted, access denied, tier escalation).
- Data operations (read, write, export, delete) on sensitive tables.
- Administrative actions (role assignment, permission change, tenant configuration).
Logs are immutable, retained per regulatory requirement, and exportable to customers under contract.
Testing & assurance cadence
- Quarterly internal vulnerability scanning across application, infrastructure, and dependency surfaces (SAST, DAST, SCA).
- Annual third-party penetration testing of the production environment, including web application, API, and authentication paths.
- Continuous secret & dependency scanning on every commit via CI.
- Annual access review of all elevated roles; quarterly review of customer-tenant access.
- Penetration-test summary reports and scan attestations are available to enterprise customers under NDA on request to security@teehooai.com.
07Incident Response
We maintain an incident response process with defined severity levels and notification timelines:
- P0 (Critical) — customer notification within 24 hours; regulator notification per requirement.
- P1 (High) — customer notification within 72 hours.
- P2 / P3 — incorporated into monthly customer reports.
Regulatory breach notification
- GDPR Art. 33 / UK GDPR Art. 33. For engagements where Teehoo AI acts as a processor and the customer is a controller subject to EU / UK GDPR, we notify the controller without undue delay and in any event within 24 hours of becoming aware of a personal data breach. Notification includes the categories and approximate number of data subjects affected, the categories and approximate number of records affected, likely consequences, and remediation measures taken — providing the controller the information needed to meet its own 72-hour regulator notification obligation.
- GDPR Art. 34. Where direct communication to data subjects is required, Teehoo AI supports the controller in drafting and dispatching the notice.
- CCPA / CPRA. Affected California residents are notified consistent with California Civil Code §1798.82; the California Attorney General is notified where the breach affects more than 500 California residents.
- PIPL / DSL. For China-region engagements, we notify the controller and (where required) the relevant supervisory authority on the timeline mandated by Articles 57 of PIPL and equivalent DSL provisions.
- State / sectoral law. US state and sectoral breach-notification laws (HIPAA, GLBA, etc.) are followed where applicable to a specific engagement.
Post-incident: root-cause analysis, remediation, customer-facing post-mortem within 30 days, and disclosure of structural changes incorporated into subsequent audit cycles.
08Sub-processors & Vendors
Material sub-processors are listed in the engagement DPA. Categories of vendors include cloud infrastructure, payment processing, identity verification, and customer communication. All sub-processors operate under data-processing agreements with confidentiality, security, and compliance flow-down obligations. Customers receive notice of material changes per contract.
09Vulnerability Disclosure
If you discover a security vulnerability, please disclose responsibly:
Encrypted transport: a PGP public key will be published at teehooai.com/.well-known/security.txt before the public bug-bounty launch. In the interim, sensitive material may be sent in plaintext to the security mailbox; we will provide a one-time key for encrypted follow-up upon initial acknowledgment.
Response: initial acknowledgment within 48 hours; resolution timeline communicated per severity.
Safe harbor: we will not pursue legal action against good-faith researchers acting within the scope of this policy. No public disclosure during the remediation window.
Bug bounty: formal program in design; we will publish scope, rewards, and PGP fingerprint when launched.
10Business Continuity & Backup
We operate the platform with continuity targets sized to the contractual commitments in the engagement contract. Default architectural posture:
- Recovery Time Objective (RTO). 24 hours for full restoration of platform-level services from a regional outage; engagement-specific RTO may be tightened per contract.
- Recovery Point Objective (RPO). 4 hours for transactional data; engagement-specific RPO may be tightened per contract.
- Backup cadence. Continuous transaction-log shipping for primary databases; daily full snapshot retained 30 days; weekly cold archive retained 12 months. Backup integrity is validated by automated restore drills.
- Geographic redundancy. Production data is replicated across at least two availability zones within the engagement's bound region. Cross-region replication is enabled only where the engagement contract authorizes it (cross-border posture per §03 Data Residency).
- Backup encryption. Backups inherit the at-rest encryption posture of the primary store (AES-256 with KMS-managed keys); cold-archive backups are stored in immutable, write-once buckets to resist ransomware.
- DR exercise. Annual disaster-recovery tabletop exercise; restore-from-backup validation at minimum quarterly. Results are summarized to enterprise customers under NDA on request.
- China-region engagements. Backup posture is mirrored on Tencent Cloud China region with no cross-border egress; same RTO / RPO targets apply.
11Contact
- Security disclosures: security@teehooai.com
- Compliance & audits: compliance@teehooai.com
- Privacy: privacy@teehooai.com
- General legal: legal@teehooai.com