Security and Privacy
Teckel AI is built with enterprise security requirements in mind. This document outlines our security practices, data handling, and third-party services.
Infrastructure
Hosting: US-based cloud infrastructure via AWS (through Vercel and Supabase)
Encryption:
- All data encrypted in transit using TLS 1.2+
- All data encrypted at rest using AES-256
Authentication and Access Control
Identity Management: Powered by WorkOS
- Enterprise SSO support (SAML, OIDC)
- Directory sync with identity providers
- Multi-factor authentication (MFA)
- Session management with secure token handling
Authorization:
- Role-based access control (Owner, Admin, Member)
- Organization-level data isolation
- API keys scoped to individual organizations
- Invitation-based team member onboarding
Data Isolation
Your data is strictly separated from other customers:
- Row-Level Security (RLS): PostgreSQL policies enforce data isolation at the database level. Every query is automatically scoped to your organization.
- Organization Scoping: All API requests are validated against your organization membership before any data access.
- API Key Isolation: Each API key is bound to a single organization and cannot access other organizations' data.
API Security
Authentication:
- API keys are hashed using SHA-256 before storage
- Keys are never stored in plaintext and cannot be retrieved after creation
- Keys can be revoked instantly from the dashboard
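An added illustration of the key-handling model described above (SHA-256 hash stored, plaintext shown once, instant revocation, one key per organization). This is example code, not Teckel's implementation; the `tk_` prefix, the `key_id`, and the in-memory dict standing in for the database table are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class KeyRecord:
    key_id: str        # public identifier used for revocation in a dashboard (assumed)
    org_id: str        # the single organization this key is bound to
    key_hash: str      # hex SHA-256 of the full key; the plaintext is never stored
    prefix: str        # short visible prefix so users can tell keys apart
    revoked: bool = False


@dataclass
class KeyStore:
    # Stands in for the database table, indexed by key hash like a UNIQUE column.
    by_hash: dict = field(default_factory=dict)

    def create_key(self, org_id: str) -> tuple[str, str]:
        """Mint a key and return (key_id, plaintext). The plaintext is shown once."""
        raw = "tk_" + secrets.token_urlsafe(32)  # constructed format, ~256 bits of entropy
        digest = hashlib.sha256(raw.encode()).hexdigest()
        key_id = secrets.token_hex(8)
        self.by_hash[digest] = KeyRecord(key_id, org_id, digest, raw[:8])
        return key_id, raw

    def resolve_org(self, presented: str):
        """Return the org_id for a valid, unrevoked key, else None."""
        digest = hashlib.sha256(presented.encode()).hexdigest()
        rec = self.by_hash.get(digest)
        if rec is None or rec.revoked:
            return None
        # The lookup already matched; compare_digest keeps the final equality
        # check free of early-exit timing differences.
        return rec.org_id if hmac.compare_digest(rec.key_hash, digest) else None

    def revoke(self, key_id: str) -> bool:
        """Revoke by public id; takes effect on the next request."""
        for rec in self.by_hash.values():
            if rec.key_id == key_id:
                rec.revoked = True
                return True
        return False


def authorize(store: KeyStore, presented: str, requested_org: str) -> bool:
    """A key must be valid AND bound to the organization the request targets."""
    org = store.resolve_org(presented)
    return org is not None and org == requested_org
```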
Request Validation:
- Schema validation on all API inputs
- Request size limits to prevent abuse
- Content-type enforcement
Rate Limiting:
- Per-key rate limits prevent abuse
- Graduated limits based on plan tier
- Retry headers on rate-limited responses so SDK integrations can back off automatically
CSRF Protection:
- Origin validation on all state-changing requests
- Secure session cookies with SameSite attributes
Data Privacy
Your Data, Your Ownership:
- You retain full ownership of all data you submit to Teckel
- We do not sell, share, or monetize customer data
- Data is used solely to provide and improve our services to you
Data Portability:
- Request complete data deletion upon account closure
Data Retention
Retention periods depend on your plan:
| Plan | Retention |
|---|---|
| Starter | 30 days |
| Growth | 90 days |
| Enterprise | Custom (up to indefinite) |
Enterprise customers can configure custom retention policies and request early deletion.
SDK Security
The Teckel SDK is designed for production environments:
- Non-blocking: Trace submission never blocks your application's critical path
- Graceful degradation: If Teckel is unreachable, your application continues normally
- Timeout protection: Configurable timeouts (default 5 seconds) prevent hanging requests
- No sensitive data logging: SDK debug mode never logs API keys or sensitive payloads
Subprocessors
Teckel uses the following third-party services to support our platform:
| Service | Purpose | Data Processed |
|---|---|---|
| Vercel | Application hosting | Request logs, application state |
| Supabase | Database hosting | All trace data, organization data, user profiles |
| WorkOS | Authentication and identity | User emails, names, organization memberships |
| Modal | ML model hosting and subprocessing | Classifier training data |
| OpenAI | Embeddings and AI evaluation | Queries, responses, document chunks |
| Anthropic | AI evaluation | Queries, responses, other SDK-sent data via Teckel Analyst |
| Google Cloud | OAuth, Drive connector | Queries, responses, connected Drive file metadata |
| Stripe | Payment processing | Billing information, payment methods |
| Sentry | Error monitoring | Application errors |
| Upstash | Rate limiting | Rate-limit state (Redis) |
| Slack | Notifications connector | Daily recap summaries (when configured) |
| Resend | Communications | Sending emails to you |
Security Best Practices for Customers
API Key Management:
- Store API keys in environment variables, never in code
- Use separate keys for development and production
- Rotate keys periodically and revoke unused keys
- Never expose keys in client-side code or public repositories
Data Minimization:
- Only send data necessary for your use case
- Avoid including PII in traces unless required for your evaluations
- Use session IDs instead of user identifiers when possible
Contact
Security Concerns: Report vulnerabilities or security issues to support@teckel.ai
We take all security reports seriously and will respond as quickly as possible.