Security Overview
Teela is built on the principle that your data is yours. As a multi-tenant SaaS platform that connects to your databases for natural-language analytics, security is foundational to every layer of our architecture. This document provides an overview of Teela's security posture for IT teams and security professionals evaluating the platform.
Security Philosophy
Teela's security program is guided by three core principles:
- Defense in depth. No single control is relied upon in isolation. Multiple overlapping safeguards protect data at every tier of the stack, from network transport to application logic to cryptographic storage.
- Least privilege. Every user, service, and connection operates with the minimum permissions necessary to perform its function. Database connections are read-only. Users see only the connections assigned to them. Administrative capabilities are scoped by role.
- Data isolation. Customer data stays in customer databases. Teela does not copy, replicate, or warehouse your data. Credentials and metadata are encrypted with dedicated per-connection keys and isolated at the application layer through multi-tenant scoping.
Architecture Overview
Teela is a multi-tenant SaaS platform hosted on Microsoft Azure:
| Component | Technology | Hosting |
|---|---|---|
| Backend API | Python / Flask | Azure App Service |
| Frontend | React (TypeScript) | Azure Static Web Apps |
| Application Database | MySQL | Azure-managed MySQL |
| Customer Databases | SQL Server, MySQL, PostgreSQL, Google Sheets, Excel, CSV | Customer-hosted or third-party |
| Vector Database | Qdrant | Managed instance |
| Error Monitoring | Sentry | Centralized logging |
All communication between components is encrypted with TLS 1.2 or higher. The backend enforces strict CORS whitelisting, security headers, and CSRF protection on every request. The frontend is built with strict TypeScript and sanitizes all rendered content with DOMPurify.
Data Handling Model
Teela's approach to customer data is fundamentally conservative:
- Customer data stays in customer databases. Teela queries your databases in real time and returns results directly. Your data is not copied into Teela's infrastructure.
- Read-only access. Teela connects to customer databases with read-only permissions. It cannot insert, update, or delete records in your systems.
- Encrypted credentials. All database connection credentials are encrypted at rest using AES-256-GCM with Argon2id key derivation. Credentials are never exposed in plaintext outside of the active connection context.
- File uploads are the exception. When users connect file-based sources (Google Sheets, Excel, CSV), the data is cached locally in an isolated SQLite database scoped to that connection. This is the only scenario in which customer data resides on Teela infrastructure.
For full details on data handling, classification, and privacy controls, see Data Protection.
Security Domains
Teela's security controls span four primary domains, each documented in detail:
Access Control
Role-based access control (RBAC) with four distinct roles, connection-level authorization, multi-factor authentication via Passkeys (WebAuthn/FIDO2), and configurable password policies including account lockout and expiration. Authentication uses token-based API keys with bcrypt hashing and automatic expiration.
Encryption
AES-256-GCM encryption for all sensitive data at rest, TLS 1.2+ for all data in transit, Argon2id key derivation, and per-connection encryption of schema metadata and training data. Tiered data exposure levels ensure credentials are never displayed in plaintext outside of system-level operations.
Data Protection
Data classification (Confidential, Internal, Public), input validation via Pydantic and parameterized queries, XSS and CSRF protection, file upload validation, GDPR data subject rights support, and multi-tenant isolation scoped by client and connection identifiers.
Slack Integration
When your client admins connect a Slack workspace, Teela stores the bot OAuth token encrypted at rest with the same AES-256-GCM envelope encryption used for database credentials. Every incoming request from Slack is verified against the Slack signing secret before Teela processes it. User authentication relies on matching the user's Slack profile email against their Teela account email, so anyone without the matching login cannot impersonate them.
Policy Review Cadence
| Review | Frequency |
|---|---|
| Security policy review | Annual |
| Access reviews | Quarterly |
| Encryption key rotation | Annual (immediate if compromised) |
| Incident response plan testing | Annual |
| Password policy evaluation | Annual |
Security Inquiries
For security-related questions, to request a copy of Teela's security documentation, or to report a vulnerability, contact the Teela security team at security@teela.com.