SECURITY & DATA RESIDENCY · v1.1 · MAY 2026

Where the data lives, who can see it, and what we do to keep it safe.

Teho is a UK-based service handling team-level operational data. The security posture is calibrated to that.

← Back to teho.ai Visit the Trust Centre

Status: Public security summary aligned to Teho's Trust Centre source model. Deployment-specific subprocessors, data categories, regions, and transfer mechanisms are named before contract signature.

Data residency

The Activity Analysis baseline runs on UK-hosted managed cloud infrastructure, including Google Cloud services in UK regions for API/worker execution, event/configuration data, object storage, and runtime secrets.

Where a deployment enables optional evidence paths, such as screenshots, semantic evidence, or LLM classification, the relevant vendor, data category, region, and transfer mechanism are named in the deployment-specific subprocessor list and DPA. Clients can disable screenshot capture or request a deployment path without LLM classification where required.

Encryption

In transit: TLS 1.3 for all interfaces; mTLS between internal services.
At rest: managed cloud encryption for databases and object storage.
Secrets: runtime credentials are managed through secret-management tooling rather than source control.

Access

Engagement data is accessible only to the named Teho team for that Study. Ingest, reporting, and admin endpoints require authenticated tokens; administrative and service actions are audit logged.

Operational controls

Protected service layer

Ingest, reporting, and admin endpoints are rate-limited, payload size caps are enforced, and service access requires authenticated tokens.

Deployment controls

Device-scoped tokens can be bound to a specific device and deployment. Scope and removal are managed through the client's deployment tooling.

Recoverability

The production baseline includes monitoring, alerting, automated database backups, point-in-time recovery, and storage lifecycle controls.

Config governance

Capture policy, privacy guard rules, screenshot mode, semantic policy, and retention settings are reviewable and agreed before rollout.

Incident response

24-hour breach notification to client sponsors, in writing. Defined incident-response runbooks; on-call rotation. Post-incident reports include root cause and remediation, shared with affected clients without redaction.

Audit reports

Security questionnaires, subprocessor lists, deployment field references, and data-flow summaries are shared during scoping and onboarding. Public Trust Centre materials explain the control model at summary level; client-specific deployment materials define the actual controls for a Study.

Contact

Security questions and vulnerability disclosure: security@teho.ai. Privacy questions: info@teho.ai.