Security at Teamtastic

Your workspace is invite-only by default. Every API request is scoped to your organization so data does not leak across tenants.

Access and roles

  • Email invites with expiring tokens; accounts are locked to the invited address
  • Three roles: Director (org owner), Manager, and Member, enforced on every endpoint
  • Members execute work; Directors configure integrations, wiki policy, and org-wide feature flags

Marketing site (teamtastic.net)

  • Static pages served over HTTPS with security headers (strict CSP without inline scripts, HSTS, frame protection, nosniff)
  • Aggregate analytics via Google Analytics only; no ad networks. Cookie details are in the Privacy Policy
  • No workspace data is stored on the marketing site

Data protection

  • TLS in transit; HttpOnly session cookies
  • Passwords hashed with bcrypt; optional SSO where your org enables it
  • File uploads via time-limited signed URLs to Cloudflare R2
  • Outbound webhooks signed with HMAC; inbound webhooks have their signatures validated before they are processed
  • Rate limiting on sensitive endpoints such as login and invite acceptance
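The following is an added illustration of HMAC webhook signing and verification, not Teamtastic's own code: the page does not publish the wire format, so the header names, the "v1=" prefix, the "timestamp.body" signing input and the 300-second replay window are all assumptions. It shows the sending side attaching a timestamp and signature, and the receiving side rejecting stale, tampered or unsigned requests using a constant-time comparison. Accepting a list of secrets lets a receiver keep verifying through a secret rotation, which is what "can be rotated from Settings" requires on the integration side.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

# Assumed signature scheme (not Teamtastic's documented format):
#   X-Teamtastic-Timestamp: <unix seconds>
#   X-Teamtastic-Signature: v1=<hex HMAC-SHA256 over "<timestamp>.<raw body>">
SIGNATURE_HEADER = "X-Teamtastic-Signature"
TIMESTAMP_HEADER = "X-Teamtastic-Timestamp"
MAX_SKEW_SECONDS = 300  # assumed replay window


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Signature the sender attaches to an outbound webhook.

    Binding the timestamp into the MAC means an attacker cannot take a
    captured body and re-send it with a fresh timestamp.
    """
    msg = str(timestamp).encode("ascii") + b"." + body
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return "v1=" + digest


def build_outbound_request(secret: bytes, event: dict,
                           now: Optional[int] = None) -> Tuple[Dict[str, str], bytes]:
    """Sender side: serialise the event once and sign exactly those bytes."""
    now = int(time.time()) if now is None else now
    # The receiver must verify the raw bytes it received, not a re-serialised
    # copy; any canonicalisation difference would break verification.
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        TIMESTAMP_HEADER: str(now),
        SIGNATURE_HEADER: sign_payload(secret, now, body),
    }
    return headers, body


def verify_inbound_request(secrets: List[bytes], headers: Dict[str, str],
                           body: bytes, now: Optional[int] = None) -> bool:
    """Receiver side: accept only fresh, correctly signed requests.

    `secrets` can hold the previous and the current secret so that delivery
    keeps working during a rotation overlap; each candidate is checked with a
    constant-time comparison.
    """
    now = int(time.time()) if now is None else now
    ts_raw = headers.get(TIMESTAMP_HEADER)
    sig = headers.get(SIGNATURE_HEADER)
    if ts_raw is None or sig is None:
        return False
    try:
        ts = int(ts_raw)
    except ValueError:
        return False
    # Replay protection: a captured request is useless once the window passes.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False
    # compare_digest does not leak how many leading bytes matched.
    return any(hmac.compare_digest(sign_payload(s, ts, body), sig) for s in secrets)


if __name__ == "__main__":
    # Constructed sample event and secret for a stand-alone run.
    secret = b"constructed-demo-secret"
    sent_at = 1_700_000_000
    headers, body = build_outbound_request(
        secret, {"event": "task.created", "task_id": 42}, now=sent_at)
    print("fresh, intact :", verify_inbound_request([secret], headers, body, now=sent_at + 30))
    print("tampered body :", verify_inbound_request([secret], headers, body + b" ", now=sent_at + 30))
    print("replayed later:", verify_inbound_request([secret], headers, body, now=sent_at + 3600))
```

Two details matter more than the MAC itself: the receiver must hash the raw request body before any JSON parsing or re-encoding, and the timestamp check has to be applied before the comparison so an old capture is rejected even if its signature is valid.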

AI and third parties

AI features are opt-in per user or org. When enabled, only the context needed for that action (for example a task title or thread summary) is sent to our model provider. We do not train models on your workspace content. Integration credentials (webhook secrets and inbound email tokens) are stored encrypted and can be rotated from Settings.

Full legal detail is in our Privacy Policy. Report a concern: security@teamtastic.net.