# Understanding the TeamWins Security Model
TeamWins keeps security simple: every teammate joins as a Member, a small set of trusted folks get Reviewer access to verify outcomes, and only a handful of Admins can change settings or invite others. Below is a practical way to maintain the principle of least privilege inside your workspace.
---
## Core Role Permissions
### Member (default)
- Submit assists, earn points, and claim perks
- View their own activity, team leaderboards (unless anonymized), and shared dashboards
- No access to workspace settings, billing, or approval queues
### Reviewer (assign sparingly)
- Everything a Member can do
- Approve or request changes on outcome steps in the Approvals queue
- Approve perk claims that require manual review
- Cannot edit workspace settings, change roles, or see billing
### Admin (limit to a few people)
- Manage workspace configuration (Settings → Workspace → Advanced)
- Invite, remove, and promote teammates (Admin → Members)
- Configure perks, approvals, and billing/plan details
- Access the full admin dashboard and exports
---
## Recommended Reviewer Practices
- Align reviewers with their function (e.g., sales managers for sales outcomes, HR for hiring).
- Keep reviewer lists short and name a fallback reviewer for coverage.
- Review the Approvals queue frequently, leave notes when requesting rework, and avoid approving your own submissions.
- Escalate suspicious or out-of-scope items to an Admin instead of overriding policy.
### Illustrative Ratios
- Large team (~50 contributors): 1–2 reviewers per function
- Mid-size function (~20 collaborators): 1 reviewer, 1 backup
- Small group (<15 people): 1 reviewer is typically enough
---
## Quarterly Access Review
Set a recurring reminder to confirm permissions stay accurate:
- Audit users: Export the member list and remove anyone who has left the company or has been inactive for ~60 days.
- Validate roles: Confirm reviewer assignments still match job duties, and reduce reviewer counts where possible.
- Check admins: Keep admin access to the bare minimum (usually 1–3 people).
- Document changes: Keep a short log of what changed and why (include date, reviewer, and action taken).
### Template

Quarterly Access Review – Q[X] [Year]

Date: [Date]

Reviewer: [Admin Name]

Updates:
- Removed: [Name], reason
- Role changes: [Name] → [Role], reason
- New reviewers/admins: [Names], reason

Notes:
- [Any findings or follow-up tasks]

Next review due: [Date + 3 months]
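
The audit and admin checks above can be scripted against the exported member list. This is an added example, not TeamWins code: the CSV column names (`email`, `role`, `last_active`), the HR roster, and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

INACTIVE_DAYS = 60  # page guidance: inactive for ~60 days
MAX_ADMINS = 3      # page guidance: usually 1-3 admins

# Constructed sample export. Column names are assumed for this example,
# not taken from TeamWins' actual export format.
SAMPLE_EXPORT = """email,role,last_active
ana@example.com,Admin,2025-03-28
ben@example.com,Admin,2025-03-30
cho@example.com,Admin,2025-01-05
dev@example.com,Admin,2025-03-15
eli@example.com,Admin,2025-03-20
fay@example.com,Reviewer,2025-03-31
gus@example.com,Reviewer,2025-03-10
hal@example.com,Member,
ivy@example.com,Member,2025-03-01
"""
# Constructed HR roster of current staff (gus has left the company).
SAMPLE_STAFF = {f"{n}@example.com" for n in
                ("ana", "ben", "cho", "dev", "eli", "fay", "hal", "ivy")}

def review_access(export_csv, current_staff, today):
    """Flag removals, then count privileged roles among accounts that remain."""
    staff = {e.strip().lower() for e in current_staff}
    result = {"remove": [], "admins": [], "reviewers": []}
    for row in csv.DictReader(io.StringIO(export_csv)):
        email = row["email"].strip().lower()
        last_active = (row["last_active"] or "").strip()
        # Assumption: a blank last_active means no activity was ever recorded.
        idle = (today - date.fromisoformat(last_active)).days if last_active else None
        if email not in staff:
            result["remove"].append((email, "left the company"))
        elif idle is None:
            result["remove"].append((email, "no recorded activity"))
        elif idle > INACTIVE_DAYS:
            result["remove"].append((email, f"inactive {idle} days"))
        elif row["role"].strip().lower() == "admin":
            result["admins"].append(email)
        elif row["role"].strip().lower() == "reviewer":
            result["reviewers"].append(email)
    # Admins are counted after removals, so a stale admin does not mask the total.
    result["too_many_admins"] = len(result["admins"]) > MAX_ADMINS
    return result

if __name__ == "__main__":
    report = review_access(SAMPLE_EXPORT, SAMPLE_STAFF, date(2025, 4, 1))
    for email, reason in report["remove"]:
        print(f"Removed: {email}, {reason}")
    print("Admins remaining:", report["admins"], "over limit:", report["too_many_admins"])
```

The removal lines it prints match the "Removed: [Name], reason" entries in the template, so they can be pasted into the review log.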
---
## Workspace Settings That Help Security
Visit Settings → Workspace → Advanced to tune access and discovery:
- Incognito mode: Hide the workspace from public discovery; only invite links or admin-approved join requests work.
- Auto-approve join requests: Leave this off if you want admins to vet every new teammate.
- Auto-approve outcomes / perks: Use cautiously. Auto-approve only low-risk outcomes or perks; keep manual review when a human check is important.
- Leaderboard anonymity: Allow individuals to hide their names, or enforce anonymity for the entire workspace.
---
## Handling Issues Quickly
If something looks off — strange approvals, unexpected login activity, or a compromised account:
1. Demote or remove the account immediately (Admin → Members).
2. Reset passwords via your company’s identity provider (TeamWins supports email/password or SSO).
3. Check recent approvals/perk claims for anomalies and revoke points if needed.
4. Document what happened and reach out to Support (hello@teamwins.co) if data access might have occurred.
---
## Day-to-Day Security Habits
- Keep reviewer lists lean and aligned with current responsibilities.
- Immediately remove or demote people who leave a function or the company.
- Leave auto-approve features off by default — turn them on only when clearly low-risk.
- Encourage everyone to use strong passwords or SSO and to report suspicious activity immediately.
---
Applying these practices (keeping Members as the default, assigning Reviewers intentionally, and limiting Admins) keeps your TeamWins workspace secure without slowing down collaboration.