Security & Privacy

SSO, SCIM, audit logs, data residency options, and DPAs for enterprise.

# TeamWins Privacy & Safety Framework

TeamWins runs on a modern stack — frontend on Vercel, data services on Supabase, and infrastructure hosted on AWS systems in the European Union. Here’s how that combination keeps customer data private, compliant, and resilient.

---

1. Hosting Footprint

Application Delivery

  • Vercel serves the web app over HTTPS with automatic TLS and global CDN caching, ensuring end-to-end encryption.
  • Cached assets never contain customer secrets.

Data Layer

  • Supabase (PostgreSQL + storage + auth) is provisioned in AWS EU regions.
  • Databases, storage buckets, and serverless functions stay within the EU boundary, meeting GDPR data-location requirements.

Edge Functions

  • Approval and notification workloads execute via Supabase Edge Functions in EU regions, reducing data travel while keeping response times fast.

---

2. Data Protection Controls

  • Encryption Everywhere: TLS 1.2+ for data in transit and AES-256 encryption at rest (managed by Supabase/AWS). Object storage uses signed URLs that expire automatically.
  • Row Level Security (RLS): Every table in Supabase is protected with RLS policies. Users only access records tied to their workspace and role—no shared “superuser” keys in the browser.
  • Secrets Management: Environment variables (API keys, service tokens) are stored securely in Vercel/Supabase secret stores.
  • Daily Snapshots & Point-in-Time Recovery: Supabase maintains continuous backups, enabling restores to any point in time to prevent data loss.

---

3. Role-Based Access & Safety Features

  • Role Hierarchy: Admins, reviewers, and members each have scoped permissions enforced by Supabase policies.
  • Least Privilege in the App: UI routes verify both the workspace role and Supabase session claims before showing sensitive panels (e.g., Admin → Members or Approvals).
  • Audit-Friendly Approvals: Every approval or perk decision logs timestamps, reviewer IDs, notes, and status changes for compliance visibility.
  • Anonymity Controls: Workspaces can force leaderboard anonymity or allow users to opt in individually.
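The RLS and role-hierarchy bullets above describe the server-side control that actually decides who can read or change a row; the UI route checks in "Least Privilege in the App" only decide what is shown. As an added example (not TeamWins' own schema or policies), the following Supabase-style SQL shows what "records tied to their workspace and role" looks like in practice: a membership table, an approvals table, RLS enabled on both, and policies that scope reads to workspace members and status changes to admins or reviewers. The table and column names are assumed; `auth.uid()` and `auth.users` are Supabase's built-in function and table for the calling user.

```sql
-- Added example, not TeamWins' own schema. Table and column names are assumed.

-- Membership: which user belongs to which workspace, and with what role.
create table if not exists workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null references auth.users (id),
  role         text not null check (role in ('admin', 'reviewer', 'member')),
  primary key (workspace_id, user_id)
);

-- Approval records live inside one workspace and carry reviewer metadata.
create table if not exists approvals (
  id            uuid primary key default gen_random_uuid(),
  workspace_id  uuid not null,
  submitted_by  uuid not null references auth.users (id),
  reviewer_id   uuid references auth.users (id),
  status        text not null default 'pending',
  notes         text,
  created_at    timestamptz not null default now(),
  updated_at    timestamptz not null default now()
);

-- Enabling RLS is the step that makes the policies below apply. Until it is
-- on, any client holding the project's anon key can read every row.
alter table workspace_members enable row level security;
alter table approvals enable row level security;

-- Helper: is the calling user (auth.uid()) a member of the given workspace?
-- security definer lets the policy consult workspace_members without
-- recursing into that table's own RLS; search_path is pinned for safety.
create or replace function is_workspace_member(ws uuid)
returns boolean
language sql security definer stable
set search_path = public
as $$
  select exists (
    select 1 from workspace_members
    where workspace_id = ws and user_id = auth.uid()
  );
$$;

-- A user may read only their own membership rows.
create policy "members read own membership" on workspace_members
  for select using (user_id = auth.uid());

-- Any member of a workspace may read the approvals in that workspace.
create policy "workspace members read approvals" on approvals
  for select using (is_workspace_member(workspace_id));

-- A member may submit an approval only into a workspace they belong to,
-- and only as themselves (submitted_by cannot be spoofed).
create policy "members submit own approvals" on approvals
  for insert with check (
    submitted_by = auth.uid() and is_workspace_member(workspace_id)
  );

-- Only admins or reviewers of that workspace may change an approval, and the
-- row must still belong to the same workspace after the update.
create policy "reviewers decide approvals" on approvals
  for update
  using (
    exists (
      select 1 from workspace_members m
      where m.workspace_id = approvals.workspace_id
        and m.user_id = auth.uid()
        and m.role in ('admin', 'reviewer')
    )
  )
  with check (is_workspace_member(workspace_id));
```

Because no policy grants `delete`, enabling RLS denies it outright for ordinary sessions, which matches an "audit-friendly" approval log where decisions are appended and updated rather than erased. The same policies can be exercised from the integration tests mentioned under Security Reviews by running queries as two different authenticated users and asserting that a member of workspace A receives zero rows from workspace B.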

---

4. Incident Readiness

  • Monitoring & Alerting: Supabase logs, Vercel analytics, and error reporting run continuously. Any spikes or failures trigger alerts to the ops team.
  • Backup & Rollback Plan: Policy scripts and database migrations are version-controlled. Corruptions can be rolled back using backup snapshots.
  • Security Reviews: All code paths touching PII (e.g., profile data, emails) undergo extra review. Supabase edge functions and RLS policies are tested with integration and unit tests.

---

5. User & Admin Controls

  • Profile Management: Users can download or update profile details, swap avatars, change language, or opt for anonymity directly from their Account settings.
  • Notification Preferences: Users control email toggles (approvals, rewards, weekly digest) and future push notifications for more personalized communication.
  • Workspace Governance: Admins manage members, reviewer roles, and approval automation via Admin → Members and Settings.
  • Join requests are logged, notifications are sent, and dormant accounts can be revoked instantly.

---

6. Data Lifecycle & Compliance Support

  • Retention: Operational data (contributions, approvals, perk claims) remains active while the workspace is active. Admins can request exports or deletions in line with GDPR.
  • Access Requests: The support team can process verified exports or deletions upon admin request, with all actions logged for auditability.
  • Vendor Posture: Both Vercel and Supabase hold SOC 2, ISO 27001, and GDPR-compliant certifications.

Their shared responsibility model ensures infrastructure-level compliance while TeamWins manages application-level policies.

---

7. Best Practices for Customers

  • Enforce Least Privilege: Assign Reviewer and Admin roles intentionally; rotate privileges when people change teams.
  • Configure Approvals Wisely: Use auto-approve only for low-risk perks or outcomes — all approvals are logged for audits.
  • Review Notification Digests: Use daily/weekly digests to stay on top of pending approvals and join requests.
  • Handle Exports Carefully: Store exported contributions or perk logs securely—they may include PII or financial data.
  • Contact Support Quickly: For data subject requests, suspected compromise, or security issues, email hello@teamwins.co.

The ops team has rollback and snapshot tools ready to assist.

---

By blending Vercel’s secure delivery, Supabase’s zero-trust policies, and EU-based AWS hosting, TeamWins delivers a privacy-forward collaboration platform without sacrificing speed or usability.

If you need deeper compliance documentation or custom data residency options, reach out to Support — enterprise add-ons like SSO, SCIM, and audit logs are available through our enterprise program.

Encryption in transit & at rest · SSO · GDPR · EU/US data residency · Powered by Vercel & Supabase