Security
Security practices for TeamlyApp authentication (Google Sign-In, email/password, magic links), client portals, tracking signals, approvals, and exports.
Security mindset
TeamlyApp is built for sending client-ready documents via portals. We focus on practical controls that make sharing predictable and manageable.
We take reasonable and appropriate steps to protect user data in transit and at rest and to reduce the risk of unauthorized access, use, alteration, disclosure, or destruction.
Encryption in transit and at rest
- Encrypted connections (HTTPS/TLS) are used to protect data in transit between your device and TeamlyApp.
- We use encryption at rest for stored data where supported by our infrastructure and vendors, including backups where applicable.
Authentication and account security
TeamlyApp supports email/password sign-in, email magic links, and third-party sign-in (such as Google Sign-In). Application secrets and OAuth credentials are kept confidential and are not exposed in client-side code.
- Password handling: passwords are stored using strong, salted, one-way hashing (we do not store plaintext passwords).
- Magic links: sign-in links are intended to be short-lived and should be treated like credentials. Do not forward them.
- Session protection: sessions are managed using secure cookies and appropriate cookie settings where supported.
- Abuse prevention: we use reasonable safeguards such as rate limiting and monitoring to reduce brute-force attempts and suspicious sign-in activity.
- Access control: internal access to production systems is limited to authorized personnel and follows least-privilege principles.
- Administrative security: we use strong authentication controls (such as multi-factor authentication) for accounts that access production infrastructure.
Google Sign-In and Google OAuth data handling
If you sign in with Google, TeamlyApp requests only the minimum permissions needed to authenticate you.
We do not access Gmail, Google Drive, Google Calendar, or other Google services unless you explicitly connect them and grant additional permissions in context.
- Token handling: OAuth tokens (when used) are stored and transmitted securely, and access is restricted.
- Scope minimization: we avoid requesting permissions that are not required to deliver product functionality.
- Change control: if we expand the Google data we access, we will update our disclosures and request consent where required before using Google user data in a new way.
Portal access controls
- Password protection (when enabled).
- Expiry controls (when enabled).
- Ability to replace or update share links as your process changes.
- Optionally limit portal exposure by sharing only with intended recipients and using unique links per client/workflow where applicable.
Tracking signals
If you enable tracking, TeamlyApp records activity signals (like opens) to help you follow up with better timing.
Tracking is optional and should be used responsibly. You are responsible for providing any disclosures required by your policies and applicable laws to your recipients.
Operational security
- Logging and monitoring: we maintain logs to help detect abuse, troubleshoot issues, and support security investigations.
- Vulnerability management: we work to keep dependencies and systems updated and address security issues in a timely manner.
- Incident response: we investigate suspected security incidents and take steps to contain and remediate issues. Where required, we provide appropriate notifications.
Export-first ownership
You can export PDFs anytime so your documents and project history remain portable.
Responsible disclosure
If you believe you’ve found a security issue, email support@teamlyapp.com with details so we can investigate.