Security — Data Collection, Encryption & Privacy

Security

Data Collection Principles

Tandemu captures session metadata, not content.

What is collected:

  • Session duration (task start to finish)
  • Line counts (AI-generated vs manual)
  • File paths involved in friction events
  • Tool usage patterns and success rates
  • Task completion data (cycle time, commit counts)

What is NOT collected:

  • Prompt content (what the developer asked Claude)
  • Source code or file contents
  • Keystrokes or typing patterns
  • Screen recordings or screenshots
  • Idle time or break tracking

Developers see the same data their leads see. There is no hidden dashboard or additional data visible only to management.

Authentication & Authorization

JWT Authentication

All API requests are authenticated with JWT tokens. Tokens are issued during the /tandemu:setup flow and expire after 30 days.

  • Tokens are stored locally in ~/.claude/tandemu.json
  • Re-authentication is handled by re-running /tandemu:setup
  • The JWT secret is configurable via JWT_SECRET environment variable — change this in production

Role-Based Access Control

Role     Dashboard   Manage Teams   Manage Integrations   Invite Members   Delete Org
Owner    Yes         Yes            Yes                   Yes              Yes
Admin    Yes         Yes            Yes                   Yes              No
Member   Yes         No             No                    No               No

Row-Level Security

PostgreSQL Row-Level Security (RLS) enforces tenant isolation at the database level. Every query is scoped to the current organization via SET LOCAL app.current_tenant. This means a bug in the application code cannot leak data across organizations.
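The following is an added illustration of the pattern described above, not Tandemu's own schema: a tenant-scoped table, an RLS policy keyed on app.current_tenant, and a hypothetical non-owner application role (tandemu_app) running queries inside a SET LOCAL transaction. It is meant to be run as a superuser in psql.

```sql
-- Added illustration, not Tandemu's own schema: a tenant-scoped table guarded
-- by an RLS policy keyed on app.current_tenant. Run as a superuser in psql.
CREATE TABLE tasks (
    id     bigserial PRIMARY KEY,
    org_id uuid NOT NULL,
    title  text NOT NULL
);

ALTER TABLE tasks ENABLE ROW LEVEL SECURITY;
-- Table owners bypass RLS unless it is forced. The app role should not own
-- the table, but FORCE keeps the isolation intact even if it does.
ALTER TABLE tasks FORCE ROW LEVEL SECURITY;

-- current_setting(name, true) yields NULL when the setting was never set and
-- '' once a SET LOCAL has expired; NULLIF maps both to NULL, so the comparison
-- is false and an unscoped session sees nothing rather than everything.
CREATE POLICY tenant_isolation ON tasks
    USING      (org_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid);

-- Seed two organizations (the superuser bypasses RLS, so both rows land).
INSERT INTO tasks (org_id, title) VALUES
    ('11111111-1111-1111-1111-111111111111', 'org A task'),
    ('22222222-2222-2222-2222-222222222222', 'org B task');

-- Non-owner application role (hypothetical name).
CREATE ROLE tandemu_app;
GRANT SELECT, INSERT, UPDATE, DELETE ON tasks TO tandemu_app;
GRANT USAGE ON SEQUENCE tasks_id_seq TO tandemu_app;
SET ROLE tandemu_app;

-- SET LOCAL lasts only until the transaction ends, so the scoping statement
-- must run in the same transaction as the query (matters with connection pools).
BEGIN;
SET LOCAL app.current_tenant = '11111111-1111-1111-1111-111111111111';
SELECT title FROM tasks;            -- returns only 'org A task'
UPDATE tasks SET title = 'renamed'; -- a missing WHERE still touches only org A: UPDATE 1
COMMIT;

BEGIN;
SET LOCAL app.current_tenant = '11111111-1111-1111-1111-111111111111';
-- Writing a row for another org violates WITH CHECK and aborts the transaction.
INSERT INTO tasks (org_id, title)
    VALUES ('22222222-2222-2222-2222-222222222222', 'smuggled');
ROLLBACK;

SELECT count(*) FROM tasks;         -- 0: no tenant is set outside a transaction
RESET ROLE;
```

The two caveats worth checking in any deployment are that the application role must not be a superuser or BYPASSRLS role, and that the SET LOCAL must be issued on the same connection and inside the same transaction as the queries it is meant to scope.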

Data Encryption

At Rest

  • Integration API tokens (Jira, Linear, ClickUp, GitHub, Asana, monday.com) are encrypted using AES-256-GCM before storing in PostgreSQL. Set ENCRYPTION_KEY in your environment.
  • Database encryption depends on your infrastructure (disk-level encryption is recommended for production)

In Transit

  • HTTPS is recommended for all production deployments
  • Configure a reverse proxy (nginx, Caddy, or Traefik) in front of the Docker Compose stack

JWT Signing

Tokens are signed with a configurable secret. The default (change-me-in-production) is not secure — always set a strong JWT_SECRET in production.

Data Residency

Self-Hosted

All data stays on your infrastructure. The Docker Compose stack has no external dependencies — no analytics, no tracking, no phone-home behavior. Telemetry, memories, and application data never leave your network.

Cloud (tandemu.dev)

Data is stored on managed infrastructure. Contact us for specific data residency requirements.

Integration Security

  • Minimal permissions — Tandemu reads task metadata only (titles, statuses, assignees). It does not access source code, pull requests, or repository contents.
  • Encrypted storage — API tokens are encrypted at rest (AES-256-GCM)
  • Real-time proxying — Task data is fetched live from your ticket system on each request. Tandemu does not cache or store task data.
  • Scoped access — Each integration is scoped to an organization. Team-project mappings control which tasks are visible to which teams.

Memory Privacy

  • Per-user isolation — Memory is scoped by user ID in the MCP URL. Each developer has their own memory space.
  • Personal memories are private — Only the author can see personal memories.
  • Organization memories are gated — Org memories start as drafts (visible only to the author) and are promoted to published when a task completes via /finish. Admins can review and manage org memories from the dashboard.
  • No secrets stored — The memory system is designed for coding patterns, preferences, and decisions. Secrets, tokens, and passwords are never stored.
  • Self-hosted storage — When self-hosted, memories are stored in Qdrant on your infrastructure.

Production Hardening Checklist

For self-hosted deployments:

  • Change JWT_SECRET to a strong random value
  • Set ENCRYPTION_KEY for API token encryption
  • Enable HTTPS via a reverse proxy (nginx, Caddy, or Traefik)
  • Restrict CORS_ORIGIN to your frontend URL
  • Configure firewall rules — only expose ports 3000 (frontend) and 4317/4318 (OTEL) as needed
  • Set up regular PostgreSQL backups
  • Set up regular Qdrant backups (memory data)
  • Review ClickHouse data retention and add TTLs if needed

Vulnerability Reporting

If you discover a security vulnerability, please report it responsibly by emailing security@tandemu.dev. We take all reports seriously and will respond promptly.
