At a glance

  • Data location – EU only (Azure France Central)
  • Encryption – AES-256 at rest; TLS 1.3 in transit
  • Authentication – OAuth 2.0 (Google & Microsoft)
  • Infrastructure – Azure managed services
  • Version 1.1, updated Apr 2026

Compliance & Certification Status

Current security and compliance posture:

  • GDPR compliance – Operational
  • EU AI Act alignment – Aligned
  • ISO 27001 certification – Audit Q4 2026
  • SOC 2 Type II – Planned H1 2027

Teneks Security White Paper

Version 1.1 – April 2026
security@teneks.ai


Executive Summary

Teneks provides AI‑powered Live‑Call Assistance and Post‑Call Analysis for sales and customer‑success teams. Data is processed and stored in the EU (Azure France Central with backups in West Europe). Core controls include TLS 1.3 transport security, AES‑256 at rest, RBAC with OAuth (Google/Microsoft), strict logging without PII, and enforced data retention with deletion. This document summarises architecture, controls, and shared responsibilities.

Scope & Audience

This white paper covers application architecture, data handling, identity and access, logging/monitoring, backup/DR, incident response, and compliance roadmap. It is intended for security reviewers, procurement teams, and legal/privacy stakeholders. Staging and production are separate environments; customer data exists only in production.


High‑Level Architecture

Sequence diagram (Mermaid source):

sequenceDiagram
    actor User
    participant FE as Browser (Front-End)
    participant WS as WebSocket API (Azure Container Apps)
    participant BE as App API (Azure Container Apps)
    participant Blob as Azure Blob Storage (France Central)
    participant DB as Azure Postgres (Managed)
    participant L1 as LLM-Lite (Azure Container)
    participant L2 as LLM-Heavy (Azure Container)
    User->>FE: Web GUI / OAuth
    User->>FE: Audio stream
    FE->>WS: WebSocket audio chunks
    WS->>L1: real-time guidance
    WS->>Blob: write raw audio
    WS->>DB: log endpoint event
    BE->>L2: batch summary
    L2->>Blob: read audio, write transcript
    BE->>Blob: delete raw audio (retention ≤ 30 days)

Production and staging environments are fully segregated in separate Azure subscriptions.


End‑to‑End Data Flow

Stage               | Live-Call Assistance                                            | Post-Call Analysis
--------------------|-----------------------------------------------------------------|-------------------------------------------------------------------
Ingest              | Browser captures mic audio → WebSocket → Container App          | Audio file uploaded manually or pulled from customer CRM via HTTPS
Process (real-time) | LLM-Lite (< 1 B parameters) produces guidance tokens            | N/A
Store               | Raw audio → Blob; endpoint log → Postgres                       | Raw audio → Blob
Process (batch)     | LLM-Heavy summarises & scores after call end                    | LLM-Heavy summarises & scores on receipt
Delete raw audio    | azcopy remove after summary; 30-day retention cap by default    | Same
Persist             | Transcript + analytics JSON in Blob & Postgres                  | Transcript + analytics JSON
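The "delete raw audio" step above is a policy decision, not just a cron job: a raw file goes once its summary exists, and in any case once it hits the retention cap. The following is an added example, not Teneks code, showing that decision as a sweep over a blob inventory. It assumes (constructed for the example) a blob-path layout, an in-memory inventory, and that tenants may configure a shorter retention than the 30-day cap but never a longer one; the sweep also reports files that aged out without ever being summarised, so a stalled LLM-Heavy pipeline is noticed rather than silently losing calls.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hard cap on raw-audio retention from the data-flow table. Assumption for this example:
# a per-organisation policy may shorten the period but can never extend it past the cap.
MAX_RAW_AUDIO_RETENTION = timedelta(days=30)


@dataclass(frozen=True)
class RawAudio:
    blob_path: str            # path inside the raw-audio container, e.g. "raw/org-a/call-1.wav" (assumed layout)
    org_id: str
    uploaded_at: datetime
    transcript_written: bool  # LLM-Heavy has already written transcript + analytics JSON


def plan_raw_audio_deletion(inventory, now, retention_by_org=None):
    """Return (paths_to_delete, stale_without_summary).

    A raw file is deleted once its summary exists, or once it reaches the retention cap
    even if summarisation never happened; the latter is also reported so an operator
    sees a stuck pipeline instead of a quietly vanished call.
    """
    retention_by_org = retention_by_org or {}
    to_delete, stale = [], []
    for blob in inventory:
        cap = min(retention_by_org.get(blob.org_id, MAX_RAW_AUDIO_RETENTION), MAX_RAW_AUDIO_RETENTION)
        expired = now - blob.uploaded_at >= cap
        if blob.transcript_written or expired:
            to_delete.append(blob.blob_path)
        if expired and not blob.transcript_written:
            stale.append(blob.blob_path)
    return sorted(to_delete), sorted(stale)


def azcopy_remove_commands(container_url, paths):
    """Build the azcopy invocations; the job runner appends a SAS scoped to delete on that container."""
    return [f'azcopy remove "{container_url}/{p}?<sas>"' for p in paths]


SAMPLE_NOW = datetime(2026, 4, 15, 12, 0, tzinfo=timezone.utc)   # constructed clock

# Constructed inventory for the example, not real customer data.
SAMPLE_INVENTORY = [
    RawAudio("raw/org-a/call-1.wav", "org-a", SAMPLE_NOW - timedelta(days=2), True),    # summarised: delete
    RawAudio("raw/org-a/call-2.wav", "org-a", SAMPLE_NOW - timedelta(days=2), False),   # pending: keep
    RawAudio("raw/org-a/call-3.wav", "org-a", SAMPLE_NOW - timedelta(days=31), False),  # past cap, no summary
    RawAudio("raw/org-b/call-9.wav", "org-b", SAMPLE_NOW - timedelta(days=10), False),  # org-b cap is 7 days
]
SAMPLE_POLICY = {"org-b": timedelta(days=7)}   # org-b chose a shorter retention than the default cap


if __name__ == "__main__":
    delete, stale = plan_raw_audio_deletion(SAMPLE_INVENTORY, SAMPLE_NOW, SAMPLE_POLICY)
    for cmd in azcopy_remove_commands("https://example.blob.core.windows.net/audio", delete):
        print(cmd)
    print("aged out without a summary (investigate pipeline):", stale)
```

The `min(...)` on the per-organisation policy is the line that enforces "retention ≤ 30 days": a tenant setting of 60 days is clamped to the cap rather than honoured.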

Network Security Controls

  • Edge protection – Cloudflare WAF and DDoS protection front the application; public ingress is filtered by Cloudflare.
  • Workloads – Azure Container Apps host front-end APIs and WebSocket services.
  • Database access – Azure Postgres is restricted via IP firewall rules to a limited, controlled set of egress addresses from the backend. Private Endpoints are supported and planned for future hardening.

Encryption & Key Management

  • Transport – HTTPS (& WebSocket-over-TLS) with modern cipher suites; TLS 1.3 preferred, TLS 1.2 accepted for legacy clients.
  • At rest – AES-256 on all Azure Storage and database volumes.
  • Key storage – Microsoft-managed keys in Azure Key Vault; customer-managed keys (CMK/BYOK) under review for the roadmap.
  • Rotation – Platform keys auto-rotated by Azure; application secrets rotated quarterly.
  • Audio playback access – Stored audio files are served only through time-limited Azure SAS (Shared Access Signature) tokens valid for 5 minutes. Each token is generated per request and scoped to the single blob being played, so a leaked or shared playback URL exposes one file for at most five minutes rather than the container.
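To make the playback control concrete, the following added example (not Teneks code, and not the Azure SDK) models the two halves of a scoped, time-limited signed URL: the application authorises the requester and mints a read-only token bound to one blob and a 5-minute expiry; the storage side accepts the URL only if path, permission and expiry are all unmodified and the expiry has not passed. The HMAC scheme, key and account URL are constructed stand-ins; a real deployment calls `generate_blob_sas` from `azure-storage-blob`, which signs with the account key or a user delegation key and has the same three properties.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed signing key for the example. A real deployment does not hand-roll this:
# azure.storage.blob.generate_blob_sas signs with the account key or a user delegation key.
PLAYBACK_SIGNING_KEY = b"example-only-playback-key"
PLAYBACK_TTL_SECONDS = 5 * 60                            # five-minute validity from the white paper
ACCOUNT_URL = "https://example.blob.core.windows.net"    # placeholder storage account


def _sign(blob_path, permission, expiry):
    # The signature binds path, permission and expiry together; changing any one invalidates it.
    msg = f"{blob_path}\n{permission}\n{expiry}".encode()
    return hmac.new(PLAYBACK_SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def mint_playback_url(requester_org, blob_org, blob_path, now=None):
    """Application side: enforce the organisation boundary, then issue a read-only, single-blob URL."""
    if requester_org != blob_org:
        raise PermissionError("blob belongs to another organisation")
    now = int(time.time()) if now is None else now
    expiry = now + PLAYBACK_TTL_SECONDS
    query = {"sp": "r", "se": str(expiry), "sig": _sign(blob_path, "r", expiry)}
    return f"{ACCOUNT_URL}/{blob_path}?{urlencode(query)}"


def check_playback_url(url, now=None):
    """Storage side: accept only an unmodified, unexpired, read-only token for the path in the URL."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    blob_path = parts.path.lstrip("/")
    try:
        expiry = int(q["se"])
        permission, sig = q["sp"], q["sig"]
    except (KeyError, ValueError):
        return "deny: malformed token"
    if not hmac.compare_digest(_sign(blob_path, permission, expiry), sig):
        return "deny: bad signature"          # covers a swapped blob path or an escalated permission
    if expiry <= now:
        return "deny: expired"
    if permission != "r":
        return "deny: not read-only"
    return "allow"
```

Within its window the URL is still a bearer credential: anyone holding it can fetch that one blob until `se` passes. That is the residual risk the 5-minute lifetime and per-request issuance are sized to bound.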

Identity & Access Management

  • Authentication – OAuth 2.0 / OIDC with Google and Microsoft.
  • Roles – User → Manager → Admin hierarchy scoped to organisation.
  • Sessions – Short-lived JWT (30 min) with refresh; tokens can be revoked.
  • Privileged access – Designated security officer via just-in-time, time-bound Azure role with MFA and full audit trail.
  • Customer data access – Customer content (audio, transcripts, analytics) is accessible only to the customer’s own organisation users (per role), the Teneks Founder/CEO (admin/support) and any designated NDA‑bound account manager. Teneks employees do not have access to customer content data.
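The session and role model above (30-minute JWT, revocation, User → Manager → Admin scoped to an organisation) is small enough to show end to end. The following is an added example written for this white paper, not Teneks's code: an HS256 JWT is minted with organisation, role and a unique `jti`; verification checks the algorithm, signature, expiry and a revocation set before any role comparison; and authorisation tests the organisation boundary first, then the role rank. The signing key, claim names and role names are assumptions for the example; a deployment would hold the key in Azure Key Vault and back the revocation set with a store shared by all API replicas.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed HS256 signing key for this example only; a deployment loads it from
# Azure Key Vault and rotates it with the other application secrets.
SIGNING_KEY = b"example-only-hs256-key-do-not-use-in-production"
SESSION_TTL_SECONDS = 30 * 60                       # 30-minute JWT lifetime
ROLE_RANK = {"user": 0, "manager": 1, "admin": 2}   # User -> Manager -> Admin hierarchy
REVOKED_JTI = set()                                 # stand-in for a shared revocation store


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(segment):
    return _b64url(json.dumps(segment, separators=(",", ":")).encode())


def issue_session(user_id, org_id, role, now=None):
    """Mint an HS256 JWT carrying the user's organisation, role and a unique jti."""
    if role not in ROLE_RANK:
        raise ValueError(f"unknown role {role!r}")
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "org": org_id, "role": role, "iat": now,
              "exp": now + SESSION_TTL_SECONDS, "jti": secrets.token_hex(16)}
    signing_input = _encode({"alg": "HS256", "typ": "JWT"}) + "." + _encode(claims)
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_session(token, now=None):
    """Return the claims if the token is well-formed, correctly signed, unexpired and not revoked."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    head_b64, claims_b64, sig_b64 = parts
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")      # refuses alg=none and algorithm-confusion tokens
    expected = hmac.new(SIGNING_KEY, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) <= now:
        raise PermissionError("expired")
    if claims.get("jti") in REVOKED_JTI:
        raise PermissionError("revoked")
    return claims


def revoke_session(jti):
    """Logout or compromise: the jti is rejected immediately instead of living out its 30 minutes."""
    REVOKED_JTI.add(jti)


def authorize(claims, resource_org, required_role):
    """Organisation boundary first, then the User -> Manager -> Admin hierarchy."""
    if claims["org"] != resource_org:
        raise PermissionError("cross-organisation access denied")
    if ROLE_RANK[claims["role"]] < ROLE_RANK[required_role]:
        raise PermissionError("insufficient role")
    return True


def access_decision(token, resource_org, required_role, now=None):
    """Single entry point for request handlers: 'allow' or 'deny: <reason>'."""
    try:
        authorize(verify_session(token, now), resource_org, required_role)
        return "allow"
    except PermissionError as exc:
        return f"deny: {exc}"


def forge_claims(token, **overrides):
    """What an attacker tries: re-encode the payload with new claims but keep the old signature."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims.update(overrides)
    return head_b64 + "." + _encode(claims) + "." + sig_b64


def strip_to_alg_none(token):
    """Classic downgrade attempt: the same payload as an unsigned alg=none token."""
    _, claims_b64, _ = token.split(".")
    return _encode({"alg": "none", "typ": "JWT"}) + "." + claims_b64 + "."
```

Two points are easy to get wrong in practice and are exercised here: the header algorithm is pinned before the signature is checked, so an `alg=none` token never reaches the claims; and the organisation check runs before the role check, so an Admin of one organisation is still denied another organisation's data.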

Data Classification & Handling

Restricted
  Examples: audio, transcripts, analytics derived from conversations
  Access: end users in the same organisation (role-based); Teneks Founder/CEO (admin/support); designated NDA-bound account manager (if assigned)
  Storage: Blob + Postgres (EU)
  Logging: no PII in logs; only IDs

Internal
  Examples: configuration, anonymised usage metrics (feature usage, page views, session durations)
  Access: Teneks operations; org admins where applicable
  Storage: Postgres
  Logging: fully aggregated & anonymised; zero re-identification (GDPR Recital 26)

Public
  Examples: marketing site content
  Access: everyone
  Storage: N/A
  Logging: N/A

Important: Teneks employees do not have access to Restricted data (audio recordings, transcripts or conversation analytics). Only the customer’s own organisation users (per role), the Teneks Founder/CEO and any designated NDA-protected account manager may access Restricted data. Technical infrastructure access is limited to system administrators who can view only anonymised metadata for operational purposes.

Usage data vs. customer content data: For platform improvement we use only fully anonymised and aggregated usage data (how users interact with the platform interface). Customer content data is never used for platform improvement, analytics or shared with third parties.


Logging & Monitoring

The application layer records one row per authenticated API call with the following fields:

(user_id UUID,
 path TEXT,
 status_code INT,
 activity_time TIMESTAMP,
 duration FLOAT)
  • Stored in Postgres; indexed by (user_id, activity_time).
  • No PII in logs; access limited to system administrators; quarterly audit of access and query history.
  • Infrastructure logs (WAF, Container Apps) retained 30 days in Azure Monitor with export to Blob for 90 days.
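Because the access log carries only IDs, it is still enough to drive detection. The following added example (not Teneks code) builds the record above in an in-memory SQLite table standing in for Postgres, sanitises the request path before it is stored so that query strings carrying e-mail addresses never reach the log, and runs the query a Monitoring alert would use: users accumulating 401/403 responses inside a five-minute window, the signature of a session probing other organisations' call IDs. Table and index names, the threshold, and the sample rows are constructed for the example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# sqlite3 stands in for Azure Postgres so the example runs offline; columns mirror the
# white paper's access-log record. Table and index names are assumptions.
SCHEMA = """
CREATE TABLE api_access_log (
    user_id       TEXT    NOT NULL,   -- UUID in Postgres
    path          TEXT    NOT NULL,
    status_code   INTEGER NOT NULL,
    activity_time TEXT    NOT NULL,   -- ISO-8601 UTC here; TIMESTAMP in Postgres
    duration      REAL    NOT NULL
);
CREATE INDEX ix_access_user_time ON api_access_log (user_id, activity_time);
"""


def sanitize_path(raw_path):
    """Keep the route only: query strings and fragments are where e-mail addresses and names leak into logs."""
    return urlsplit(raw_path).path or "/"


def log_request(conn, user_id, raw_path, status_code, activity_time, duration):
    """Write one access-log row; the path is sanitised before it reaches storage."""
    conn.execute(
        "INSERT INTO api_access_log VALUES (?, ?, ?, ?, ?)",
        (user_id, sanitize_path(raw_path), status_code, activity_time.isoformat(), duration),
    )


def auth_failure_bursts(conn, now, window=timedelta(minutes=5), threshold=5):
    """Users with >= threshold 401/403 responses inside the window: a session walking through
    other organisations' call IDs, or a scripted client replaying a stale token."""
    since = (now - window).isoformat()
    rows = conn.execute(
        """
        SELECT user_id, COUNT(*)
        FROM api_access_log
        WHERE status_code IN (401, 403) AND activity_time >= ?
        GROUP BY user_id
        HAVING COUNT(*) >= ?
        ORDER BY COUNT(*) DESC, user_id
        """,
        (since, threshold),
    ).fetchall()
    return [(user_id, int(failures)) for user_id, failures in rows]


SAMPLE_NOW = datetime(2026, 4, 15, 12, 0, tzinfo=timezone.utc)   # constructed clock


def build_sample_log():
    """Constructed traffic, not real customer data: user-a walks through call IDs it does not own."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    t = SAMPLE_NOW
    for i in range(6):   # six 403s in two minutes; the query string carries PII that must not be stored
        log_request(conn, "user-a", f"/calls/{1000 + i}/audio?email=alice@example.com",
                    403, t - timedelta(seconds=20 * i), 0.01)
    for i in range(2):   # a couple of stale-session 401s is ordinary behaviour
        log_request(conn, "user-b", "/calls/42", 401, t - timedelta(minutes=1 + i), 0.01)
    log_request(conn, "user-a", "/calls/7/audio", 403, t - timedelta(hours=3), 0.01)   # outside the window
    log_request(conn, "user-c", "/calls/7/audio", 200, t - timedelta(seconds=5), 0.12)
    conn.commit()
    return conn


def stored_paths(conn, user_id):
    """Distinct paths actually persisted for a user; used to confirm nothing from the query string survived."""
    return [row[0] for row in conn.execute(
        "SELECT DISTINCT path FROM api_access_log WHERE user_id = ? ORDER BY path", (user_id,))]
```

The `(user_id, activity_time)` index from the white paper is exactly what this query needs: the window predicate and the grouping both walk that index, so the alert stays cheap as the table grows.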

Secure SDLC

  • Dependency and container vulnerability scanning in CI/CD.
  • Code review on all changes; infrastructure as code for environment consistency.
  • Secrets scanning; SBOM and pinning where practical.

Vulnerability Management SLAs

Severity | Remediation target
---------|-------------------
Critical | 72 hours
High     | 7 days
Medium   | 30 days
Low      | 90 days

Backup & Disaster Recovery

Item         | Mechanism                                      | RPO   | RTO
-------------|------------------------------------------------|-------|-------
Blob Storage | Daily encrypted snapshot → West Europe (GRS)   | 24 h  | < 12 h
Postgres     | Azure automated backups (7-day point-in-time)  | 5 min | < 2 h
Restore test | Next scheduled: Nov 2026                       |       |

AI Safety

Prompt-injection and jailbreak mitigations are applied and reviewed quarterly. Training and evaluation datasets are governed to avoid sensitive data leakage.


Compliance Controls (ISO 27001 Annex A summary)

Control family           | Key measures in place
-------------------------|--------------------------------------------------------------------
A.5 Policies             | ISMS & Secure-SDLC policies approved Q2 2025
A.6 Organisation         | Role-based access; privileged access JIT; segregation of duties
A.8 Asset management     | CMDB in Azure; data classification (Public / Internal / Restricted)
A.9 Access control       | OAuth, least privilege, quarterly access review
A.12 Operations          | IaC, automated CI/CD, vulnerability scanning
A.13 Communications      | TLS, WAF, DDoS protection
A.17 Business continuity | DR plan, cross-region backups, incident run-books

Control numbering above follows the ISO/IEC 27001:2013 Annex A structure; the 2022 revision consolidates these controls into four themes (A.5 Organisational, A.6 People, A.7 Physical, A.8 Technological), so the mapping will be restated against that edition for the certification audit.

ISO 27001 certification audit planned Q4 2026; SOC 2 Type II scheduled H1 2027.


Shared-Responsibility Model

Responsibility                  | Teneks                                        | Customer
--------------------------------|-----------------------------------------------|------------------------------------------
Hosting & patching              | ✅                                            |
Encryption at rest & in transit | ✅                                            |
Data retention period           | Configurable default; enforced deletion tools | Choose & set policy
User & role management          |                                               | ✅ (Admins assign roles)
SSO / MFA config                |                                               | ✅ (if OIDC configured)
Recording consent banner        |                                               | ✅ (display to participants)
Incident reporting              | 24 h acknowledge                              | Report incidents affecting credentials

Incident Response

  • Monitoring – Continuous via Azure Monitor.
  • Detection → Ticket – Alert creates internal ticket with on-call engineer.
  • Response targets
    Acknowledgement: within 24 h of report
    Initial mitigation: within 72 h
    Full resolution / RCA: within 5 business days
  • Communication – Email updates from security@teneks.ai.

Contact & Versioning

Security team: security@teneks.ai


© 2025–2026 TENEKSAI OÜ – All rights reserved.