Trust

Security & data handling

SeatMap.AI reads workspace seat metadata to find unused licenses. This page answers the questions IT and security teams ask before connecting us. It's maintained by the SeatMap.AI team — not a third-party certification.

What we read

Each workspace integration uses the read scopes published by the provider — typically user.list, billing.read, and workspace.read. We do not request message, file, or content scopes.

For each member we read: email, role, last activity timestamp, billing seat status, and the integrations they belong to. That's the entire input to the audit.

What we never store

  • Message content, files, documents, code, or chat history
  • Personal device data or IP-level activity logs
  • HR records, salary data, or performance reviews
  • Customer or end-user data from your products

How tokens are protected

Access tokens are encrypted at rest before they're written to the database. They are never returned to the browser, never logged in plain text, and never sent to third parties. Token columns have direct client read access revoked at the database layer — only server-side reclaim jobs can decrypt them.

You can revoke any connection from your provider's admin console at any time. The revocation is honored on the next scan cycle (within 5 minutes).

Where data lives

SeatMap.AI runs on a managed Postgres database with row-level security enabled on every customer-facing table. Each organization can only read its own rows. Backups are encrypted and rotated.
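
The two database controls described above (client read access revoked on token columns, and per-organization row-level security) can be expressed in PostgreSQL as follows. This is an added example, not SeatMap.AI's schema: the table, column, role and setting names are assumptions chosen for illustration.

```sql
-- Hypothetical names throughout: connections, app_client, reclaim_job,
-- app.current_org are assumptions, not taken from the vendor.
CREATE ROLE app_client  NOLOGIN;  -- role behind browser-facing API requests
CREATE ROLE reclaim_job NOLOGIN;  -- role behind server-side jobs

CREATE TABLE connections (
    id              bigserial PRIMARY KEY,
    org_id          uuid  NOT NULL,
    provider        text  NOT NULL,
    token_encrypted bytea NOT NULL  -- ciphertext only; encrypted before INSERT
);

-- Row-level security: a session sees only rows of the organization it is
-- bound to. FORCE makes the policy apply to the table owner as well.
ALTER TABLE connections ENABLE ROW LEVEL SECURITY;
ALTER TABLE connections FORCE  ROW LEVEL SECURITY;

-- If app.current_org is unset or empty the comparison yields NULL, so no
-- rows match: the policy fails closed.
CREATE POLICY org_isolation ON connections
    USING (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Column privileges. A column-level REVOKE does not override a table-level
-- GRANT SELECT, so remove table-wide access first, then grant only the
-- non-secret columns to the client role.
REVOKE ALL ON connections FROM PUBLIC, app_client;
GRANT SELECT (id, org_id, provider) ON connections TO app_client;

-- Only the server-side job role may read the ciphertext. It is still
-- subject to org_isolation and must bind an organization per transaction,
-- e.g. SELECT set_config('app.current_org', '<org uuid>', true);
GRANT SELECT, UPDATE ON connections TO reclaim_job;

-- Checks an auditor can run to confirm the boundary holds.
SELECT has_column_privilege('app_client',  'connections', 'token_encrypted', 'SELECT') AS client_can_read_token,
       has_column_privilege('app_client',  'connections', 'provider',        'SELECT') AS client_can_read_provider,
       has_column_privilege('reclaim_job', 'connections', 'token_encrypted', 'SELECT') AS job_can_read_token;

SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class
WHERE relname = 'connections';
```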

Outbound calls go only to the providers you've connected (Slack, Notion, GitHub, M365, Google Workspace, etc.). No data is sold or shared.

Shared responsibility

You control which workspaces are connected and which roles can approve reclaims. We control the secure handling, encryption, and access boundaries of the data we read. Your provider controls the underlying account, billing, and permission model.

Reclaim actions (removing a seat, downgrading a role) are always gated behind an explicit approval in your workspace. We never deprovision without a human-in-the-loop confirmation.

Reporting a vulnerability

Found something? Email security@seatmapai.online. We respond within one business day and credit researchers who disclose responsibly.

Compliance status

SOC 2 Type I report is in progress. We're happy to share the audit plan, policies, and current control evidence under NDA — reach out via the contact form.

We don't claim certifications we don't hold. If you need a specific attestation before connecting, tell us and we'll be honest about timeline.
