Teeem AI is designed for Korea’s regulatory environment (PIPA, AI Basic Act) and global best practices. Security is a default, not an option.

Data isolation

Other customers cannot reach your data — there is no code path for it.

| Store | Isolation boundary |
| --- | --- |
| PostgreSQL (RDS) | Per-customer dedicated instance — physically separate database |
| Sessions (DynamoDB) | Per-customer tables, per-customer KMS keys |
| Files (EFS) | Per-customer file system |
| Secrets | SSM Parameter Store SecureString with per-customer prefix |
| Slack tokens | AWS Secrets Manager, isolated |

Every store is encrypted with KMS. Even infra operators cannot read plaintext data.

PII masking (10 Korean PII types)

Masking happens before the message reaches the LLM and is reversed just before the response goes back to the user.

| PII type | Example |
| --- | --- |
| Resident registration number | 860101-1234567 [RRN-1] |
| Phone | 010-1234-5678 [PHONE-1] |
| Credit card | 4567-1234-5678-9012 [CARD-1] |
| Korean name | 김철수 [NAME-1] |
| Business registration number | 123-45-67890 [BRN-1] |
| Passport | M12345678 [PASSPORT-1] |
| Driver’s licence | 12-34-567890-12 [LICENSE-1] |
| Bank account | 123-456-789012 [ACCOUNT-1] |
| Address | 서울 강남구 ... [ADDR-1] |
| Health insurance | 1-1234567890 [HEALTH-1] |

Masking applies to LLM traffic, logs, audit, and outbound tool calls. The same PII consistently maps to the same token so responses unmask precisely.
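
The consistent value-to-token mapping and the unmask step described above, as an added example that is not Teeem AI's own code. The regexes cover only three of the ten types and are assumptions, as are the names `PiiMasker`, `mask` and `unmask`.

```python
import re

# Assumed detectors for 3 of the 10 types; the product's real patterns are not on this page.
# Digit lookarounds are used instead of word boundaries so matches still work next to Hangul.
PATTERNS = [
    ("RRN", re.compile(r"(?<!\d)\d{6}-[1-4]\d{6}(?!\d)")),
    ("CARD", re.compile(r"(?<!\d)\d{4}-\d{4}-\d{4}-\d{4}(?!\d)")),
    ("PHONE", re.compile(r"(?<!\d)01[016789]-\d{3,4}-\d{4}(?!\d)")),
]
TOKEN = re.compile(r"\[(?:RRN|CARD|PHONE)-\d+\]")


class PiiMasker:
    """Hypothetical per-conversation masker: one instance holds one token map."""

    def __init__(self):
        self._token_by_value = {}   # (kind, value) -> token
        self._value_by_token = {}   # token -> value
        self._counters = {}         # kind -> last index issued

    def _token_for(self, kind, value):
        key = (kind, value)
        if key not in self._token_by_value:
            self._counters[kind] = self._counters.get(kind, 0) + 1
            token = f"[{kind}-{self._counters[kind]}]"
            self._token_by_value[key] = token
            self._value_by_token[token] = value
        return self._token_by_value[key]

    def mask(self, text):
        # Applied to text before it is sent to the LLM, logs, or tools.
        for kind, pattern in PATTERNS:
            text = pattern.sub(lambda m, k=kind: self._token_for(k, m.group()), text)
        return text

    def unmask(self, text):
        # Tokens never issued in this conversation are left untouched.
        return TOKEN.sub(lambda m: self._value_by_token.get(m.group(), m.group()), text)


if __name__ == "__main__":
    masker = PiiMasker()
    # Constructed message using sample values from the table above.
    msg = "Call 010-1234-5678 about RRN 860101-1234567, then text 010-1234-5678."
    print(masker.mask(msg))
    print(masker.unmask("Noted. I will call [PHONE-1]."))
```

Because the map lives on the instance, the token map itself holds plaintext PII and needs the same protection as the data it replaces.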

Prompt-injection defence

Inbound messages — and any external content (email bodies, web pages, document contents) — are checked by an injection detector that recognises both Korean and English patterns. Additional defence layers:
  • Output leak detection — monitors for PII or secrets escaping in responses
  • Input length guard — protects against ReDoS
  • Shell isolation — code-execution tools run only in sandboxed environments

Access control

6-tier RBAC

platform_admin → enterprise_admin → team_admin → power_user → user → viewer
Each role declares which tools it may run and which data it may see.

ABAC (data classification)

Data carries a classification label.
public → internal → confidential → secret
Policy can require that confidential data be handled by team_admin or above, secret by enterprise_admin only — and so on.

IP allowlist

Restrict access to specific CIDRs. Useful when the agent should only be reachable from inside the company network.

Tool approval gates

Specific tools (external sends, payments, bulk data downloads) can require human approval before execution.

SSO

Integrate with the IdP your company already uses.
  • SAML 2.0 — Okta, OneLogin, Azure AD, etc.
  • OIDC — Google Workspace, Auth0, etc.
With SSO, users and groups sync via SCIM and offboarding revokes access automatically.

Audit log

Every activity is recorded — sign-ins, messages, tool executions, settings changes, KB uploads, OAuth links, and more.
  • Tamper-evident — entries are linked by SHA256 hashes; modifying any entry breaks the chain
  • Integrity verification API — anyone can verify integrity at a chosen point in time
  • 5-year retention — default, matched to Korean regulatory requirements
  • Compliance package export — audit log + PII statistics + RBAC matrix exported as a single ZIP

AI Basic Act watermarking

Per Korea’s AI Basic Act Article 27, AI-generated content carries a watermark.

| Output | Watermark format |
| --- | --- |
| Text | Visible label (e.g. “AI-generated content”) + metadata |
| Documents (PDF, PPTX, DOCX) | Footer or generation metadata |
| HTTP responses | Header marker |

Watermarking is toggleable but should be on in Korean operations.

PIPA (Korean privacy law)

  • Minimisation — only the PII required for the task is processed
  • Purpose limitation — no reuse for other purposes
  • Encrypted storage — KMS, AES-256-GCM
  • Access control — RBAC + ABAC + audit logging
  • Deletion requests — API for personal-data deletion

Container & infrastructure security

| Item | Setting |
| --- | --- |
| Container user | non-root (UID 1001) |
| Filesystem | read-only |
| Privilege escalation | no-new-privileges |
| Resource limits | 2 GB RAM / 2 CPU (DoS prevention) |
| Image scanning | ECR vulnerability scanning |
| Network | RDS in private subnets, security groups least-privilege |
| WAF | OWASP rule set + custom rules |
| TLS | ALB termination, HSTS 2 years, CSP applied |
| Boot-time check | 18-item security audit (boot fails on FAIL) |

Compliance report

Hit GET /admin/compliance-report to export an evidence package containing:
  • Audit log (with hash-chain integrity proof)
  • PII masking statistics (by type and time window)
  • RBAC matrix (current per-role permissions)
  • External API call log
  • AI Basic Act watermarking history
The format is suitable for direct submission to regulators or for ISMS-P recertification.