Skip to content
temja

security

The questionnaire, already answered.

A training tool that logs who was trained is a system of record. We built Temja to survive your security review, your data-protection officer, and your works council. Here is what they will ask — answered in advance.

posture

How Temja is built

Residency and encryption

Temja runs in the EU. Authentication, learner records, drill logs, and the audit chain are hosted on Google Cloud in europe-west, encrypted in transit with TLS and at rest. Data does not leave the EU in the ordinary course of running the service.

Credentials and API keys live in a managed secret store — never in the source repository and never in the browser bundle. The client ships only the public configuration a web app is expected to carry.

Tenant isolation and audit

Tenant isolation is enforced at the data layer. Every document carries an organization scope; every read and write is checked against it, and the default is deny. A signed-in session never holds a key capable of writing outside that person's own organization, and it is scoped to a single organization and role — a learner credential cannot reach admin surfaces, by rule.

The audit log is append-only — no update path, no delete path. Each material event is hash-chained: hash = sha256(prevHash + entry), from a fixed genesis to the current head. Any tampering breaks the chain; the evidence pack verifies it end to end.

Access and authentication

Sign-in is email and password, with every session organization- and role-scoped. Administrators can require MFA on their organization. Sensitive actions run through a signed command layer with bot protection (Google reCAPTCHA Enterprise) in front of them, so an automated client cannot drive them.

Single sign-on and SCIM provisioning are available on Enterprise, so joiners and leavers flow from your identity provider rather than a spreadsheet.

Retention and erasure

Training records, drill history, and the audit trail are retained for five years after an employee leaves by default — configurable per contract where a sector asks for longer or shorter.

A GDPR erasure request scrubs identifying details from the profile. The audit chain itself is never edited or deleted: existing entries keep standing and resolve to a de-identified actor reference. An evidence carve-out, not a loophole.

Under the AI Act

Temja is an educational tool, not a high-risk AI system. Drills are scripted simulations running on deterministic logic — not an autonomous system deciding employment, credit, or access. Adopting Temja does not add a new system to your AI inventory; it closes the training-duty gap Article 4 already opened.

We run Temja against our own staff and export our own Article 4 evidence pack. If we would not stake our own audit on it, we would not ask you to.

Works councils

Drill reporting has an aggregate-only mode: catch rates and completion by team, never a named leaderboard of who was fooled. It is designed for Swedish and German works-council expectations, so training does not become surveillance. Individual records still exist for the learner and for audit; the management view can be locked to aggregates by policy.

Boundaries

  • 01Not legal advice. We teach the reflex; your counsel owns the obligation.
  • 02Not a certification body. We produce evidence of competence, not an accredited certificate.
  • 03The simulator never touches real systems. Every tool call in a drill is staged; nothing inside it can reach production.

Responsible disclosure

Report it to security@temja.eu. We operate a 90-day coordinated disclosure window and will keep you credited and informed throughout.

Contact: mailto:security@temja.eu

Expires: reviewed annually

Preferred-Languages: en, sv

Policy: 90-day coordinated disclosure

subprocessors

Who processes your data

The providers below process data on Temja's behalf, each with a defined role and an EU-first footprint where the provider offers one. A current data-processing agreement is in place with each.

SubprocessorRoleRegion
Firebase / Google CloudAuthentication, database, hosting, bot protectioneurope-west (EU)
Lemon SqueezyBilling and invoicing (merchant of record)EU VAT handled at source
ResendTransactional emailEU routing
PostHogProduct analytics (aggregated)EU Cloud
SentryError monitoringEU (Frankfurt) data region

See the audit trail before you buy it.

Run the 3-minute drill to feel the failure the evidence pack documents — then start with your team to watch the real, hash-chained audit chain build itself, event by event.