Draft
Draft. This document is under legal review and is not yet in effect.
This page says what Sayli's security posture is today. It also says what we do not have yet, because a security page you cannot trust is worthless.
What we do
Encryption in transit
All traffic runs over TLS, including audio streaming.
Encryption at rest
All stored data is encrypted at rest with Google Cloud's default encryption.
Tenant isolation
Every query that touches user data is scoped to your organization in the data model itself. Vector search carries the same per-organization filter.
Redaction at ingest
Card numbers, government identifiers, phone numbers, email addresses, and IP addresses are masked before transcript text is stored or sent to a language model.
Object access
Recordings and files live in a private bucket. Access is through short-lived signed URLs minted per request, never public links.
Authentication
Sign in with Google or Apple, or a passwordless email link. Sessions use short-lived access tokens with rotating refresh tokens. The desktop app keeps its session in the operating system keychain.
Audit log
State-changing actions are recorded per organization: who did what, to which resource, when.
Telemetry hygiene
Error reports are scrubbed of transcript text, questions, answers, and tokens before they leave our systems. Analytics events carry feature usage, never call content.
Abuse limits
Per-account and per-IP rate limits bound every endpoint, tightest on unauthenticated ones.
What we do not have yet
We would rather tell you now than have you find out in a vendor review.
- No SOC 2 report. A SOC 2 program is planned, not started. We claim no certifications of any kind today.
- No HIPAA business associate agreements exist with us or our vendors. Sayli is not suitable for PHI today. A dedicated compliant inference path is on the enterprise roadmap.
- No SAML single sign-on and no SCIM provisioning. Both are on the enterprise roadmap.
- No self-hosted deployment.
- No public status page yet.
- No bug bounty program yet. Reports are still welcome, see below.
Subprocessors
The third parties that touch customer data, and what each one sees, are listed at Subprocessors.
Reporting a vulnerability
Email security@sayli.ai. Include steps to reproduce. We will acknowledge your report and keep you informed while we fix it. Machine-readable details live at /.well-known/security.txt.