Trust & security
Built for teams that can't afford mistakes.
Every line of money-touching code is reviewed, audited, and logged. Below is how we keep your data — and your auditors — at ease.
security@saya-io.com
Pen test report available under NDA
Infrastructure
The foundation
AES-256 at rest
Per-tenant keys, rotated quarterly
TLS 1.3 in transit
Modern ciphers only · HSTS preload
SOC 2 Type II
In progress with Vanta
EU / US data residency
Pick the region per workspace
99.9% uptime SLA
Multi-AZ, automatic failover
Compliance
Frameworks we align to
GDPR
EU data residency, DSARs, right-to-erasure
CCPA
California consumer privacy rights
HIPAA-ready
BAA available on Enterprise
PCI DSS
Stripe handles all cardholder data
Security features
Controls that ship by default
- RBAC with custom roles
- SSO / SAML (Okta · Azure AD · Google)
- SCIM provisioning
- MFA + backup codes
- JWT blacklisting on logout
- Row-level security at the database
- Tamper-evident audit log (7 years on Enterprise)
- Per-field encryption for banking data
Sub-processors
Who touches your data
The vendors below process data on our behalf. We notify you 30 days before adding any new sub-processor.
| Vendor | Purpose | Data processed | Region |
|---|---|---|---|
| Anthropic | LLM inference | Prompts + context | US |
| Supabase | Auth | Credentials | US + EU |
| Stripe | Payments | Billing data | US |
| AWS | Infrastructure | All data | US + EU |
| Redis | Session cache | Session tokens | US |
| OpenAI | Embeddings | Document chunks | US |
Whitepaper
Request the security whitepaper
A 22-page PDF covering threat model, key management, incident response, and our SOC 2 status. Delivered by email.
Have a specific compliance question? Email security@saya-io.com — we usually reply within a business day.