FAQ: Security & Privacy
Sally AI follows strict data protection and security standards. All data is encrypted at rest using AES-256 and in transit via TLS/SSL. Access is protected by role-based access controls and multi-factor authentication. All access and changes are recorded in a comprehensive audit log. Sally is fully GDPR-compliant, aligned with SOC 2 standards, and operated in ISO 27001-certified data centers. Organizations can additionally define their own privacy policies.
All meeting data is hosted in European data centers only, preferably in Germany, or alternatively in other EU regions such as Ireland or the Netherlands. Personal data is never processed or stored outside the EU - no exceptions. Sally is also actively working to migrate all services entirely to Germany. For organizations with specific requirements, Sally offers on-premises data storage in the customer's own infrastructure.
No. Your meeting data is never used for AI model training or any other proprietary purposes. Sally acts as a data processor (Art. 4(8) GDPR) and processes data exclusively on the customer's instructions to deliver the agreed-upon service. Before the language model processes it, personal data is pseudonymized by masking it with placeholders. Organizations with particularly strict requirements can configure Sally to use only their own LLMs, ensuring no data is sent to external AI services.
Sally automatically ensures transparency in accordance with Art. 13/14 GDPR: when joining a meeting, Sally posts a privacy notice with a link to the privacy information sheet directly in the meeting chat. This notice informs participants about the type and purpose of data processing, retention periods, and their rights. We also recommend briefly announcing Sally's participation at the start of the meeting and incorporating this into your internal meeting guidelines. Participants can object at any time by typing "opt out" in the chat - Sally will immediately leave the meeting and irrevocably delete all data recorded up to that point.
Additionally, Sally can be configured to notify meeting participants via email ahead of time about Sally's participation. Participants must then actively give their consent before Sally joins the meeting - without consent, Sally will not participate.
Yes. As the data controller, you can instruct Sally to completely delete your data at any time. Sally processes deletion requests within 5 business days. Additionally, Sally supports the fulfillment of all GDPR data subject rights: access, rectification, erasure, restriction, data portability, and objection. Temporary processing data (e.g. from the audio pipeline) is automatically deleted once processing is complete. After contract termination, all data is deleted or returned in a machine-readable format within 30 days - confirmed in writing.
Yes. Sally concludes a GDPR-compliant Data Processing Agreement (DPA) under Art. 28 GDPR with all customers. The DPA covers purpose limitation, deletion obligations, technical and organizational measures (TOMs), and subprocessor management. It includes annexes on TOMs, records of processing activities, subprocessor list, Data Protection Impact Assessment (DPIA), and an AI compliance statement under the EU AI Act. You can request and digitally sign the DPA directly online.
Yes. Sally AI is classified as Limited Risk under the EU AI Act and fulfills all applicable transparency obligations. Sally clearly identifies itself as an AI-powered service and provides comprehensive documentation on how data is processed. A detailed AI compliance statement is included with the DPA.