Data Protection at Sally AI – Built on Trust

Our Philosophy

Data protection is not an afterthought at Sally AI — it is part of our DNA. Every feature we build, every infrastructure decision we make, and every process we design starts with one question: How do we protect our customers' data?

We process data strictly for the agreed contractual purposes and follow the core GDPR principles:

  • Lawfulness — We always have a clear legal basis
  • Purpose limitation — Data is used only for what was agreed
  • Data minimization — We collect only what is necessary
  • Transparency — You always know what happens with your data

GDPR Compliance

Sally AI fully complies with the EU General Data Protection Regulation (GDPR). This is not just a claim — it is backed by concrete measures:

  • A Data Processing Agreement (DPA) under Article 28 GDPR for every customer
  • Documented technical and organizational measures (TOMs) that are regularly reviewed and updated
  • A comprehensive Data Protection Impact Assessment (DPIA) per Article 35 GDPR
  • Regular internal audits and security reviews
  • Transparent communication about the nature, purpose, and scope of all processing

SOC 2 Commitment

We have committed to aligning our security practices with SOC 2 standards. SOC 2 is one of the most recognized frameworks for evaluating a service organization's controls related to security, availability, and confidentiality.

This means we continuously evaluate and strengthen our controls to meet SOC 2 requirements — giving you additional assurance that your data is handled with the highest level of care and accountability.


Germany-First Hosting

We are actively working to host all data and services in Germany. While this is not yet fully achievable for every component — some services are hosted in other EU countries like Ireland or the Netherlands — we are committed to this goal and continuously migrating workloads.

What we can guarantee today:

  • All data stays within the European Union — always
  • No transfers to third countries — under any circumstances
  • Our primary infrastructure runs in Germany, with EU-based alternatives where needed
  • On-premises storage is available: we can store data in your own MS SQL database, keeping it entirely within your infrastructure
  • Bring your own LLM: customers can provide their own language models, so no data leaves their environment for AI processing

Data Masking Before AI Processing

A key part of our privacy-by-design approach: personal data is masked before it is sent to any large language model (LLM). Before any content reaches the AI for analysis or summarization, we replace personally identifiable information — such as names, email addresses, and other sensitive data — with anonymized placeholders.

This means: no personal data enters the LLM. The AI works only with masked content, and the original data is restored afterwards within our own secure infrastructure. This ensures that even the AI processing layer never has access to your users' identities.
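A minimal sketch of the mask-then-restore flow described above, added here as an illustration; it is not Sally AI's implementation. The regex patterns, the `Masker` class, the caller-supplied name list and the sample text are all assumptions.

```python
import re

# Constructed patterns for this sketch; real detectors need broader coverage.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+\d[\d /-]{6,}\d")
PLACEHOLDER_RE = re.compile(r"\[(?:EMAIL|PHONE|NAME)_\d+\]")


class Masker:
    """Reversible masking; the placeholder map never leaves this process."""

    def __init__(self, known_names=()):
        # Assumption: names come from a caller-supplied list (e.g. attendees).
        # Longest first, so a full name is matched before a first name alone.
        self.names = sorted(known_names, key=len, reverse=True)
        self.forward = {}  # original value -> placeholder
        self.reverse = {}  # placeholder -> original value

    def _token(self, kind, value):
        # A repeated value reuses its placeholder, so the model can still
        # tell that two mentions refer to the same person or address.
        if value not in self.forward:
            n = sum(p.startswith(f"[{kind}_") for p in self.reverse) + 1
            self.forward[value] = f"[{kind}_{n}]"
            self.reverse[self.forward[value]] = value
        return self.forward[value]

    def mask(self, text):
        # E-mail addresses first: they may contain a known name.
        text = EMAIL_RE.sub(lambda m: self._token("EMAIL", m.group(0)), text)
        text = PHONE_RE.sub(lambda m: self._token("PHONE", m.group(0)), text)
        for name in self.names:
            text = re.sub(rf"\b{re.escape(name)}\b",
                          lambda m: self._token("NAME", m.group(0)), text)
        return text

    def restore(self, text):
        # Placeholders the model invented (absent from the map) stay as-is.
        return PLACEHOLDER_RE.sub(
            lambda m: self.reverse.get(m.group(0), m.group(0)), text)


def demo():
    # Constructed transcript line and constructed model reply.
    m = Masker(known_names=["Ben", "Anna Schmidt"])
    masked = m.mask("Anna Schmidt (anna.schmidt@example.com, +49 30 1234567) "
                    "asked Ben to call Anna Schmidt back.")
    reply = "Action item: [NAME_2] calls [NAME_1] at [PHONE_1]; cc [NAME_9]."
    return masked, m.restore(reply)
```

Only the masked string would be sent to the model; the `forward` and `reverse` maps stay on the caller's side and are what make restoration possible.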


We Act as a Data Processor

  • Our customers are the data controllers under the GDPR
  • Sally AI acts solely as a data processor, processing personal data only on documented instructions from the customer
  • We never use customer data for our own purposes — no AI model training, no analytics, no profiling
  • Personal data is masked before AI processing — the LLM never sees identifiable information
  • Legal responsibility for data protection remains with the customer at all times

Data Protection = Security + Transparency

We view data protection as both a legal duty and a core part of our security and quality standards. To ensure protection and accountability, we apply:

  • Encryption at rest (AES-256) and in transit (TLS/SSL)
  • Role-based access controls and multi-factor authentication
  • Transparent communication about the nature, purpose, and scope of processing
  • Continuous monitoring and automated incident detection