Frequently Asked Questions
Find quick answers to the most common questions about data protection, security, and compliance at Sally AI. If your question isn't listed here, reach out to us at:
📧 privacy@sally.io
GDPR & Compliance
Is Sally AI GDPR-compliant?
Yes. Sally AI is designed and operated to comply with the EU General Data Protection Regulation (GDPR). We sign a Data Processing Agreement (DPA) under Article 28 GDPR with every customer, implement documented technical and organizational measures (TOMs), and review those measures through regular audits.
Is Sally AI SOC 2 compliant?
We have committed to aligning our security practices with the SOC 2 Trust Services Criteria. We continuously evaluate and strengthen our controls for security, availability, and confidentiality against those criteria.
Is Sally AI a data controller or a data processor?
Sally AI acts as a data processor (GDPR Art. 4(8)). The customer is the data controller (GDPR Art. 4(7)) and defines the purposes and means of processing.
Does Sally AI use customer data for AI model training?
No. Customer data is never used for model training or any of our own purposes. We process data solely to deliver the agreed service.
Is there a Data Processing Agreement (DPA) available?
Yes. A DPA under Article 28 GDPR is signed with all customers. You can download it at sally.io/dpa.
Hosting & Data Location
Where is my data stored?
All data is stored in data centers within the European Union — primarily in Germany, with some services in other EU locations like Ireland or the Netherlands.
Does Sally AI transfer data outside the EU?
No. Personal data is never processed or stored outside the European Union. There are no exceptions.
Is Sally AI working to host everything in Germany?
Yes. We are actively working to move all services and data to German data centers. While some components currently rely on infrastructure in other EU countries (e.g., Ireland, Netherlands), we are committed to migrating workloads to Germany wherever possible. Your data will never be stored outside the EU.
Can I choose where my data is stored?
The default storage is within the EU, primarily Germany. Specific EU locations may be available depending on hosting options — contact us for details.
Can Sally AI store data in my own infrastructure?
Yes. Sally AI supports on-premises storage in the customer's own Microsoft SQL Server database, so stored data never leaves your infrastructure. Note that this covers data at rest; content sent to the configured language model for processing is addressed in the next question.
Can I use my own LLM instead of Azure OpenAI?
Yes. If your organization operates its own language models, Sally AI can be configured to use customer-provided LLMs exclusively. In that configuration no data is sent to any external AI service for processing.
Security
What security measures does Sally AI implement?
Our technical and organizational measures (TOMs) include:
- AES-256 encryption at rest and TLS encryption in transit
- Role-based access control and multi-factor authentication
- Comprehensive audit logging of all access and changes
- Continuous monitoring and automated alerting
- DDoS protection and rate limiting
- Hosting in ISO 27001-certified data centers
Does Sally AI perform regular security audits?
Yes. Our technical and organizational measures are reviewed and documented at least quarterly. We also align our practices with SOC 2 standards.
Data Retention & Deletion
How long does Sally AI retain data?
- During the contract term: Only as long as necessary for the agreed purposes
- Temporary processing data (e.g., audio pipeline artifacts): Deleted automatically once processing is complete
- After contract termination: Deletion or return within 30 days, confirmed in writing
Can I request deletion of my data?
Yes. As the data controller, you can instruct us to delete data at any time. We execute deletion requests without undue delay, within 5 business days.
User Rights
How does Sally AI support data subject requests?
We support you in fulfilling access, rectification, erasure, restriction, data portability, and objection requests. We execute technical requests on your documented instructions within 5 business days.
How can I inform meeting participants about Sally AI?
- Announce Sally AI's presence at the start of each meeting
- Sally automatically posts a privacy notice with a link to a data protection information sheet in the meeting chat
- We recommend embedding this process in your meeting guidelines
Subprocessors & Contracts
Which subprocessors does Sally AI use?
Our main subprocessors include Microsoft Azure, AWS, DeepL, Stripe, Strato, and Azure OpenAI — all with EU-based infrastructure. The full list is in Annex 3 of the DPA.
Can I request a copy of the subprocessor list?
Yes. The subprocessor list is included in the DPA and can be provided upon request at any time.
Incidents
How will I be notified in case of a data breach?
We notify customers within 24 hours of becoming aware of a personal data breach, including details about the nature, scope, affected data, and measures taken.
Who is the contact for data protection?
Data Protection Officer: Norton Engele, 📧 privacy@sally.io
What documentation is available?
- Data Processing Agreement (DPA / AVV)
- Technical and Organizational Measures (TOMs)
- List of Subprocessors
- Data Protection Impact Assessment (DPIA)
- AI Compliance Statement (EU AI Act)
All documents are available in our Download Center.