
Frequently Asked Questions

Find quick answers to the most common questions about data protection, security, and compliance at Sally AI. If your question isn't listed here, reach out to us at:

📧 privacy@sally.io


GDPR & Compliance

Is Sally AI GDPR-compliant?

Yes. Sally AI fully complies with the EU General Data Protection Regulation (GDPR). We operate under a GDPR-compliant Data Processing Agreement (DPA) with all customers, implement comprehensive technical and organizational measures (TOMs), and conduct regular audits.

Is Sally AI ISO 14001 and ISO 9001 certified?

We are actively working toward ISO 14001 (environmental management) and ISO 9001 (quality management) certification, both expected as of June 2026. Our processes are systematically monitored and continuously improved.

Is Sally AI a data controller or a data processor?

Sally AI acts as a data processor (GDPR Art. 4(8)). The customer is the data controller (GDPR Art. 4(7)) and defines the purposes and means of processing.

Does Sally AI use customer data for AI model training?

No. Customer data is never used for model training or any of our own purposes. We process data solely to deliver the agreed service.

Is there a Data Processing Agreement (DPA) available?

Yes. A GDPR-compliant DPA under Article 28 GDPR is signed with all customers. You can download it at sally.io/dpa.


Hosting & Data Location

Where is my data stored?

All data is stored in German data centers at Hetzner. Until end of May 2026, some components may still be hosted in other EU locations like Ireland or the Netherlands. From end of May 2026, all storage will be exclusively in Germany.

Does Sally AI transfer data outside the EU?

No. Personal data is never processed or stored outside the European Union. There are no exceptions.

Does Sally AI host everything in Germany?

From end of May 2026, all services and data will be hosted exclusively in German data centers at Hetzner. Until then, some components may still rely on infrastructure in other EU countries (e.g., Ireland, Netherlands). Your data will never be stored outside the EU.

Can I choose where my data is stored?

The default storage location is within the EU, primarily Germany at Hetzner. From end of May 2026, storage will be exclusively in Germany. Contact us for details on additional options.

Can Sally AI store data in my own infrastructure?

Yes. Sally AI supports on-premises data storage in the customer's own MS SQL database. This gives you full control over where your data resides, and it never leaves your infrastructure.

Can I use my own LLM instead of Azure OpenAI?

Yes. If your organization operates its own language models, Sally AI can be configured to use customer-provided LLMs exclusively. This ensures that no data is sent to any external AI service for processing.


Security

What security measures does Sally AI implement?

Our technical and organizational measures (TOMs) include:

  • AES-256 encryption at rest and TLS/SSL in transit
  • Role-based access control and multi-factor authentication
  • Comprehensive audit logging of all access and changes
  • Continuous monitoring and automated alerting
  • DDoS protection and rate limiting
  • Hosting in ISO 27001-certified data centers

Does Sally AI perform regular security audits?

Yes. Our technical and organizational measures are reviewed and documented at least quarterly. We also align our practices with ISO 27001, ISO 14001, and ISO 9001 standards.


Data Retention & Deletion

How long does Sally AI retain data?

  • During the contract term: Only as long as necessary for agreed purposes
  • Temporary processing data (e.g., audio pipeline artifacts) is automatically deleted after processing
  • After contract termination: Deletion or return within 30 days, confirmed in writing

Can I request deletion of my data?

Yes. As the data controller, you can instruct us to delete data at any time. We execute deletion requests without undue delay, within 5 business days.


User Rights

How does Sally AI support data subject requests?

We support you in fulfilling access, rectification, erasure, restriction, data portability, and objection requests. We execute technical requests on your documented instructions within 5 business days.

How can I inform meeting participants about Sally AI?

  • Announce Sally AI's presence at the start of each meeting
  • Sally automatically posts a privacy notice with a link to a data protection information sheet in the meeting chat
  • We recommend embedding this process in your meeting guidelines

Subprocessors & Contracts

Which subprocessors does Sally AI use?

Our main subprocessors include Microsoft Azure, AWS, DeepL, Stripe, Strato, and Azure OpenAI, all with EU-based infrastructure. The full list is in Annex 3 of the DPA.

Can I request a copy of the subprocessor list?

Yes. The subprocessor list is included in the DPA and can be provided upon request at any time.


Incidents

How will I be notified in case of a data breach?

We notify customers within 24 hours of becoming aware of a personal data breach, including details about the nature, scope, affected data, and measures taken.

Who is the contact for data protection?

Data Protection Officer: Norton Engele 📧 privacy@sally.io


What documentation is available?

  • Data Processing Agreement (DPA / AVV)
  • Technical and Organizational Measures (TOMs)
  • List of Subprocessors
  • Data Protection Impact Assessment (DPIA)
  • AI Compliance Statement (EU AI Act)

All documents are available in our Download Center.