Our Security & Compliance
GDPR Compliance
A GDPR-compliant DPA under Article 28 is available for every customer and strongly recommended before processing personal data.
Our technical and organisational measures are fully documented and reviewed at least once per quarter.
A comprehensive DPIA has been conducted and is kept up to date in line with Article 35 GDPR.
Ongoing internal security reviews ensure our controls remain effective and up to date.
We document and communicate the nature, purpose, and scope of all processing activities clearly.
EU AI Act
Under the EU AI Act, Sally AI is classified as a Limited Risk system. This means AI systems that interact with people must clearly disclose that they are AI. Sally AI meets all applicable transparency requirements.
Sally AI does not fall into any prohibited or high-risk use case categories — there is no biometric identification, no social scoring, and no use in employment or credit decision-making.
Technical Measures (TOMs)
- ✓ TLS/SSL for all data in transit
- ✓ AES-256 for all data at rest
- ✓ MFA on all internal systems
- ✓ Role-based access control (RBAC) — least privilege
- ✓ Tenant-level data separation
- ✓ Audit logging of all access and changes
- ✓ Continuous monitoring + automated anomaly alerts
- ✓ DDoS protection + rate limiting
- ✓ Microsoft Sentinel / Azure Security Center
- ✓ Geo-redundant backups
- ✓ Personal data masked BEFORE any LLM processing
- ✓ Names & emails replaced with anonymised placeholders
- ✓ Original data restored in our own secure infrastructure
- ✓ Azure OpenAI deployed in EU region — no data leaves EU
- ✓ Microsoft: submitted data NOT used to train OpenAI models
- ✓ Confidentiality commitments for all staff
- ✓ Recurring privacy & security training
- ✓ Need-to-know + dual-control principles
- ✓ Regular security awareness programmes
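As an added illustration of the masking flow described in the three bullets above (example code, not Sally AI's own implementation), the following Python replaces e-mail addresses and a supplied list of known names with numbered placeholders before a text is handed to a model, then maps the placeholders in the model's answer back to the originals. The placeholder format, the assumption that names are known up front (from the record the text belongs to, rather than detected with NER), and the sample text are all constructed for this example.

```python
"""Pseudonymise names and e-mail addresses before LLM processing, restore afterwards.

Added example, not the product's own code. Assumptions: names to mask are known
up front; placeholders look like [EMAIL_1] / [NAME_2]; restoration happens on the
trusted side only, so the mapping never leaves our own infrastructure.
"""
import re
from dataclasses import dataclass, field

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PLACEHOLDER_RE = re.compile(r"\[(?:EMAIL|NAME)_\d+\]")


@dataclass
class Pseudonymiser:
    known_names: list[str]
    mapping: dict[str, str] = field(default_factory=dict)  # placeholder -> original

    def _placeholder(self, kind: str, original: str) -> str:
        # Reuse the placeholder if this value has already been seen (case-insensitive).
        for ph, orig in self.mapping.items():
            if ph.startswith(f"[{kind}_") and orig.lower() == original.lower():
                return ph
        n = sum(1 for p in self.mapping if p.startswith(f"[{kind}_")) + 1
        ph = f"[{kind}_{n}]"
        self.mapping[ph] = original
        return ph

    def mask(self, text: str) -> str:
        # E-mails first, so a name inside a local part is not split into two tokens.
        text = EMAIL_RE.sub(lambda m: self._placeholder("EMAIL", m.group(0)), text)
        # Longest names first, so "Anna Meier" is matched before a bare "Anna" would be.
        for name in sorted(self.known_names, key=len, reverse=True):
            pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
            text = pattern.sub(lambda m, n=name: self._placeholder("NAME", n), text)
        return text

    def restore(self, text: str) -> str:
        # Placeholders the model invented (not in the mapping) are left untouched.
        return PLACEHOLDER_RE.sub(lambda m: self.mapping.get(m.group(0), m.group(0)), text)


# Constructed sample input; the model answer is constructed too.
SAMPLE_TEXT = "Anna Meier (anna.meier@example.com) asked Tom Becker to reply to anna.meier@example.com."
SAMPLE_ANSWER = "Dear [NAME_1], I have forwarded your request to [NAME_2]. Regards, [NAME_3]"


def run_demo() -> tuple[str, str, str]:
    p = Pseudonymiser(known_names=["Anna Meier", "Tom Becker"])
    masked = p.mask(SAMPLE_TEXT)          # this is what the LLM gets to see
    return masked, p.restore(masked), p.restore(SAMPLE_ANSWER)
```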
SOC 2 & ISO 27001
We are actively working toward SOC 2 Type II certification. Controls are reviewed and documented quarterly. The report will be available on request once certification is complete.
Hosted in ISO 27001-certified EU data centers (Microsoft Azure). Security management is aligned with ISO 27001 principles including regular reviews, risk analysis, and control assessments.
Roles & Responsibilities
Sally AI (processor)
- ✓ Processes data only on documented customer instructions
- ✓ No use of data for own purposes
- ✓ No AI training on customer data — ever
- ✓ Supports data subject requests within 5 business days
Customer (data controller)
- ✓ Defines the purposes and means of processing
- ✓ Selects the lawful basis for processing
- ✓ Informs end users about data processing
- ✓ Responds to data subject rights requests
Incident Response
Automated detection via Microsoft Sentinel and Azure Security Center continuously monitors for anomalies and security events.
Immediate response actions are taken to limit impact and stabilise affected systems.
Root-cause analysis is conducted, the issue is fixed, and affected services and data are recovered.
Customers are notified without undue delay — no later than 24 hours after we become aware of the incident, as required by the DPA.
A full incident report is produced including a complete impact assessment and lessons-learned documentation.
Notifying supervisory authorities (GDPR Art. 33 — 72-hour deadline) is the responsibility of the data controller (customer). We support assessment and documentation throughout the process.
Penetration Testing
- ✓ Annual external penetration tests conducted by independent security firms
- ✓ Scope covers: application layer, infrastructure, and access controls
- ✓ Full reports available to customers on request
- 📧 Contact: privacy@sally.io
Full technical details are in Annex 1 (TOMs) of the DPA, which is available for download.