Our Security & Compliance
This page is your single source of truth for security and compliance at Sally AI. It documents our technical and organisational measures (TOMs), GDPR conformity, and our role split as a Data Processor. Detailed topics such as the EU AI Act, ISO certifications, and our incident-response process have their own subpages, linked at the bottom. The full underlying documents (TOMs, RoPA, DPIA, AI Act statement) are available in the Download Center.
GDPR Compliance
A GDPR-compliant Data Processing Agreement (DPA) under Article 28 is available to every customer and must be in place before we process personal data on the customer's behalf, since Article 28(3) GDPR requires a written contract between controller and processor.
Our technical and organisational measures are fully documented and reviewed at least once per quarter.
A comprehensive DPIA has been conducted and is kept up to date in line with Article 35 GDPR.
Ongoing internal security reviews ensure our controls remain effective and up to date.
We document and communicate the nature, purpose, and scope of all processing activities clearly.
Technical and Organisational Measures (TOMs)
Technical measures:
- ✓TLS for all data in transit
- ✓AES-256 for all data at rest
- ✓MFA on all internal systems
- ✓Role-based access control (RBAC) with least privilege
- ✓Tenant-level data separation
- ✓Audit logging of all access and changes
- ✓Continuous monitoring with automated anomaly alerts
- ✓DDoS protection and rate limiting
- ✓Microsoft Sentinel / Microsoft Defender for Cloud (formerly Azure Security Center)
- ✓Geo-redundant backups
AI processing:
- ✓Personal data masked before any LLM processing
- ✓Names and email addresses replaced with pseudonymous placeholders; because the mapping back to the originals is kept, this is pseudonymisation in the sense of Article 4(5) GDPR, not anonymisation
- ✓Original data restored only within our own secure infrastructure, after the model response has been received; the placeholder mapping never leaves it
- ✓Azure OpenAI deployed in an EU region, so prompts and outputs do not leave the EU
- ✓Microsoft does not use submitted data to train OpenAI models
Organisational measures:
- ✓Confidentiality commitments for all staff
- ✓Recurring privacy and security training
- ✓Need-to-know and dual-control principles
- ✓Regular security awareness programmes
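The mask-before-model, restore-after-model flow described in the AI processing items above, as an added illustration (this is example code, not Sally AI's implementation). It assumes two things that the real pipeline would have to guarantee: the participant names to mask are known in advance (here a constructed list, as a meeting assistant would take from the invite), and the model returns the placeholder tokens verbatim, which is what makes restoration possible. Email addresses are found with a regex; the transcript, the participant list and the stand-in model are all constructed for the example.

```python
"""Reversible PII pseudonymisation around an LLM call (added example).

Assumptions: participant names are supplied by the caller; the remote model
echoes placeholders unchanged.  The placeholder mapping stays in this process.
"""
import re
from typing import Callable, Dict, List

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PLACEHOLDER_RE = re.compile(r"\[(?:NAME|EMAIL)_\d+\]")


class PiiVault:
    """Placeholder <-> original mapping. Only masked text crosses the
    trust boundary; this object is never serialised or sent anywhere."""

    def __init__(self) -> None:
        self._to_placeholder: Dict[str, str] = {}
        self._to_original: Dict[str, str] = {}
        self._count: Dict[str, int] = {"NAME": 0, "EMAIL": 0}

    def placeholder(self, kind: str, original: str) -> str:
        # Same value -> same placeholder, so the model still sees that two
        # mentions refer to one entity without learning who it is.
        if original not in self._to_placeholder:
            self._count[kind] += 1
            token = f"[{kind}_{self._count[kind]}]"
            self._to_placeholder[original] = token
            self._to_original[token] = original
        return self._to_placeholder[original]

    def restore(self, text: str) -> str:
        # A placeholder the model invented is left as-is rather than being
        # mapped onto somebody else's data.
        return PLACEHOLDER_RE.sub(
            lambda m: self._to_original.get(m.group(0), m.group(0)), text)


def mask(text: str, known_names: List[str], vault: PiiVault) -> str:
    # Emails first so the name matcher never touches address parts; names
    # longest-first so "Anna Schmidt" wins over a bare "Anna".
    masked = EMAIL_RE.sub(lambda m: vault.placeholder("EMAIL", m.group(0)), text)
    for name in sorted(known_names, key=len, reverse=True):
        masked = re.sub(r"\b" + re.escape(name) + r"\b",
                        lambda m: vault.placeholder("NAME", m.group(0)), masked)
    return masked


def leaked(masked: str, known_names: List[str]) -> List[str]:
    """Independent check run before anything is sent: any email address or
    known name still present in the masked text."""
    still_there = EMAIL_RE.findall(masked)
    still_there += [n for n in known_names
                    if re.search(r"\b" + re.escape(n) + r"\b", masked)]
    return still_there


def run_masked(text: str, known_names: List[str],
               model: Callable[[str], str]) -> str:
    vault = PiiVault()
    masked = mask(text, known_names, vault)
    if leaked(masked, known_names):
        raise ValueError("personal data would cross the trust boundary")
    answer = model(masked)        # only placeholders go to the model
    return vault.restore(answer)  # originals re-inserted locally


def simulated_model(prompt: str) -> str:
    """Constructed stand-in for the remote model (not Azure OpenAI): it sees
    only placeholders and, as assumed, returns them verbatim."""
    names = re.findall(r"\[NAME_\d+\]", prompt)
    emails = re.findall(r"\[EMAIL_\d+\]", prompt)
    return f"Action item: {names[0]} sends the deck to {emails[0]}."


# Constructed sample input.
TRANSCRIPT = ("Anna Schmidt: I'll send the deck to Ben Okoro tonight. "
              "Ben Okoro: Use ben.okoro@example.com, not my old address. "
              "Anna Schmidt: Noted, Ben.")
PARTICIPANTS = ["Anna Schmidt", "Ben Okoro", "Ben"]

if __name__ == "__main__":
    print(mask(TRANSCRIPT, PARTICIPANTS, PiiVault()))
    print(run_masked(TRANSCRIPT, PARTICIPANTS, simulated_model))
```

Two practical caveats follow from the code. Detection here is list- and regex-based, so anything it does not recognise (a nickname, a phone number, a name only mentioned in speech and not on the invite) is sent in clear; a production pipeline needs a proper entity recogniser plus the `leaked` style pre-send check. And restoration depends on the model preserving placeholders exactly; if it rewrites `[NAME_1]` as "Name 1", that mention is simply lost, which is the safe failure direction.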
Roles & Responsibilities
Sally AI as Data Processor:
- ✓Processes data only on documented customer instructions
- ✓No use of customer data for our own purposes
- ✓No AI training on customer data, ever
- ✓Supports data subject requests within 5 business days
Customer as Data Controller:
- ✓Defines the purposes and means of processing
- ✓Selects the lawful basis for processing
- ✓Informs end users about the data processing
- ✓Responds to data subject rights requests
More on Security & Compliance
- EU AI Act: our Limited Risk classification, transparency obligations, and how meeting participants are informed.
- ISO certifications: certified to ISO 27001, 14001, and 9001, run as one integrated management system; the certificate can be verified online.
- Incident response: our 5-step incident-response process, 24-hour customer notification, and annual external pentests.
- Download Center: full technical details are in Annex 1 (TOMs) of the DPA.