Your Data Deserves the Highest Standard of Protection
At Sally AI, data protection is not a checkbox — it is a core principle that shapes every decision we make. We believe that trust is built through transparency, security, and accountability.
This documentation gives you full visibility into how we handle your data, what measures we take to protect it, and how we support you in meeting your own compliance obligations.
Our Commitments at a Glance
| | Commitment | What it means for you |
|---|---|---|
| GDPR | Fully compliant with the EU General Data Protection Regulation | Your data is processed lawfully, transparently, and only for agreed purposes |
| SOC 2 | Committed to SOC 2 compliance | We continuously align our security controls with SOC 2 standards for trust, availability, and confidentiality |
| EU-only | All data stays within the European Union | No transfers to third countries — ever |
| Germany first | We actively work to host everything in Germany | Where not yet possible, we use other EU locations — but never outside the EU |
| No AI training | Your data is never used for model training | We process data solely for the agreed service — nothing more |
| Data masking | Personal data is masked before AI processing | No identifiable information ever reaches the language model |
| Encryption | AES-256 at rest, TLS/SSL in transit | Your data is protected at every stage |
What You'll Find Here
Data Protection at Sally
Our principles, GDPR compliance, and our commitment to SOC 2 — learn what drives our approach to data protection.
Data Processing
What data we collect, why we collect it, where it is stored, and how long we keep it — clearly explained.
Security & TOMs
Encryption, access controls, monitoring, SOC 2 alignment, and ISO 27001-certified infrastructure — our technical and organizational safeguards in detail.
Roles & Responsibilities
Who is responsible for what — the relationship between you as data controller and Sally AI as data processor.
Hosting & Infrastructure
Our Germany-first hosting strategy, all subprocessors listed, and why your data never leaves the EU.
Your Rights
How we support you in fulfilling data subject requests — access, correction, deletion, and more.
Data Breaches
What happens in the event of a security incident — detection, response, and notification within 24 hours.
Data Processing Agreement (DPA)
Everything about our DPA under Article 28 GDPR — contents, annexes, and how to get your copy.
FAQs
Quick answers to the most common questions about privacy, hosting, SOC 2, and compliance.
Downloads
All legal and compliance documents in one place — DPA, TOMs, subprocessor list, DPIA, and more.
Contact Our Data Protection Team
Have questions or need assistance? We're here to help.
Data Protection Officers: Fabian Kissel & Norton Engele 📧 privacy@sally.io
Last updated: February 2026