Overview
Privacy isn't a checkbox. It's a commitment. Sally AI is built on the principle that your data belongs to you: it stays within the EU, primarily in Germany at Hetzner, is masked before any AI model ever touches it, and is never used to train or improve language models. We hold ourselves to the highest European data protection standards so you can focus on getting value from AI, without compromise.
Compliance & Certifications
Fully compliant with the EU General Data Protection Regulation. GDPR-compliant DPA under Art. 28 with every customer.
All data is stored in the EU, primarily in Germany at Hetzner. No third-country transfers, ever. From end of July 2026, exclusively in German data centers at Hetzner.
All personal data is masked before being processed by any language model. Identifiable information never reaches the AI.
Certified to ISO 27001:2022 for information security management, part of our independently audited integrated management system. Full details on our ISO Certifications page.
Certified to ISO 14001:2015 for environmental management. Full details and the downloadable certificate on our ISO Certifications page.
Certified to ISO 9001:2015 for quality management. Full details and the downloadable certificate on our ISO Certifications page.
Service organization controls aligned with SOC 2 principles for security, availability, and confidentiality.
Your data is never used to train or improve language models, guaranteed contractually and technically.
Sally AI meets the requirements of the Digital Operational Resilience Act (DORA) for financial-sector resilience.
Self-declaration on accessibility aligned with EN 301 549 and WCAG 2.1 AA, including the mandatory disclosures required by BITV and BFSG. This gives public-sector buyers and customers with elevated accessibility requirements a solid basis for their assessment.
Network-level separation of administration traffic and compute workload networks, including a dedicated jump/bastion host (per BSI C5:2026, controls COS-02.01B, COS-05.01B, COS-05.02B).
Launch of Sally's own large language model in production, replacing Azure OpenAI. Every step of inference happens inside our own infrastructure — no more dependency on external AI providers.
All data exclusively in German data centers, with zero dependency on non-German EU regions.
Information security is at the heart of Sally AI. Our ISMS, certified to ISO 27001:2022 and independently audited, backs our security promises with structured risk management and controls that protect your data end-to-end, not just on paper.
Security Controls
- ✓ AES-256 encryption at rest
- ✓ TLS/SSL encryption in transit
- ✓ ISO 27001-certified EU data centers
- ✓ DDoS protection & rate limiting
- ✓ Geo-redundant backups
- ✓ Multi-factor authentication (MFA) on all systems
- ✓ Role-based access control (RBAC)
- ✓ Principle of least privilege
- ✓ Full audit logging of all access
- ✓ Tenant-level data separation
- ✓ Personal data masked before any LLM processing
- ✓ No AI training on customer data, ever
- ✓ EU-region Azure OpenAI deployment
- ✓ Bring Your Own LLM option available
- ✓ On-premises storage option available
- ✓ DPA with every customer & all subprocessors
- ✓ Regular employee security training
- ✓ Incident notification to customer < 24 hours
- ✓ Annual penetration tests by external security firms
- ✓ DPIA per Article 35 GDPR
- ✓ Regular internal security reviews
Completing the DPA: Two Options
Documents & Resources
GDPR-compliant DPA under Art. 28, signed with every customer. Available in English and German.
Download DPA →
Our full technical and organizational security measures. Annex 1 of the DPA.
Download TOMs →
All subprocessors with processing purpose and EU hosting location. Annex 3 of the DPA.
Download List →