TRUST & SECURITY
Built to pass your security review.
Every protocol, sub-processor, and incident commitment, in one place. Read it in five minutes, or hand it to your team.
COMPLIANCE
Standards we hold ourselves accountable to.
We publish what we've achieved, what we're auditing, and what's on the roadmap. No claims without evidence.
SOC 2
Audit roadmappedType I target Q1 2027, Type II target Q4 2027. Annual recertification thereafter.
GDPR
AlignedOperates in accordance with EU GDPR principles. DPA available on request.
CCPA
AlignedCalifornia Consumer Privacy Act rights honored for all California users.
ISO 27001
RoadmappedPlanned after SOC 2 Type II completion.
DATA HANDLING
What we keep, for how long.
Every category of data we touch, where it lives, and when it's deleted. Defaults are conservative; workspaces can tighten them.
- Meeting audio
- Processed for transcription, then deleted within 24 hours of the meeting ending. Never used for model training.
- Transcripts & translations
- Stored in your workspace. Retention is workspace-configurable; default is 90 days.
- Summaries & action items
- Stored alongside the source transcript and follow the same retention policy.
- Account & workspace metadata
- Retained while the account is active. Deleted within 30 days of account closure.
- Billing data
- Payments processed by LemonSqueezy as Merchant of Record. Sageio stores subscription metadata only — never payment card details.
- Data residency
- Multi-region deployment available. EU, US, and Asia-Pacific regions supported on Enterprise plans.
- Internal access
- Production access requires explicit business need, is time-bound, and is logged for audit.
ENCRYPTION
Modern protocols, no exceptions.
Encryption is a default, not a tier. The standards below apply to every workspace, on every plan.
TLS 1.3 for every client connection, with HSTS enforced on Sageio domains.
AES-256-GCM at rest across application databases and object storage.
Provider-managed encryption keys via AWS KMS, rotated on schedule.
Meeting audio encrypted on the wire from bot to processing layer.
Encrypted backups, retained 30 days, restored on a tested schedule.
ACCESS CONTROLS
The keys to your workspace, on your terms.
Identity, roles, and audit trails configured the way enterprise IT teams expect. Not bolted on — built in from the first user.
SAML 2.0 single sign-on, available on Enterprise plans.
OIDC sign-in via Google and Microsoft for self-serve workspaces.
Role-based access control with four tiers: Owner, Admin, Member, and Viewer.
Audit log of every admin and data-access action, retained 12 months.
Configurable session timeout and IP allowlist on Enterprise plans.
SUB-PROCESSORS
The vendors we depend on, named publicly.
Sageio relies on a small set of established providers for storage, identity, and AI processing. The full list, with purpose and data location, lives in the DPA.
INCIDENT RESPONSE
When something breaks, you hear from us first.
Customer notification is the first hour of response, not the last. Affected customers get direct notice; the broader community sees our public status page.
Detection runs via continuous monitoring. On-call engineers declare and assign an incident commander within 30 minutes. For any incident involving customer data, affected customers are notified by email within 24 hours of confirmation, with interim updates while investigation continues. A written post-incident review is shared within 7 days, and customer-visible outages are recorded on status.sageio.net.
Got a security questionnaire?
Send it over. We respond within two business days with completed answers, attestations, and the supporting documents your team needs.