Trust & security
Built for teams that can't afford mistakes.
Every line of money-touching code is reviewed, audited, and logged. Below is how we keep your data — and your auditors — at ease.
security@saya-io.com
Pen test report available under NDA
Infrastructure
The foundation
AES-256 at rest
Per-tenant keys, rotated quarterly
TLS 1.3 in transit
Modern ciphers only · HSTS preload
SOC 2 Type II
In progress with Vanta
EU / US data residency
Pick the region per workspace
99.9% uptime SLA
Multi-AZ, automatic failover
Compliance
Frameworks we align to
GDPR
EU data residency, DSARs, right-to-erasure
CCPA
California consumer privacy rights
HIPAA-ready
BAA available on Enterprise
PCI DSS
Stripe handles all cardholder data
Security features
Controls that ship by default
- RBAC with custom roles
- SSO / SAML (Okta · Azure AD · Google)
- SCIM provisioning
- MFA + backup codes
- JWT blacklisting on logout
- Row-level security at the database
- Tamper-evident audit log (7 years on Enterprise)
- Per-field encryption for banking data
Sub-processors
Who touches your data
The vendors below process data on our behalf. We notify you 30 days before adding any new sub-processor.
| Vendor | Purpose | Data processed | Region |
|---|---|---|---|
| Neon | Database hosting | All tenant data | US + EU |
| Render | API hosting | Request data | US |
| Vercel | Frontend hosting | Web traffic (no PII) | Global edge |
| Anthropic | LLM inference (invoices) | Invoice content + prompts | US |
| OpenAI | Embeddings (knowledge search) | Document chunks | US |
| Upstash | Queue / cache | Session tokens, task queue | US + EU |
| Supabase | Auth | Credentials | US + EU |
| Stripe | Payments | Billing data | US |
| Cloudflare | Email routing (invoice inbound) | Email metadata + body | Global edge |
Whitepaper
Request the security whitepaper
A 22-page PDF covering threat model, key management, incident response, and our SOC 2 status. Delivered by email.
Have a specific compliance question? Email security@saya-io.com — we usually reply within a business day.