Sally - AI Meeting Assistant

Security & GDPR Compliance

Use Sally with complete peace of mind

Data security and GDPR compliance

Data Protection Is Our Priority

100% GDPR compliant

Our solution fully adheres to the GDPR — ensuring maximum security and legal compliance.

Made in Germany

Developed and operated in Germany, Sally meets the highest standards in quality, reliability, and data protection.

Hosted in Germany

All personal data remains securely stored in Europe. We host exclusively with trusted European data centers.

Independently audited & certified

Sally meets internationally recognized standards for security, data protection, and quality — independently audited and continuously verified.

  • ISO 27001:2022: Information Security Management
  • SOC 2: Service Organization Controls
  • GDPR-compliant
  • BAFA-listed
  • AZAV-certified

GDPR-Compliant Data Storage

Your data privacy is our top priority. All personal data collected while using Sally is securely stored on servers within the EU — preferably in Germany at Hetzner. We guarantee that your data will never be processed or shared without your consent — unless legally required. No third-country data transfers.

Certifications & Compliance

Sally is independently and regularly audited against international standards. Our certifications ensure that we don't just meet legal requirements — we operate well above them:

  • ISO 27001:2022: Information Security Management — externally audited.
  • ISO 14001:2015: Environmental Management.
  • ISO 9001:2015: Quality Management.
  • SOC 2: Service Organization Controls for security, availability, and confidentiality.
  • DORA: Digital Operational Resilience Act compliance for the financial sector.
  • EU AI Act: Classified as a low-risk system with automatic transparency notices.

AI Processing & Data Masking

Before any language model processes your data, all personally identifiable information is automatically masked. Identifiable content never reaches the AI, and your data is never used to train language models. Never.

  • Automatic masking of personal data before every AI request.
  • No AI training on customer data — contractually excluded.
  • Azure OpenAI in the EU region as the language model provider.
  • Option to integrate your own LLM or on-premises hosting for maximum control.

Secure Collaboration with Subprocessors

For some features we collaborate with carefully selected subprocessors. These partners are contractually bound to strict data protection requirements and may only use your data for specified services. We provide a full, transparent subprocessor list and our technical and organizational measures (TOMs) as downloadable documents.

Technical & Organizational Safeguards

To keep your data safe, we follow a multi-layered security approach:

  • Encryption: AES-256 at rest, TLS/SSL in transit.
  • Access controls: Multi-factor authentication and role-based permissions (RBAC) following the least-privilege principle.
  • Tenant isolation: Data is strictly isolated per organization.
  • Audit logs: Complete logging of all access events.
  • Backups: Geo-redundant backups in ISO 27001-certified EU data centers.
  • Penetration tests: Annual tests by external security firms.
  • Data Protection Impact Assessment (DPIA) under Article 35 GDPR and regular internal audits.
  • Incident notification: Customers are notified of security incidents within 24 hours.

Data Processing Agreement (DPA)

We sign a Data Processing Agreement (DPA / AVV) with every customer in accordance with Article 28 GDPR. This contractually governs the lawful processing of your meeting data — including all technical and organizational measures and a documented subprocessor list.

  • Personalized DPA auto-generated and digitally signable online.
  • Alternatively: download the DPA (English or German), sign, and email to datenschutz@sally.io — countersignature within 1–3 business days.
  • Subprocessor list and TOM documentation always available.

Full Control Over Sally

Sally operates only with your permission. Before recording a meeting, Sally always requests consent from all participants. You can remove Sally at any time using the "opt-out" command — all recorded data will be permanently deleted. If Sally joins by mistake, the opt-out command ensures the session ends and any captured data is erased immediately.

Go deeper

Full data protection documentation in our Help Center

Detailed information on certifications, subprocessors, security controls, the DPA process, and our roadmap is available in our public data protection area.

Data Protection Officer

Norton Engele

privacy@sally.io

Frequently Asked Questions

Yes, our platform is fully compliant with EU Data Privacy Laws. It is hosted entirely within the EU and adheres to all data protection regulations under these laws. For more details, see our Privacy Policy.

Only authorized users within your organization have access to the meeting data. We use encryption and role-based access controls to ensure that your data is protected.

By default, Sally AI stores your data for 12 months. You can delete the data at any time, which permanently removes it.

Yes, this is why Sally automatically informs participants at the start of the meeting that she is present by sending a message in the chat. This serves the purpose of transparency and compliance with data protection guidelines, in particular the GDPR.

By default, all data is stored in secure data centers in Germany that meet the highest security standards. If technically necessary, data is stored in other data centers within the European Union to ensure GDPR compliance.

We use state-of-the-art security mechanisms such as end-to-end encryption, two-factor authentication and continuous security checks to prevent unauthorized access.

Sally only joins meetings with your explicit permission. Before each meeting, you can decide whether Sally should participate. Even during a meeting, you can remove Sally at any time with just a click.

Our data protection team continuously monitors changes in legislation and adapts our processes to ensure that Sally AI always remains compliant.