Security & compliance
This page states what we do today — no hedge language. If something is on the roadmap rather than live, we say so explicitly. Security questionnaires, pen-test summaries, and DPA drafts are available to enterprise prospects on request.
- TLS 1.2+: Encryption in transit
- AES-256: Encryption at rest
- Per-tenant: Workspace isolation
- Append-only: Audit log
Workspace isolation
Every customer's data, prompts, and retrieval corpora are segmented by workspace. No tenant can read or influence another's data, agent context, or output.
Encryption in transit and at rest
All data in transit uses TLS 1.2+. Integration secrets and credentials are stored encrypted and never appear in application logs or event timelines.
Role-based access control (RBAC)
Operator, staff, and end-user roles carry distinct capability scopes. Administrative actions are tied to authenticated identities your organization controls — not shared credentials.
Append-only audit trail
Every message, tool call, run event, and agent configuration change is logged in an append-only event timeline. Scale and Enterprise plans include structured export for your own SIEM.
Data residency
Deployments can align to AWS, Google Cloud, or Azure with region selection documented in Scale and Enterprise contracts. Ask for your region preference during onboarding.
SOC 2 Type II
We are targeting SOC 2 Type II readiness. Ask us for our current status and expected attestation timeline during your evaluation — we will share it plainly.
What we guarantee today
- Your data is never used to train any model
- Human approval gate before any customer-facing output
- Encryption in transit (TLS 1.2+) on every request
- Credentials stored encrypted, never logged
- Workspace isolation — your data cannot cross tenants
- Append-only event log on every plan
- Access reviews on a quarterly schedule
- Incident response SLA: 24 hours for critical findings
Healthcare & PHI
Healthcare deployments require an architecture review and a BAA where PHI is in scope. We have delivered for clinic networks and health-tech platforms — ask us for the current readiness statement and process.
Security contact
For responsible disclosure, pen-test coordination, or vendor security questionnaires:
security@sundaypyjamas.com
Nothing on this page amends your agreement. For authoritative terms, see Terms and Privacy.