Trust & security

Security & compliance

This page states what we do today — no hedge language. If something is on the roadmap rather than live, we say so explicitly. Security questionnaires, pen-test summaries, and DPA drafts are available to enterprise prospects on request.

  • Encryption in transit: TLS 1.2+
  • Encryption at rest: AES-256
  • Workspace isolation: Per-tenant
  • Audit log: Append-only

Workspace isolation

Every customer's data, prompts, and retrieval corpora are segmented by workspace. No tenant can read or influence another's data, agent context, or output.

Encryption in transit and at rest

All data in transit uses TLS 1.2+. Integration secrets and credentials are stored encrypted and never appear in application logs or event timelines.

Role-based access control (RBAC)

Operator, staff, and end-user roles carry distinct capability scopes. Administrative actions are tied to authenticated identities your organization controls — not shared credentials.

Append-only audit trail

Every message, tool call, run event, and agent configuration change is logged in an append-only event timeline. Scale and Enterprise plans include structured export for your own SIEM.

Data residency

Deployments can align to AWS, Google Cloud, or Azure with region selection documented in Scale and Enterprise contracts. Ask for your region preference during onboarding.

SOC 2 Type II

We are targeting SOC 2 Type II readiness. Ask us for our current status and expected attestation timeline during your evaluation — we will share it plainly.

What we guarantee today

  • Your data is never used to train any model
  • Human approval gate before any customer-facing output
  • Encryption in transit (TLS 1.2+) on every request
  • Credentials stored encrypted, never logged
  • Workspace isolation — your data cannot cross tenants
  • Append-only event log on every plan
  • Access reviews on a quarterly schedule
  • Incident response SLA: 24 hours for critical findings

Healthcare & PHI

Healthcare deployments require an architecture review and a BAA where PHI is in scope. We have delivered for clinic networks and health-tech platforms — ask us for the current readiness statement and process.


Security contact

For responsible disclosure, pen-test coordination, or vendor security questionnaires:

security@sundaypyjamas.com

Nothing on this page amends your agreement. For authoritative terms, see Terms and Privacy.