Security

Security is foundational to everything we build at Saut. We handle sensitive sentiment data for enterprises, governments, and financial institutions. Every system, process, and decision is designed with data protection at its core.

• Hosted on Vercel (compute) and Supabase (database) with enterprise-grade infrastructure
• All data encrypted in transit using TLS 1.3 and at rest using AES-256
• Automatic daily database backups with point-in-time recovery
• Edge network with DDoS protection and Web Application Firewall (WAF)
• Automatic failover and multi-region redundancy
• Infrastructure-as-code with reproducible, auditable deployments

• Powered by Clerk with enterprise Single Sign-On (SSO) support
• Multi-factor authentication (MFA) available for all accounts
• OAuth 2.0 integration with Google, GitHub, and Microsoft identity providers
• Automatic session expiration and rotation
• Organization-level role-based access controls (RBAC) for enterprise plans
• Principle of least privilege applied to all internal systems access

• Scoped API keys with granular, per-resource permissions
• Rate limiting and throttling to prevent abuse
• Request signing and validation for webhook deliveries
• Comprehensive audit logs for all API access
• Separate production and staging environments with isolated credentials

• Saut only processes publicly available social media data
• No private messages, DMs, or non-public content is ever accessed or stored
• Enterprise workspace data is isolated with row-level security (RLS) at the database layer
• Data retention policies configurable per enterprise plan
• Full data export and account deletion available on request
• Individual voting data is never exposed to other users or workspace administrators

Saut processes and stores data using the following infrastructure providers:

• Application Hosting: Vercel — primary compute in the United States (US-East) with global edge distribution
• Database: Supabase — United States (US-East). All customer data, including poll data, votes, and workspace configurations, is stored in Supabase-managed PostgreSQL databases
• Authentication: Clerk — United States. Identity and session data processed by Clerk's infrastructure
• AI Processing: OpenAI — United States. Public social data is sent to OpenAI for sentiment classification and insight generation; no user account data is shared with OpenAI

Enterprise customers requiring data residency in specific regions should contact us to discuss available options. For details on international data transfers and safeguards, see our Privacy Policy.

• Background checks conducted on all employees and contractors with access to production systems or customer data
• Security awareness training required upon onboarding and annually thereafter
• All employee devices require full-disk encryption and screen lock policies
• Access to production environments is restricted, time-limited, and logged
• Mandatory multi-factor authentication for all internal tools and systems
• Immediate access revocation upon employee offboarding

We evaluate the security posture of all third-party vendors before integration and on an ongoing basis. Our vendor assessment process includes:

• Review of SOC 2 Type II reports, ISO 27001 certifications, or equivalent compliance evidence
• Data processing agreements (DPAs) with all vendors that process personal data
• Assessment of data encryption, access controls, and incident response capabilities
• Regular review of vendor security practices (at least annually)
• Contractual obligations for prompt notification of security incidents

• 24/7 uptime monitoring with sub-minute alerting
• Anomaly detection on API usage patterns and authentication attempts
• Automated dependency auditing for supply chain security
• Automated vulnerability scanning on every deployment
• Documented incident response plan with defined severity levels and escalation paths
• Post-incident reviews and root-cause analysis for all security events

• Automated daily database backups retained for 30 days, with point-in-time recovery
• Multi-region infrastructure with automatic failover to minimize downtime
• Defined Recovery Point Objective (RPO) and Recovery Time Objective (RTO) targets
• Disaster recovery procedures tested periodically
• Version-controlled infrastructure-as-code enabling rapid environment reconstruction
• Status page available at status.saut.app for real-time service health

• Regular third-party penetration testing of application and infrastructure
• Automated static application security testing (SAST) integrated into the CI/CD pipeline
• Dependency vulnerability scanning with automated alerts for critical and high severity CVEs
• Code reviews required for all changes to production code, with security-focused review for sensitive areas
• Findings from security assessments are tracked, prioritized, and remediated on defined timelines

Saut is committed to meeting the compliance requirements of our enterprise customers:

• GDPR: Compliant with the EU General Data Protection Regulation and UK GDPR. Data Processing Addenda available for enterprise customers
• CCPA/CPRA: Compliant with the California Consumer Privacy Act and California Privacy Rights Act
• SOC 2 Type II: Audit in progress — estimated completion Q3 2026

Enterprise customers requiring specific compliance documentation or attestations should contact support@saut.app.