Compliance

Saaya is built for regulated workloads. We hold SOC 2 Type II, align with India's DPDPA, and run a HIPAA-aware control set for healthcare deployments. Data residency is configurable per workspace across the EU, India, and the US.

SOC 2 Type II

We are audited annually by an independent third party against the AICPA Trust Services Criteria: Security, Availability, Confidentiality, and Processing Integrity. Customers on Business and above can request the latest report from `Settings → Compliance` under NDA.

India DPDPA

For workspaces with India residency, Saaya processes personal data under the Digital Personal Data Protection Act, 2023. We provide consent capture hooks at session start, honour data-principal access / erasure requests, and store all session data inside Indian regions (Mumbai + Hyderabad).

HIPAA-aware

Saaya runs a HIPAA-aware control set: encryption at rest and in transit, access logging on PHI, de-identification of transcripts on export, and a Business Associate Agreement (BAA) for healthcare customers. We are not a covered entity; your deployment is, and the BAA is the contractual bridge.

Data residency

  • EU: Frankfurt + Dublin. Default for EU-headquartered customers.
  • India: Mumbai + Hyderabad. Default for India-headquartered customers.
  • US: Virginia + Oregon. Default for US-headquartered customers.
  • Cross-region replication is opt-in only; bytes do not leave the chosen region without explicit configuration.

residency.ts

```ts
await saaya.org.update(orgId, {
  residency: "in",   // "eu" | "in" | "us"
  crossRegionReplication: false,
});
```

Subprocessors and DPAs

A live list of subprocessors (LLM, STT, TTS, avatar, infra) is maintained at saaya.ai/subprocessors. We sign a Data Processing Addendum on request and notify customers 30 days ahead of any subprocessor change.