Security

What We Store

• Workflow definitions (the steps, not the data)
• Execution metadata (timestamps, status, duration)
• Checkpoint state (serialized workflow state)
• Logs and observability data (if enabled)

All workflow data is encrypted at rest (AES-256) and in transit (TLS 1.3). Storage is isolated per customer - no shared databases.

What We Don't Store

• Your LLM API keys (you configure these in your environment)
• Raw prompt content (unless you explicitly enable logging)
• LLM responses (unless you explicitly enable logging)
• Customer data processed by your workflows

We are workflow orchestration infrastructure, not a data warehouse. Your sensitive data stays in your systems.

Data Retention

Workflow execution data: 90 days default, configurable up to 1 year. Checkpoint state: 30 days default, configurable. Logs: 30 days default, configurable. You can delete data anytime via CLI or API.

On account cancellation, all data is deleted within 30 days. No backup retention after that period.

Encryption

Launching Q1 2026 with first customers:

• TLS 1.3 for all data in transit
• AES-256 encryption for data at rest
• Encrypted database backups
• Key rotation every 90 days

Self-hosted deployments support your own encryption keys (BYOK for encryption).

Network Security

Launching Q1 2026 with first customers:

• Private VPC for all infrastructure
• No public database access
• DDoS protection via Cloudflare
• Rate limiting on all API endpoints

Access Control

Launching Q1 2026 with first customers:

• Role-based access control (RBAC) for team members
• Multi-factor authentication (MFA) required for admin access
• Audit logs for all access and modifications

Planned based on enterprise demand:

• SSO via SAML 2.0 (Enterprise tier)

Deployment Options

Cloud (Managed by Sanar):

• Hosted on AWS in US-East-1 (additional regions available)
• Hosted on SOC 2 Type II compliant provider (AWS)
• Automatic security patches and updates

Self-Hosted (You Manage):

• Deploy in your VPC/infrastructure
• You control all data, encryption keys, and access
• Air-gapped deployments supported (Enterprise)

Current Status

Pre-launch (Q1 2026). SOC 2 Type II certification is planned for 2026, pending successful revenue traction and customer demand. ISO 27001 will follow based on enterprise customer requirements. We prioritize compliance investments as the business scales.

GDPR Compliance

Data Processing Agreements (DPA) will be available for EU customers at launch. Technical GDPR features (right to deletion API, data portability, EU data residency) will be implemented based on customer demand.

If you have EU compliance requirements, contact ops@sanar.co to discuss your needs. We will prioritize GDPR features if there is sufficient EU customer interest.

HIPAA Compliance

Not currently offered. HIPAA compliance requires Business Associate Agreements (BAA), formal risk assessments, compliance audits, and significant legal overhead. While our architecture supports the technical requirements (encryption, access controls, audit logs), we do not currently offer HIPAA-compliant deployments or sign BAAs.

If you have healthcare use cases requiring HIPAA compliance, contact us at ops@sanar.co. We will consider HIPAA certification if there is sufficient enterprise customer demand to justify the investment.

SOC 2 Type II

Planned for 2026 pending business traction. SOC 2 certification requires 3-12 months of audit observation and significant investment ($50k-100k). We will pursue this as enterprise customer demand warrants. Early access customers can request interim security questionnaire responses and infrastructure documentation.

Code Security

• Automated dependency scanning for known vulnerabilities
• Static analysis on every commit
• No secrets in source code (enforced via pre-commit hooks)
• Manual security review for critical dependencies

Testing

• Automated security tests in CI/CD pipeline
• Penetration testing planned post-launch based on revenue
• Third-party security audit planned as enterprise demand warrants

Incident Response

Security incident response plan in place. Target response times (best effort for solo founder):

• Critical: 4 hour acknowledgment, 24 hour initial response
• High: 24 hour acknowledgment, 48 hour initial response
• Medium/Low: 48 hour acknowledgment, best effort resolution

Customers are notified of security incidents affecting their data within 24 hours of discovery. After raising capital, we will establish 24/7 on-call rotation with contractual SLAs.

What We Use Data For

• Running your workflows (obviously)
• Billing and account management
• Product improvements (anonymized aggregate metrics only)
• Security monitoring and incident response

What We Don't Do

• Sell your data to third parties (ever)
• Train models on your workflows or data
• Share data with advertisers or marketing companies
• Use your data for any purpose not listed above

Third-Party Services

We use minimal third-party services, all with their own security certifications:

• AWS (infrastructure hosting - SOC 2, ISO 27001, HIPAA compliant)
• Stripe (payment processing - PCI DSS Level 1)
• Vercel (marketing site only - no customer data)

Your workflow data never touches marketing/analytics services. We do not use Google Analytics, Facebook Pixel, or similar tracking tools in the product.