Security

Security, operationally.

How Sociail protects your workspace, your data, and your AI interactions — what's in place today, what we're working toward, and how to reach our security team if something looks wrong.

01 Security posture

What's in place, and what we're working toward.

We're a small, focused team. Our security posture reflects that — strong on the fundamentals, deliberate about the formal certifications that take real engineering effort to do correctly. We'd rather be honest about where we are than over-claim and disappoint.

In place today

Operational security

  • Encryption in transit: TLS 1.3 across all endpoints (chat.sociail.com, api.sociail.com, and the Browser Control extension).
  • Encryption at rest: AES-256 at the storage layer for workspace content, artifacts, and AI receipts.
  • Access controls and least privilege: engineer access to production data is scoped, logged, and reviewed.
  • Audit logging: approval cards, AI actions, and workspace administrative events are recorded.
  • Provider contracts: AI model providers operate under written agreements that prohibit training on your content.
  • Vulnerability response: internal triage and patch process for reported security issues.

Working toward

Formal certifications and enterprise controls

  • SOC 2 Type II: controls work is underway. Audit timing is tied to readiness, not press releases.
  • Bug bounty program: currently coordinated responsible disclosure (see below). A formal bounty program will follow once report volume justifies it.
  • HIPAA / BAA path: not in scope for Early Access. Healthcare teams should hold off, and keep protected health information out of Sociail, until we explicitly publish this capability.
  • Data residency options: currently US-hosted. EU residency is a roadmap item; tell us if it is a hard requirement for your team.
  • SAML / SSO: available for Teams pilots by request during Early Access. Will be self-serve on Teams plans post-launch.

02 Responsible disclosure

If you find a vulnerability, tell us first.

We treat security researchers as collaborators. If you find something that looks like a vulnerability — in chat.sociail.com, the API, the Browser Control extension, or anywhere else in the surface — please contact us before public disclosure.

What we ask

Email security@sociail.com with a clear description of the issue, the affected component (host, API endpoint, or the Browser Control extension), reproduction steps, and your assessment of severity and impact. We acknowledge reports within two business days and keep you updated on status as we triage and remediate.

Please give us reasonable time to fix the issue before publishing details (we coordinate disclosure timing with researchers). We don't pursue legal action against good-faith security research conducted within these guidelines.

Out of scope: denial-of-service testing, social engineering against the team, physical attacks, and findings that presuppose the attacker already has access to a victim's account or device beyond the user's normal usage.

security@sociail.com

03 Subprocessors

Who else processes your data.

Sociail uses a small set of subprocessors to deliver the service: cloud hosting, authentication, AI model providers, payments, email delivery, analytics, and support tooling. Each operates under a written data processing agreement.

Subprocessor categories

The current categories of subprocessor used by Sociail:

  • Cloud hosting
  • Authentication
  • AI model providers
  • Payments
  • Email delivery
  • Analytics
  • Support tooling

The current list of named subprocessors is available on request during Early Access. After launch, we'll publish the full list in workspace settings with a notification mechanism for material changes. Email security@sociail.com to request the current list.

04 The trust commitments

Security is one layer. Trust is the rest.

Security is the technical practice of keeping data safe. Trust is what we do with that safety — how AI participates, how memory is scoped, how approvals work, how Browser Control is bound. Both pages matter; they cover different ground.