Sociail · Security

Security, operationally.

How Sociail protects your workspace, your data, and your AI interactions — what is in place today, what is still maturing, and how to reach our security team if something looks wrong.

01 Security posture

What's in place, and what we're working toward.

We're a small, focused team. Our security posture reflects that — strong on the fundamentals, deliberate about the formal certifications that take real engineering effort to do correctly. We'd rather be honest about where we are than over-claim and disappoint.

In place today

Operational security

  • Encryption in transit
    Encrypted in transit across public endpoints, including the web workspace, API, and Browser Control extension.
  • Encryption at rest
    Encrypted at rest at the storage layer for workspace content, artifacts, and AI receipts.
  • Access controls & least privilege
    Production data access is scoped to approved operational paths, with audit and review discipline around support or admin access.
  • Event records
    Approval cards, AI actions, and selected workspace administrative events are recorded; coverage expands as Early Access surfaces mature.
  • Provider governance
    External AI provider routes must pass policy, retention, and provider no-training checks before customer context may be sent.
  • Vulnerability response
    Internal triage and patch process for reported security issues.

Working toward

Formal certifications

  • SOC 2 Type II
    Roadmap items underway. Audit timing tied to readiness, not press releases.
  • Bug bounty program
    Currently coordinated responsible disclosure (see below). A formal bounty program is planned once volume and process maturity justify it.
  • HIPAA / BAA path
    Not in scope for Early Access. Healthcare teams should hold off until we explicitly publish this capability.
  • Data residency options
    Currently US-hosted. EU residency is a roadmap item; ask if it is a hard requirement for your team.
  • SAML / SSO
    Reviewed for Teams pilots by request during Early Access. Broader self-serve administration is planned for Teams packaging.

02 Responsible disclosure

If you find a vulnerability, tell us first.

We treat security researchers as collaborators. If you find something that looks like a vulnerability — in chat.sociail.com, the API, the Browser Control extension, or anywhere else in the surface — please contact us before public disclosure.

What we ask

Email security@sociail.com with a clear description of the issue, reproduction steps, and your assessment of severity. We aim to acknowledge good-faith reports promptly during normal business operations. We'll keep you updated as we triage and remediate.

Please give us reasonable time to fix the issue before publishing details (we coordinate disclosure timing with researchers). We do not intend to pursue legal action against good-faith security research conducted within these guidelines.

Out of scope: denial-of-service testing, social engineering against the team, physical attacks, and findings that require access to a victim's account or device beyond the user's normal usage.

security@sociail.com

03 Subprocessors

Who else processes your data.

Sociail uses a small set of subprocessors to deliver the service — hosting, authentication, AI model providers, support, analytics, and email infrastructure. We use vendors under data-processing terms appropriate to the service.

Subprocessor categories

Current subprocessor categories for Early Access:

  • Cloud hosting
  • Authentication
  • AI model providers
  • Payments
  • Email delivery
  • Analytics
  • Support tooling

The current named subprocessor list is available on request during Early Access. We plan to publish it in workspace settings with a notification path for material changes. Email security@sociail.com to request the current list.

04 The trust commitments

Security is one layer. Trust is the rest.

Security protects the system. Trust explains how AI participates inside that system — how memory is scoped, how approvals work, how Browser Control is bound, and how users stay in control. Both pages matter; they cover different ground.