Your feedback, test data, and team collaboration belong to you. We protect it with the same discipline we expect from any tool we'd trust ourselves.
Where sarvaOS runs and how the foundation is hardened.
The entire sarvaOS platform is built on top of a tier-one public cloud provider, deployed across multiple availability zones in the regions you choose. Workloads automatically scale to meet demand and our cloud provider transparently brings up additional capacity when traffic increases.
Data is stored in managed database services that support point-in-time recovery, so we can roll back to a recent moment in the event of developer error or data corruption.
The cloud provider's underlying data centers carry independent certifications including SOC 1, SOC 2, ISO 27001, ISO 27017, ISO 27018, PCI DSS, and HIPAA. These attestations apply to the physical infrastructure that sarvaOS runs on; we detail our own posture in the sections below.
The data protection regulations our processes are designed to meet.
We process personal data of EU residents in line with the General Data Protection Regulation.
We process personal data of UK residents in line with the UK General Data Protection Regulation.
sarvaOS is an early-stage platform and we are not yet pursuing formal third-party certifications such as SOC 2 or ISO 27001. We build to industry best practices today and will publish audit reports as the company matures. Customers under NDA can request our current security questionnaire and policy summaries.
Controls at the data centers that host sarvaOS.
How traffic and servers are protected.
How the products themselves are built and defended.
The people, devices, and processes behind the platform.
What happens when things go wrong.
How we keep sarvaOS up.
Transparency about what we store, where, and for how long.
Production data is stored in secure data centers in the regions you choose. EU customers can request that data remain in the EU; enterprise customers can request other regional pinning where supported by our cloud provider.
We retain customer data for as long as your account is active. When you delete your account, we permanently remove or anonymize associated personal data within 30 days, except where retention is required by law. Encrypted backups are purged on their normal rotation schedule.
We carefully vet every subprocessor and bind them by contractual confidentiality and data protection obligations. We maintain a current list of subprocessors and notify customers in advance of material changes. Contact privacy@sarvaos.com for the full list.
You own the content you bring into sarvaOS. We process it only to provide and improve the services you've asked for, and we never sell it. You can export your data at any time from within the product.
If you find a vulnerability, we want to hear about it.
We welcome reports from independent security researchers. If you believe you have discovered a security vulnerability in any sarvaOS product or property, please email security@sarvaos.com with a clear description and reproduction steps. We will acknowledge your report within one business day and keep you updated as we investigate.
Please act in good faith: avoid privacy violations, data destruction, and service degradation. We will not pursue legal action against researchers who follow these guidelines and give us reasonable time to remediate before public disclosure.
Talk to our security team for questionnaires, DPAs, and architecture details.
Contact Security Team