SaiBrief is in private beta. This page is an honest, app-owner-maintained disclosure of what is in place today and what is on the roadmap. We have no independent certifications and we do not yet host in-Kingdom. Do not place regulated or classified data in the beta.

Trust Center · maintained by SaiBrief

Honest about where we are.

This page is written and maintained by the SaiBrief team. It is not an independent certification. We list only controls we have actually shipped, and we separate them clearly from the controls we plan to ship before general availability.

For design-partner reviewers

We do not yet have a DPA, MSA, SLA, security whitepaper or sub-processor PDF ready to send. We will draft these with our first design-partner customers and publish them here once signed.

Become a design partner

What is true today

The list below is short on purpose. We would rather understate than overclaim.

Paragraph-level citations

Every generated claim is grounded in a numbered paragraph from your source text and can be inspected in the UI.

Magic-link authentication

Users sign in with a one-time email link via Supabase Auth. No passwords are stored. SSO and MFA are on the roadmap.

Persistent, isolated workspaces

Documents and briefs are stored per-workspace in Postgres with row-level security enforcing logical tenant isolation. Deleting a document permanently removes it, its stored file, and its briefs.

No model training

Per the Lovable AI Gateway's processor terms, customer content is not used to train models. We do not store prompts ourselves for training.

Encrypted in transit

All connections to the SaiBrief app, Supabase, and the AI gateway run over HTTPS/TLS managed by the hosting platforms.

Client-side audit log (preview)

A hash-chained audit log runs in the browser session for demos. It is not yet anchored server-side and is wiped on reload.

Hosting region (today)

Outside KSA

The beta app runs on managed infrastructure outside KSA; documents and briefs are stored with Supabase in the Singapore region. In-Kingdom hosting is on the roadmap.

Inference endpoint (today)

Google Gemini via AI gateway

Document text leaves the user's browser, transits the Lovable AI Gateway, and is processed by Google Gemini. Neither endpoint is in-Kingdom.

Entity

Not yet incorporated in KSA

A Saudi-resident contracting entity is part of the GA plan. We are not ETIMAD-registered today.

On the roadmap before general availability

These are commitments we work toward, not capabilities we have today.

In-Kingdom hosting

Move app hosting and the inference endpoint to a Riyadh-based region with a Saudi-resident entity as data controller.

Tenant isolation + at-rest encryption

Per-workspace key envelope, logical isolation, and AES-256 at rest. None of this is in place during the private beta.

SSO & server-side roles

SAML/OIDC SSO, MFA, and server-side role enforcement. Magic-link sign-in is live today, but the role selector in the app is still a local-only demo control.

Server-side audit + SIEM export

Hash-chained audit anchored on the server with verifiable export to Splunk/Elastic/Sentinel.

Configurable retention + DSR workflow

Per-workspace retention windows and a documented data-subject-rights process.

PDPL & NDMO alignment

DPIA, ROPA and the rest of the procurement-grade artifacts referenced on the Compliance page.

Sub-processors (today)

Third parties that actually process customer content during the private beta.

ProviderPurposeLocationData processed
SupabaseAuthentication, database, and private file storage for the private beta.Singapore (ap-southeast-1)Account email addresses, uploaded documents and their extracted text, generated briefs and brief versions, and early-access contact requests.
Lovable AI GatewayApplication hosting, error telemetry, and AI inference proxy used during the private beta.Outside KSADocument text submitted by users for brief generation; application error reports. Per gateway terms, content is not used to train models.
Google — Gemini (via the AI gateway)Underlying large language model that generates briefs and evaluation scores.Google Cloud regions outside KSADocument text passed through the gateway. Not retained for training, per the gateway's processor terms.

Certifications

We have not earned any independent security or privacy certifications. We do not claim alignment we have not implemented.

ISO/IEC 27001

Targeted for post-GA. No audit in progress.

Not certified

ISO/IEC 27701 (Privacy)

Targeted after ISO 27001.

Not certified

SOC 2 Type II

Observation period has not started.

Not certified

CCC — Cloud Computing Compliance (CST)

Mapping in design.

Not certified

NDMO Data Management

Classification labels live in UI; full alignment work pending.

Not certified

ETIMAD registration

Will be evaluated before public-sector engagements.

Not registered

Incident contact

We do not yet operate a 24/7 on-call rotation or a public status page. If you are a design partner and notice a security issue, contact us via the request form and we will respond as quickly as we can.

A dedicated, monitored security mailbox will be published here once provisioned.

Vulnerability reports

We welcome coordinated disclosure from researchers — please report via the contact form until our dedicated security mailbox is provisioned. We do not yet publish a formal safe-harbor policy or PGP key.

Want to help shape the GA controls?

Design-partner customers help us prioritize what ships before general availability.