SaiBrief is in private beta. This page is an honest, app-owner-maintained disclosure of what is in place today and what is on the roadmap. We have no independent certifications and we do not yet host in-Kingdom. Do not place regulated or classified data in the beta.
Honest about where we are.
This page is written and maintained by the SaiBrief team. It is not an independent certification. We list only controls we have actually shipped, and we separate them clearly from the controls we plan to ship before general availability.
For design-partner reviewers
We do not yet have a DPA, MSA, SLA, security whitepaper or sub-processor PDF ready to send. We will draft these with our first design-partner customers and publish them here once signed.
Become a design partnerWhat is true today
The list below is short on purpose. We would rather understate than overclaim.
Paragraph-level citations
Every generated claim is grounded in a numbered paragraph from your source text and can be inspected in the UI.
Magic-link authentication
Users sign in with a one-time email link via Supabase Auth. No passwords are stored. SSO and MFA are on the roadmap.
Persistent, isolated workspaces
Documents and briefs are stored per-workspace in Postgres with row-level security enforcing logical tenant isolation. Deleting a document permanently removes it, its stored file, and its briefs.
No model training
Per the Lovable AI Gateway's processor terms, customer content is not used to train models. We do not store prompts ourselves for training.
Encrypted in transit
All connections to the SaiBrief app, Supabase, and the AI gateway run over HTTPS/TLS managed by the hosting platforms.
Client-side audit log (preview)
A hash-chained audit log runs in the browser session for demos. It is not yet anchored server-side and is wiped on reload.
Hosting region (today)
Outside KSA
The beta app runs on managed infrastructure outside KSA; documents and briefs are stored with Supabase in the Singapore region. In-Kingdom hosting is on the roadmap.
Inference endpoint (today)
Google Gemini via AI gateway
Document text leaves the user's browser, transits the Lovable AI Gateway, and is processed by Google Gemini. Neither endpoint is in-Kingdom.
Entity
Not yet incorporated in KSA
A Saudi-resident contracting entity is part of the GA plan. We are not ETIMAD-registered today.
On the roadmap before general availability
These are commitments we work toward, not capabilities we have today.
In-Kingdom hosting
Move app hosting and the inference endpoint to a Riyadh-based region with a Saudi-resident entity as data controller.
Tenant isolation + at-rest encryption
Per-workspace key envelope, logical isolation, and AES-256 at rest. None of this is in place during the private beta.
SSO & server-side roles
SAML/OIDC SSO, MFA, and server-side role enforcement. Magic-link sign-in is live today, but the role selector in the app is still a local-only demo control.
Server-side audit + SIEM export
Hash-chained audit anchored on the server with verifiable export to Splunk/Elastic/Sentinel.
Configurable retention + DSR workflow
Per-workspace retention windows and a documented data-subject-rights process.
PDPL & NDMO alignment
DPIA, ROPA and the rest of the procurement-grade artifacts referenced on the Compliance page.
Sub-processors (today)
Third parties that actually process customer content during the private beta.
| Provider | Purpose | Location | Data processed |
|---|---|---|---|
| Supabase | Authentication, database, and private file storage for the private beta. | Singapore (ap-southeast-1) | Account email addresses, uploaded documents and their extracted text, generated briefs and brief versions, and early-access contact requests. |
| Lovable AI Gateway | Application hosting, error telemetry, and AI inference proxy used during the private beta. | Outside KSA | Document text submitted by users for brief generation; application error reports. Per gateway terms, content is not used to train models. |
| Google — Gemini (via the AI gateway) | Underlying large language model that generates briefs and evaluation scores. | Google Cloud regions outside KSA | Document text passed through the gateway. Not retained for training, per the gateway's processor terms. |
Certifications
We have not earned any independent security or privacy certifications. We do not claim alignment we have not implemented.
ISO/IEC 27001
Targeted for post-GA. No audit in progress.
ISO/IEC 27701 (Privacy)
Targeted after ISO 27001.
SOC 2 Type II
Observation period has not started.
CCC — Cloud Computing Compliance (CST)
Mapping in design.
NDMO Data Management
Classification labels live in UI; full alignment work pending.
ETIMAD registration
Will be evaluated before public-sector engagements.
Incident contact
We do not yet operate a 24/7 on-call rotation or a public status page. If you are a design partner and notice a security issue, contact us via the request form and we will respond as quickly as we can.
A dedicated, monitored security mailbox will be published here once provisioned.
Vulnerability reports
We welcome coordinated disclosure from researchers — please report via the contact form until our dedicated security mailbox is provisioned. We do not yet publish a formal safe-harbor policy or PGP key.
Want to help shape the GA controls?
Design-partner customers help us prioritize what ships before general availability.