
Your knowledge is your business. We look after it as if it were our own.

Everything you put into Sarrai — conversations, documents, customer info, procedures — stays yours. We host in Europe, work only with European providers, and don't train AI models on your data. No exceptions, no fine print.

EU-only: data, providers, processing

  • Hosting in Belgium
  • European sub-processors only
  • No data transfer outside the EU
  • GDPR, not just on paper

01 Data sovereignty

Your data stays in Europe. Full stop.

Sarrai runs on European infrastructure, processes only within Europe, and uses no services that send your data — even temporarily — outside the EU. No replica to American data centres, no "global CDN" for sensitive content, no hidden transit through third countries.

GDPR is a minimum. Our position goes further.

02 No training on your data

What you write never becomes part of a model.

The AI models Sarrai works with are never trained on your content. Not by us, not by our providers. Your knowledge base is only visible to you and whoever you grant access — Sarrai itself doesn't look over your shoulder, unless you explicitly ask us to for support.

No opt-in line you have to untick. This is the default.

03 You are and remain the owner

Exportable at any moment. Deletable at any moment.

Leaving Sarrai tomorrow? You can export your full knowledge base in an open format, and we erase whatever is on our systems within the period the law provides. No holding your content hostage, no negotiating, no "contact your account manager".

Ownership isn't a feature. It's the agreement.

GDPR no longer protects you against American interests.

European data protection law is among the strictest in the world. But anyone who has their data processed by American providers — even ones offering "European regions" — falls under the CLOUD Act. That law lets American authorities request data wherever in the world it sits, without you needing to know.

That's why we deliberately choose European providers only: for hosting, for AI inference, for storage, for monitoring. Not because it's easier (it isn't), but because it's the only way to say with certainty: your data is under European law, with no foreign back door.

For some companies that makes no difference. For others — lawyers, accountancy firms, healthcare providers, industrial SMEs with sensitive IP — it's a hard requirement. We build for that second group, and gladly bring the first along too.

What we do, technically & organisationally.

A summary. For the full technical description, see our security whitepaper, available on request for customers and prospects under NDA.

European hosting

Infrastructure at OVHcloud and Scaleway, data centres in Belgium. No replicas outside the EU.

Encryption at rest & in transit

AES-256 at rest, TLS 1.3 in transit. Internal network segmentation per customer.

Fine-grained access

Roles, SSO and an audit trail on every action. You decide who sees what, down to article level.

Least-privilege internally

Sarrai staff don't look into your data. Support access only after your explicit approval, always temporary.

Export at any moment

Full knowledge base exportable in Markdown/JSON. No vendor lock-in, neither on content nor on structure.

Incidents, transparent

Breach notification within 72 hours — by law. Our practice: same day, in plain language, with what we're doing.

Who else sits at the table.

We deliberately keep the list short. Every provider is established in the EU and processes data exclusively within the EU. If we change anything, we let you know, and not after the fact.

| Provider | Role | Location |
|---|---|---|
| Combell | Hosting & storage | Belgium, BE |
| Mistral AI | Language models | Paris, FR |

  • Our customer-facing selection of providers is indicative. The current overview is in our DPA, available on request via contact.

Answered briefly and clearly.

If something's missing, email us. We answer personally.

Is my data used to train your AI?
No. Not by Sarrai, not by our AI partners. This is also set out contractually in our data processing agreement.

Can I export all my content if I stop?
Yes, at any moment, in Markdown and JSON. We erase your data within the legal period; you receive a confirmation once it's done.

What if an American government requests data?
They can try, but we don't host with American providers and aren't ourselves subject to American law. We're established in Belgium, our infrastructure in the EU.

Where can I get the data processing agreement (DPA)?
Send us a message via contact; we'll deliver the DPA within one working day. We'll build it in as self-service in the future.

Still have questions about our approach?

If you work with sensitive information — legal, financial, medical, industrial IP — we're happy to talk it through personally before you buy anything. Get in touch, we answer the same day.