SaveYa Tech

Security & Trust

Your clients' data stays where it belongs. In your systems.

We build custom AI for firms that handle sensitive information, so security is something we design in from the first conversation. We connect to your tools through their own APIs, we build on infrastructure that is independently audited, and a person stays in the loop on the work that matters. Here is exactly how it works.

Your data stays in your systems

We connect to the tools you already use through their APIs. We don't copy your client information into a separate database of ours to run your workflows, beyond the minimal operational logs described below.

Built on independently audited infrastructure

The platforms we build on hold SOC 2 Type II reports and offer signed Business Associate Agreements. We name every one of them below.

Encrypted in transit

Traffic moves over TLS 1.2 or higher. Credentials live in an encrypted vault, resolved only at run time and kept out of our code and logs.

Scoped access, per client

Every connection is scoped to one client and one set of permissions, isolating it to that client's own tools.

A human approves the important steps

Actions that carry weight wait for a person to review and approve them before they run. You decide which steps get that gate.

A record of what ran

Every automated action is written to an audit log, timestamped, so there is a trail of what happened and when.

Where your data lives

The short version: it lives in your systems, not ours.

When we build an automation, it reads and writes through the APIs of the tools you already own, like your practice-management system, your CRM, your calendar, or your phone system. The data those tools hold stays inside those tools. We are the wiring between them, not a warehouse that keeps a copy.

In transitEverything moves over encrypted connections, TLS 1.2 or higher.
CredentialsThe keys and tokens that let a workflow talk to your tools are held in an encrypted vault and resolved only at run time. Our workflows are built so those keys are not written into application code, and we keep them out of logs.
AI modelsThe AI behind your workflows runs on vendors' commercial API tiers, which under their standard terms do not use the data you send to train their models. We build on that tier by default and can confirm the current terms for any vendor in your build.
RetentionWhere a workflow needs to keep a short operational record, like a log of what ran, we keep only what the workflow needs to function, and we can align retention with your requirements.

The infrastructure we build on

We build on a small, deliberate set of vendors. Each one is independently audited and can sign a Business Associate Agreement where health information is involved. We vet those audits carefully when we choose who to build on. Here is the full list, with a link to each vendor's own security page so you can verify it yourself.

VendorWhat it does in your buildIndependent audits & postureVerify
SupabaseDatabase and authenticationSOC 2 Type II; HIPAA BAA availableTrust page →
VercelApplication hostingSOC 2 Type II; ISO 27001; HIPAA BAA on Pro/EnterpriseTrust page →
RailwayBackend compute for running workflowsSOC 2 Type II; SOC 3; HIPAA add-on availableTrust page →
Anthropic (Claude)The AI models behind the automationsSOC 2 Type II; ISO 27001; ISO 42001; HIPAA BAA on API/EnterpriseTrust page →
Retell AIVoice for AI phone and receptionist buildsSOC 2 Type I & II; HIPAA BAA available self-serveTrust page →

Some builds use additional tools that you already own and choose, like your CRM or phone provider. When a build needs a vendor beyond the list above, we tell you which one and why before we connect it.

How SaveYa Ops keeps your build isolated

Your automations run on SaveYa Ops, the platform we built to run this work safely. A few controls are worth calling out. SaveYa Ops itself runs on the audited infrastructure listed above.

One client, one lane

Every workflow is scoped to a single client, so it reaches only the tools and permissions that client has granted rather than another client's.

Encrypted credential vault

Your API keys and tokens sit in an encrypted vault and are resolved only at run time. They are never written into the app or exposed in logs.

Explicit permission grants

A workflow can only take an action it has been explicitly granted. Access is granted on purpose, not by default.

Locked-down outbound traffic

Workflows are restricted to an approved list of destinations rather than arbitrary internet addresses.

Approval gates on sensitive steps

The steps that carry real consequences pause for a person to approve them before they run.

Full audit log

Every execution is recorded, so there is always a record of what ran, when, and what it touched.

How we think about compliance

You work under real rules, whether that is HIPAA, SEC and FINRA guidance, or your state bar. We build with those rules in mind from the first conversation.

We review the rules before we build.

Before we connect anything that touches client data, we work through the regulatory requirements that apply to your practice.

We sign a BAA when health information is involved.

Where a workflow handles protected health information, we put a Business Associate Agreement in place with you, and we build on subprocessors that will sign one with us.

The certifications belong to the platforms.

The SOC 2 and ISO reports referenced on this page are held by the vendors we build on. We build responsibly on top of them, and we weigh those audits carefully when we choose who to build on.

Straight talk about what we are

We think you should know exactly what you are hiring, so here it is in plain terms.

SaveYa Tech builds and integrates. We connect the AI and the tools you already use into workflows that do real work for your firm. We are careful about security because our clients handle sensitive information, and we hold ourselves to that standard every day.

We are not a certification body, and we do not claim a security certification of our own. The SOC 2 and ISO reports on this page belong to the infrastructure providers we build on, and we are clear about that on purpose. When someone tells you their small shop is "SOC 2 certified" for work like this, it is worth asking what exactly was audited.

What we will always do is tell you the truth about where your data goes, sign the agreements your regulators require, and build on platforms that have done the audits. If a question ever falls outside what we can answer, we will say so and point you to the vendor who can.

Questions, or something to report

If you have a question about how we handle your data, or you believe you have found a security issue, we want to hear about it directly. We read these and we respond. If you report a security issue in good faith, we will work with you on it, and we will not come after you for telling us.

Want to go deeper on any of this?

The consult: one hour with the team. You leave with a clear plan and a real price. Credited toward your build if you move forward.

Book a $250 Consult →

Last reviewed: July 2026