Security & Trust
Your clients' data stays where it belongs. In your systems.
We build custom AI for firms that handle sensitive information, so security is something we design in from the first conversation. We connect to your tools through their own APIs, we build on infrastructure that is independently audited, and a person stays in the loop on the work that matters. Here is exactly how it works.
Your data stays in your systems
We connect to the tools you already use through their APIs. We don't copy your client information into a separate database of ours to run your workflows, beyond the minimal operational logs described below.
Built on independently audited infrastructure
The platforms we build on hold SOC 2 Type II reports and offer signed Business Associate Agreements. We name every one of them below.
Encrypted in transit
Traffic moves over TLS 1.2 or higher. Credentials live in an encrypted vault, resolved only at run time and kept out of our code and logs.
Scoped access, per client
Every connection is scoped to one client and one set of permissions, isolating it to that client's own tools.
A human approves the important steps
Actions that carry weight wait for a person to review and approve them before they run. You decide which steps get that gate.
A record of what ran
Every automated action is written to an audit log, timestamped, so there is a trail of what happened and when.
Where your data lives
The short version: it lives in your systems, not ours.
When we build an automation, it reads and writes through the APIs of the tools you already own, like your practice-management system, your CRM, your calendar, or your phone system. The data those tools hold stays inside those tools. We are the wiring between them, not a warehouse that keeps a copy.
The infrastructure we build on
We build on a small, deliberate set of vendors. Each one is independently audited and can sign a Business Associate Agreement where health information is involved. We vet those audits carefully when we choose who to build on. Here is the full list, with a link to each vendor's own security page so you can verify it yourself.
| Vendor | What it does in your build | Independent audits & posture | Verify |
|---|---|---|---|
| Supabase | Database and authentication | SOC 2 Type II; HIPAA BAA available | Trust page → |
| Vercel | Application hosting | SOC 2 Type II; ISO 27001; HIPAA BAA on Pro/Enterprise | Trust page → |
| Railway | Backend compute for running workflows | SOC 2 Type II; SOC 3; HIPAA add-on available | Trust page → |
| Anthropic (Claude) | The AI models behind the automations | SOC 2 Type II; ISO 27001; ISO 42001; HIPAA BAA on API/Enterprise | Trust page → |
| Retell AI | Voice for AI phone and receptionist builds | SOC 2 Type I & II; HIPAA BAA available self-serve | Trust page → |
Some builds use additional tools that you already own and choose, like your CRM or phone provider. When a build needs a vendor beyond the list above, we tell you which one and why before we connect it.
How SaveYa Ops keeps your build isolated
Your automations run on SaveYa Ops, the platform we built to run this work safely. A few controls are worth calling out. SaveYa Ops itself runs on the audited infrastructure listed above.
One client, one lane
Every workflow is scoped to a single client, so it reaches only the tools and permissions that client has granted rather than another client's.
Encrypted credential vault
Your API keys and tokens sit in an encrypted vault and are resolved only at run time. They are never written into the app or exposed in logs.
Explicit permission grants
A workflow can only take an action it has been explicitly granted. Access is granted on purpose, not by default.
Locked-down outbound traffic
Workflows are restricted to an approved list of destinations rather than arbitrary internet addresses.
Approval gates on sensitive steps
The steps that carry real consequences pause for a person to approve them before they run.
Full audit log
Every execution is recorded, so there is always a record of what ran, when, and what it touched.
How we think about compliance
You work under real rules, whether that is HIPAA, SEC and FINRA guidance, or your state bar. We build with those rules in mind from the first conversation.
We review the rules before we build.
Before we connect anything that touches client data, we work through the regulatory requirements that apply to your practice.
We sign a BAA when health information is involved.
Where a workflow handles protected health information, we put a Business Associate Agreement in place with you, and we build on subprocessors that will sign one with us.
The certifications belong to the platforms.
The SOC 2 and ISO reports referenced on this page are held by the vendors we build on. We build responsibly on top of them, and we weigh those audits carefully when we choose who to build on.
Straight talk about what we are
We think you should know exactly what you are hiring, so here it is in plain terms.
SaveYa Tech builds and integrates. We connect the AI and the tools you already use into workflows that do real work for your firm. We are careful about security because our clients handle sensitive information, and we hold ourselves to that standard every day.
We are not a certification body, and we do not claim a security certification of our own. The SOC 2 and ISO reports on this page belong to the infrastructure providers we build on, and we are clear about that on purpose. When someone tells you their small shop is "SOC 2 certified" for work like this, it is worth asking what exactly was audited.
What we will always do is tell you the truth about where your data goes, sign the agreements your regulators require, and build on platforms that have done the audits. If a question ever falls outside what we can answer, we will say so and point you to the vendor who can.
Questions, or something to report
If you have a question about how we handle your data, or you believe you have found a security issue, we want to hear about it directly. We read these and we respond. If you report a security issue in good faith, we will work with you on it, and we will not come after you for telling us.
Want to go deeper on any of this?
The consult: one hour with the team. You leave with a clear plan and a real price. Credited toward your build if you move forward.
Book a $250 Consult →Last reviewed: July 2026
