How we protectSecurity & Privacy
A transparent overview of the technical controls, compliance commitments, and responsible-disclosure process behind the SAMI platform.
Data Protection
How your data is stored, encrypted, and isolated.
Encryption at rest
All sensitive data stored on SAMI servers is encrypted using industry-standard authenticated encryption. Encryption keys are versioned and rotated regularly; older key versions remain available only for decryption during the transition window.
Encryption in transit
All client-to-server and service-to-service traffic is protected by TLS 1.2 or higher. Plaintext connections are rejected.
Database isolation
Customer data is stored in a managed, dedicated database. Access is restricted by role-based policies; no cross-customer data access is possible at the query level.
Versioned encryption keys
SAMI uses a versioned key ring so that key rotation does not require re-encryption of the entire dataset at once. Each ciphertext is tagged with the key version that produced it.
Authentication
Modern credential management and session security.
Industry-standard password hashing
User passwords are never stored in plaintext. SAMI uses an OWASP-recommended memory-hard algorithm to hash every password before storage.
Optional two-factor authentication
Users can enable TOTP-based 2FA (compatible with any authenticator app). Backup codes are provided at enrolment and can be regenerated at any time.
OAuth single sign-on
Sign in with GitHub or Google. OAuth flows follow the Authorization Code grant; SAMI never stores your OAuth provider credentials.
Asymmetrically signed session tokens
Access tokens are signed with an asymmetric key pair. Short-lived access tokens (minutes) are paired with longer-lived refresh tokens. The private signing key lives exclusively on the backend — the frontend only holds the public verification key.
Session revocation
Refresh tokens can be revoked for all sessions simultaneously. Signing out from one device does not affect others unless you explicitly choose "sign out everywhere".
Compliance
Your rights under GDPR and how to exercise them.
GDPR / DSGVO
SAMI processes personal data in accordance with GDPR (Art. 13/14). Data is processed on servers located within the EU. A Data Processing Agreement (DPA) is available on request.
Cookie consent
Non-essential cookies are loaded only after explicit consent. You can manage your preferences at any time under Account → Privacy.
Manage cookie preferences →Data export
You can request a machine-readable export of all personal data SAMI holds about you from your account settings.
Export your data →Account and data deletion
You can permanently delete your account and all associated data at any time. Deletion is irreversible and complete within 30 days.
Delete your account →Right of access
You have the right to know what data SAMI holds about you and why. Contact privacy@sami-agent.com to exercise this right.
Subprocessors
Third-party services that process data on our behalf.
SAMI uses a small set of audited subprocessors for hosting, payment processing, and transactional email delivery. Each subprocessor is bound by a Data Processing Agreement and processes only the data necessary for their specific function.
The current subprocessor list is maintained in our Privacy Policy.
View the full subprocessor list in our Privacy Policy →Vulnerability Disclosure
Found a security issue? We want to hear from you.
How to report
Send a detailed description to security@sami-agent.com. Include steps to reproduce, affected component, and potential impact.
PGP key available on request
Response time
We acknowledge every vulnerability report within 72 hours. We aim to provide an initial assessment within 7 days and to deploy a fix within 30 days for confirmed issues.
Scope & bounties
We accept reports for the SAMI web application, API, and Desktop IDE. We do not currently operate a paid bug-bounty programme, but we do credit researchers in our changelog (with their consent).
Coordinated disclosure: Please allow us a reasonable fix window before publishing details publicly. We commit to keeping you informed of progress and to crediting your discovery.
Operational Security
How we manage access and monitor our infrastructure.
- Production access is restricted to a minimal team on a need-to-know basis.
- Administrative actions are recorded in an immutable audit log.
- Rate-limiting and abuse detection are applied to all public-facing endpoints.
- Dependencies are monitored for known vulnerabilities; critical patches are applied promptly.
Questions about our security posture?
For security inquiries, compliance questions, or DPA requests, reach out to us directly.