Security & Compliance
Your data security and privacy are our top priorities. We implement industry-leading practices to protect your information.
Committed to protecting your data
At Saleboy, security isn't an afterthought—it's fundamental to everything we build. We understand that you're entrusting us with sensitive sales and customer data, and we take that responsibility seriously. Our security program is designed to protect your data throughout its lifecycle, from collection to storage to processing.
Data Collection & Processing
What we collect and why
We collect only the data necessary to provide our service effectively:
- Account information: Email, name, company details for authentication and communication
- CRM data: Lead and contact information synced from your CRM for enrichment and scoring
- Usage data: How you interact with our platform to improve suggestions and evaluate performance
- Outcome data: Email responses, meeting outcomes, and deal results to train our models
Data minimization principles
We follow strict data minimization practices. We don't collect data we don't need, and we regularly review our data retention policies to ensure we're only keeping what's necessary. When possible, we aggregate and anonymize data to protect individual privacy while still gaining valuable insights.
Data retention policies
We retain data only as long as necessary to provide our services and comply with legal obligations. When you delete your account, we permanently remove your personal data within 30 days, though some anonymized data may be retained for model training purposes in accordance with our privacy policy.
PII Handling
Types of PII we process
We process personally identifiable information (PII) including names, email addresses, job titles, phone numbers, and company information. We understand the sensitivity of this data and implement robust controls to protect it.
Encryption at rest and in transit
All data is protected with industry-standard encryption:
- At rest: AES-256 encryption for all stored data
- In transit: TLS 1.3 for all network communications
- Database: Encrypted backups with secure key management
Access controls and least privilege
We implement role-based access controls (RBAC) throughout our system. Team members only have access to the data they need to perform their job functions. All access to production systems is logged and monitored. We use multi-factor authentication (MFA) for all administrative access, and we regularly review access permissions.
Security Practices
Regular Security Audits
We conduct quarterly internal security audits and annual third-party assessments to identify and remediate vulnerabilities.
Penetration Testing
We engage independent security firms to perform penetration testing on a regular basis, ensuring our defenses are robust.
Vulnerability Disclosure
We maintain a responsible disclosure policy. Security researchers can report vulnerabilities to contact@saleboy.com.
Incident Response
We have documented incident response procedures, including escalation paths and communication protocols.
Compliance
SOC 2 Type II (In Progress)
We are actively pursuing SOC 2 Type II certification, which validates our security, availability, processing integrity, confidentiality, and privacy controls. We expect to complete this certification in Q2 2025.
GDPR Compliance
We comply with the General Data Protection Regulation (GDPR) for all EU data subjects. This includes providing data access, portability, deletion, and rectification rights. We maintain data processing agreements (DPAs) with all our subprocessors.
CCPA Compliance
We comply with the California Consumer Privacy Act (CCPA) and provide California residents with rights to know, delete, and opt out of the sale of their personal information. We do not sell personal information.
Data Processing Agreements
We provide Data Processing Agreements (DPAs) to customers who require them for compliance purposes. Contact us for a copy of our standard DPA.
Subprocessors
We carefully vet all third-party services that process customer data. Below are our current subprocessors and their roles:
Cloud Infrastructure
AWS (Amazon Web Services) - Primary hosting and data storage. SOC 2 Type II certified, ISO 27001 compliant.
Email Services
SendGrid - Transactional email delivery. GDPR compliant with available DPA.
Analytics
PostHog - Product analytics with data anonymization. Self-hosted option available for enterprise customers.
CRM Integrations
HubSpot, Salesforce - CRM data synchronization via OAuth. Data processed according to their respective security standards.
We notify customers of any changes to our subprocessor list at least 30 days in advance.
Security Incident & Breach Policy
Notification procedures
In the unlikely event of a security breach that affects customer data, we will notify affected customers within 72 hours of confirming the breach. We will provide details about what data was affected, what we're doing to remediate the issue, and what steps customers should take to protect themselves.
Response timeline
Our incident response process includes:
- Immediate: Contain the incident and prevent further damage
- Within 24 hours: Assess the scope and impact of the incident
- Within 72 hours: Notify affected customers and relevant authorities
- Post-incident: Conduct root cause analysis and implement preventive measures
Contact information
For security inquiries, vulnerability reports, or to report a suspected incident, please contact our security team at contact@saleboy.com.
Questions about our security practices?
We're happy to discuss our security program in detail. Our team is available to answer questions and provide additional documentation as needed.