Security & Privacy Policy

Effective date: May 2026

hello@sagastud.io

EU infrastructure All data stored exclusively in Belgium and Germany
GDPR compliant Full compliance with EU data protection regulation
EU AI Act High-Risk AI System framework for Digital Twins
Encrypted transit TLS 1.2+ and AES-256 encryption throughout
Infrastructure

Where your data lives

Saga operates a cloud-native infrastructure with no on-premise servers. All data is stored exclusively within the European Union on certified infrastructure.

  • Google Cloud · EU-West · Belgium · SOC 2 Type II · ISO 27001
  • Supabase · Frankfurt · Germany · SOC 2 Type II · ISO 27001

No personal data is transferred outside the EU/EEA without adequate safeguards. Both providers maintain continuous security monitoring, automated patching, and vulnerability scanning as part of their certified operations.

Data protection

How we protect your data

All data in transit is encrypted using TLS 1.2 or higher. All data at rest is encrypted using AES-256.

Access to all systems is controlled via role-based access controls and multi-factor authentication. No shared or generic admin accounts are used.

Security-relevant events including authentication, data access, and API calls are logged continuously via Google Cloud Logging and Supabase audit logs.

Infrastructure-level security patches are applied automatically by our providers. Critical application-layer patches are deployed immediately upon identification.

All team devices use full-disk encryption (FileVault), MFA for system access, and current OS versions maintained through automatic updates.

Compliance

Regulatory frameworks

GDPR — All personal data is processed in accordance with EU GDPR. Saga acts as data controller for model data under Digital Twin agreements. Data subjects retain full rights of access, rectification, and erasure.

EU AI Act (Regulation 2024/1689) — Saga's Digital Twin platform is classified as a High-Risk AI System. We maintain a compliance framework including technical documentation, conformity assessments, and data governance protocols.

ISO 27001 alignment — Saga's internal security program is being developed in alignment with ISO 27001 principles. Our infrastructure providers are independently audited against this standard annually.

Digital Twins

Model consent and data handling

Saga maintains direct contractual relationships with all individuals whose likeness is used in Digital Twin systems. All models provide informed consent under agreements that cover compensation, usage restrictions, and withdrawal rights.

Digital Twin assets may not be used to train third-party AI models, create derivative AI systems, or for any purpose not explicitly approved in the relevant campaign licence. If a model withdraws consent, all usage ceases immediately.

Reference images used in Digital Twin production are handled under Saga's EU AI Act compliance framework and stored exclusively on EU-based infrastructure with strict access controls.

Data minimisation

What data we collect and why

Saga collects only the data necessary to deliver the services agreed in each client engagement. We do not sell, license, or share personal data with third parties for marketing purposes. Client data is not used to train Saga's AI models without explicit written consent.

Content generated using the Saga platform — images, videos, copy — belongs to the client upon creation and is not retained beyond the agreed engagement scope.

Third-party AI providers (fal.ai, Topaz, Anthropic) process input data transiently under GDPR-compliant Data Processing Agreements. Input assets are not retained by providers beyond the duration of processing.

For security or privacy enquiries: hello@sagastud.io

Saga Artificial Intelligence Company AB · Org. no. 559539-8875 · Stockholm, Sweden