Security & Privacy Policy
Where your data lives
Saga operates a cloud-native infrastructure with no on-premise servers. All data is stored exclusively within the European Union on certified infrastructure.
- Google Cloud · EU-West · Belgium · SOC 2 Type II · ISO 27001
- Supabase · Frankfurt · Germany · SOC 2 Type II · ISO 27001
No personal data is transferred outside the EU/EEA without adequate safeguards. Both providers maintain continuous security monitoring, automated patching, and vulnerability scanning as part of their certified operations.
How we protect your data
All data in transit is encrypted using TLS 1.2 or higher. All data at rest is encrypted using AES-256.
Access to all systems is controlled via role-based access controls and multi-factor authentication. No shared or generic admin accounts are used.
Security-relevant events including authentication, data access, and API calls are logged continuously via Google Cloud Logging and Supabase audit logs.
Infrastructure-level security patches are applied automatically by our providers. Critical application-layer patches are deployed immediately upon identification.
All team devices use full-disk encryption (FileVault), MFA for system access, and current OS versions maintained through automatic updates.
Regulatory frameworks
GDPR — All personal data is processed in accordance with EU GDPR. Saga acts as data controller for model data under Digital Twin agreements. Data subjects retain full rights of access, rectification, and erasure.
EU AI Act (Regulation 2024/1689) — Saga's Digital Twin platform is classified as a High-Risk AI System. We maintain a compliance framework including technical documentation, conformity assessments, and data governance protocols.
ISO 27001 alignment — Saga's internal security program is being developed in alignment with ISO 27001 principles. Our infrastructure providers are independently audited against this standard annually.
Model consent and data handling
Saga maintains direct contractual relationships with all individuals whose likeness is used in Digital Twin systems. All models provide informed consent under agreements that cover compensation, usage restrictions, and withdrawal rights.
Digital Twin assets may not be used to train third-party AI models, create derivative AI systems, or for any purpose not explicitly approved in the relevant campaign licence. If a model withdraws consent, all usage ceases immediately.
Reference images used in Digital Twin production are handled under Saga's EU AI Act compliance framework and stored exclusively on EU-based infrastructure with strict access controls.
What data we collect and why
Saga collects only the data necessary to deliver the services agreed in each client engagement. We do not sell, license, or share personal data with third parties for marketing purposes. Client data is not used to train Saga's AI models without explicit written consent.
Content generated using the Saga platform — images, videos, copy — belongs to the client upon creation and is not retained beyond the agreed engagement scope.
Third-party AI providers (fal.ai, Topaz, Anthropic) process input data transiently under GDPR-compliant Data Processing Agreements. Input assets are not retained by providers beyond the duration of processing.
For security or privacy enquiries: hello@sagastud.io
Saga Artificial Intelligence Company AB · Org. no. 559539-8875 · Stockholm, Sweden