Trust

Trust at Saiba — radical transparency on how we operate

We build AI infrastructure that sits close to your business and your data. That posture only earns trust if we explain how it actually works. This page documents what we do, what we don't, and where we still have work to do.

Last updated: 2026-05-07
Next review: 2026-08-07
Status: Published draft

Compliance status

  • GDPR-compliant

    Data processing aligned with EU GDPR. See our privacy policy and sub-processor list.

    Active
  • ISO 27001 readiness

    Q3-Q4 2026 preparation. Certification target Q1 2027. Quarterly milestones tracked internally; status updates published in each transparency report.

    In progress
  • AI Pact signatory

    Voluntary commitment to the EU AI Act ahead of full enforcement. We track our obligations against the Act's risk tiers and report against them.

    Signed
  • D-mærket (Danish digital responsibility)

    Application in process. We publicly commit to the principles regardless of certification timing.

    In process
  • Operating on certified infrastructure

    Built on ISO 27001 / SOC 2 certified providers: Hetzner (compute), Supabase (data), Vercel (delivery). Sub-processor scope listed below.

    Active

Documents

Public-safe versions of our compliance documents. The canonical, versioned source is SAIBASPACE/saiba-internal (the compliance/ folder). Procurement teams can request the full document set under NDA.

  • Privacy Policy: View
  • Sub-processors list: View
  • Data Processing Agreement (template): Request
  • Breach Response Runbook (summary): Request
  • AI Ethics Policy: Request
  • Supply Chain Manifesto: Request
  • Transparency Report — Q2 2026: Request
  • Reference Architecture: Request

Public commitments

  • Annual transparency report

    Published every year covering incidents, sub-processor changes, and compliance posture deltas.

  • Public sub-processor list, kept current

    Material changes notified to active customers ahead of activation.

  • 72-hour breach notification

    In line with GDPR Article 33. Customers and supervisory authorities are notified within 72 hours of a confirmed incident.

  • Vulnerability disclosure program

    Responsible disclosure published at /.well-known/security.txt. Policy at /security-policy.

  • Accessibility

    We target WCAG 2.1 AA. Statement at /accessibility.

Acknowledgments

Researchers who report security issues responsibly will be listed here with their permission. The list is currently empty — be the first.

Contact

  • General compliance: gus@nearweek.com
  • Security: security@saiba.dk (provisioning — use gus@nearweek.com today)