Trust & Safety
Security
Last updated: May 2026
Your brand data is the most sensitive thing you hand us. Here is an honest account of the controls we have in place and how to reach us if something looks wrong.
Encryption in transit
All data between your browser and Sauce travels over TLS 1.2 or higher. We enforce HTTPS on every endpoint and reject unencrypted connections.
Encryption at rest
Stored data — brand profiles, campaign content, account information — is encrypted at rest using AES-256.
Account isolation
Brand data and generated content are isolated per workspace. No customer can access another customer's data. AI generation requests include only the data belonging to your account.
Access controls
Internal access to production systems follows the principle of least privilege. Engineers access production data only when necessary for support or incident response, and all such access is logged.
AI data handling
When Sauce sends your brand data to AI processing services to generate content, it does so over encrypted connections and under data processing agreements that prohibit use of your data for training models for other customers.
Incident response
We maintain an incident response process. In the event of a confirmed breach affecting your data, we will notify you within 72 hours of discovery with details of what happened and what we are doing to address it.
What we’re still working on
We are a Founders’ Beta product. We believe in transparency, which means being upfront about what we have not yet achieved:
- We have not yet completed a SOC 2 Type II audit. This is on our roadmap for post-beta.
- We do not yet have a formal penetration test report from a third-party firm.
- A full bug bounty programme is not yet in place — but we take all responsible disclosures seriously (see below).
If these gaps are blockers for your organisation, the controls listed above are what we can offer today.
Responsible disclosure
If you discover a security vulnerability in Sauce, please tell us before disclosing it publicly. We commit to:
- Acknowledge your report within 2 business days.
- Investigate and provide an initial assessment within 7 days.
- Work with you on a responsible disclosure timeline.
- Credit you in our security acknowledgements (if you wish).
To report a vulnerability, contact us through your account workspace with “Security Disclosure” as the subject. Please include a description of the vulnerability, steps to reproduce, and your assessment of severity.
We ask that you do not access, modify, or delete data that does not belong to you during your research, and that you do not disclose the issue publicly until we have had a reasonable opportunity to address it.