Trust & security
Career conversations only work when people trust them. So the guarantees below aren’t promises in a handbook — they are how the system is built. This page is written to be forwarded to your DPO and your works council.
Data residency
All application data is stored in the European Union: the database runs on EU Postgres infrastructure and the application is hosted in Frankfurt, Germany. Data is encrypted in transit (TLS) and at rest (AES-256). Saganom is built and operated from Switzerland.
Access
| Data | Employee | Manager | HR / Admin |
|---|---|---|---|
| Coaching conversations with Leo | Full access, can delete | No access | No access |
| Career map & aspirations | Full access & control | No access | Anonymous themes only |
| Own wallet & learning history | Full access | Funding requests of direct reports | Org-level aggregates |
| Skill levels | Full access & control | No individual levels | Aggregates by function/band, groups <5 suppressed |
“No access” means no product surface, no API, and no report exposes it — the restriction is enforced in code, on every query. Every access to organizational insights is itself logged.
AI processing
Leo — Saganom’s AI career coach — currently runs on Anthropic’s Claude models, accessed via API under a data processing agreement. Our guarantees are provider-independent and hold for any model vendor we use: data is processed under a DPA, is never used to train models, and any change of AI provider is announced through the standard subprocessor-notification process. Leo is architecturally firewalled from performance evaluation: nothing Leo sees or writes feeds appraisals, ratings, or promotion decisions — our EU AI Act posture is a design constraint, not a disclaimer. Employer-facing analytics never query conversation content.
Employee control
Employees choose what gets profiled before anything is stored. Uploaded CVs are parsed and immediately discarded — the file is never kept, and the pasted text is scrubbed after onboarding. Every profile field drafted by Leo requires the employee’s explicit confirmation before it is saved. Employees can delete any coaching conversation at any time — a hard delete, not an archive — and can export their own data from settings.
Accountability
Every movement of money and every access to organizational insight is written to an immutable audit log — who, what, when. Deletions are logged as events (who and when, never the content). The wallet itself is a double-entry ledger that must reconcile to the cent.
The honest part
Saganom is a young company. We do not yet hold SOC 2 or ISO 27001 certifications — formal audits are on our roadmap as we grow. What we offer today is architectural transparency: this page describes the system as it is actually built, our subprocessor list is short (EU hosting and database, our current AI provider, Resend for transactional email), and we’ll gladly walk your DPO through any of it, including a data processing agreement.