SAGANOM

Trust & security

Private by architecture, not by policy.

Career conversations only work when people trust them. So the guarantees below aren’t promises in a handbook — they are how the system is built. This page is written to be forwarded to your DPO and your works council.

Data residency

Where your data lives

All application data is stored in the European Union: the database runs on EU Postgres infrastructure and the application is hosted in Frankfurt, Germany. Data is encrypted in transit (TLS) and at rest (AES-256). Saganom is built and operated from Switzerland.

Access

Who sees what

DataEmployeeManagerHR / Admin
Coaching conversations with LeoFull access, can deleteNo accessNo access
Career map & aspirationsFull access & controlNo accessAnonymous themes only
Own wallet & learning historyFull accessFunding requests of direct reportsOrg-level aggregates
Skill levelsFull access & controlNo individual levelsAggregates by function/band, groups <5 suppressed

“No access” means no product surface, no API, and no report exposes it — the restriction is enforced in code, on every query. Every access to organizational insights is itself logged.

AI processing

How Leo handles data

Leo — Saganom’s AI career coach — currently runs on Anthropic’s Claude models, accessed via API under a data processing agreement. Our guarantees are provider-independent and hold for any model vendor we use: data is processed under a DPA, is never used to train models, and any change of AI provider is announced through the standard subprocessor-notification process. Leo is architecturally firewalled from performance evaluation: nothing Leo sees or writes feeds appraisals, ratings, or promotion decisions — our EU AI Act posture is a design constraint, not a disclaimer. Employer-facing analytics never query conversation content.

Employee control

Consent first, erasure built in

Employees choose what gets profiled before anything is stored. Uploaded CVs are parsed and immediately discarded — the file is never kept, and the pasted text is scrubbed after onboarding. Every profile field drafted by Leo requires the employee’s explicit confirmation before it is saved. Employees can delete any coaching conversation at any time — a hard delete, not an archive — and can export their own data from settings.

Accountability

Everything leaves a trail

Every movement of money and every access to organizational insight is written to an immutable audit log — who, what, when. Deletions are logged as events (who and when, never the content). The wallet itself is a double-entry ledger that must reconcile to the cent.

The honest part

Where we are on certifications

Saganom is a young company. We do not yet hold SOC 2 or ISO 27001 certifications — formal audits are on our roadmap as we grow. What we offer today is architectural transparency: this page describes the system as it is actually built, our subprocessor list is short (EU hosting and database, our current AI provider, Resend for transactional email), and we’ll gladly walk your DPO through any of it, including a data processing agreement.

Questions your DPO will ask? Ask them now.

Talk to us