Security & Trust

Your files. Your keys. Your audit trail.

Dataryo is the system of record for documents that matter. We treat that responsibility with the boring, paperwork-heavy seriousness it deserves.

  • SOC 2 TYPE II · AUDITED 2026
  • ISO 27001:2022
  • GDPR COMPLIANT
  • HIPAA BAA AVAILABLE
  • CCPA COMPLIANT
  • PEN-TEST Q1 2026 · NCC GROUP

Four pillars

How Dataryo holds the line.

We organize our program around four pillars: data boundaries, identity, observability, and vendor discipline. Every control we ship maps back to one of these.

01 · Data boundaries

Encrypted in transit and at rest

TLS 1.3 on the wire, AES-256-GCM at rest. Per-tenant encryption keys managed in AWS KMS, with customer-managed keys (CMK) on Enterprise.

02 · Data boundaries

Regional residency

Choose US, EU (Frankfurt), or UK (London). Data never leaves the region, including embeddings and AI inference.

03 · Data boundaries

Immutable originals

Uploaded files are write-once. Transformations produce new records; the source is always reachable by hash.

04 · Data boundaries

No training on your data

Contractually. Your files, prompts, and outputs are used to serve your workspace only. This is a term, not a toggle.

05 · Identity

SSO & SCIM

SAML 2.0 with Okta, Azure AD, Google, and OneLogin. SCIM provisioning and de-provisioning on Team and Enterprise.

06 · Identity

Role-based access

Owner, admin, editor, viewer. Folder-level ACLs. Granular controls for Transformations and export.

07 · Observability

Audit log, streamable

Every read, write, prompt, citation, and export — timestamped and exportable. Stream to Splunk, Datadog, or S3.

08 · Observability

Lineage as evidence

Every AI output carries a cryptographic manifest of the source chunks it was grounded in. Reproducible, forever.

09 · Vendor discipline

Sub-processors, minimal

AWS, Cloudflare, Anthropic, OpenAI, Stripe. All on DPAs. Public list maintained at a dedicated URL.

10 · Vendor discipline

Model-provider controls

Zero-retention agreements with all model providers. Enterprise can pin to a single provider or route through a private deployment.

Program

The unglamorous controls under the hood.

We run a continuous compliance program with drift monitoring across AWS, GitHub, Okta, and our code. Every control has an owner and a review cadence.

What we publish

  • SOC 2 Type II report (under NDA, via security@dataryo.com)
  • ISO 27001 certificate (public)
  • Annual pen-test executive summary
  • DPA and list of sub-processors (public)
  • Vulnerability disclosure policy
  • Uptime & incidents at status.dataryo.com

What we don't do

  • Train foundation models on customer data. Ever.
  • Ship features that modify originals in place.
  • Send customer content through a prompt without a citation manifest.
  • Store the things we don't need. Short retention by default.

Responsible disclosure

Find a bug? We want to know.

We run a private bounty with coordinated disclosure. No lawyers, no NDAs for good-faith research. Report to security@dataryo.com.