Trust Center
Security and trust at Saga PM
We build Saga PM with the controls, transparency, and operational discipline expected by enterprise procurement teams — and we publish the details so you can verify them.
Last updated: May 7, 2026
- TLS 1.2+ in transit
- Encrypted at rest
- SSO + MFA available
- Schema-per-tenant isolation
- SOC 2 Type II — in preparation
- GDPR — DPA available
How we protect your data
Six pillars, each backed by concrete implementation rather than aspiration. Click through for the technical detail.
Encryption
TLS 1.2+ for everything in transit. Production data encrypted at rest. Tenant secrets envelope-encrypted with AES-256-GCM and HKDF-SHA256-derived keys. The master key lives in the production secret store — never in code, logs, or the database.
Read more
Authentication
Password + TOTP, WebAuthn / passkeys, and per-tenant OIDC SSO (Okta, Microsoft, Google, anything OIDC). Workspaces can require MFA — enforced server-side, not just in the UI.
Read more
Authorization
Role and team-based RBAC, evaluated at the API layer. A schema-walking lint test fails CI if any mutation is missing a permission check — the boundary is enforced by the build, not just by review.
Read more
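The two controls in this card, as an added example that is not Saga PM's code: a permission check wrapped around each mutation so it runs in the API layer regardless of what the UI shows, and a schema-walking lint that returns every mutation lacking such a check so CI can fail on a non-empty list. The role names, permission names and registry shape are assumptions standing in for the real schema.

```javascript
// Added example: RBAC evaluated at the API layer plus a schema-walking lint that
// fails the build when a mutation has no permission check. Not Saga PM's code;
// roles, permissions and the mutation registry below are constructed.

// Assumed role -> permissions map. A team dimension would be added the same way.
const ROLE_PERMISSIONS = {
  viewer: new Set(['issue:read']),
  member: new Set(['issue:read', 'issue:write']),
  admin: new Set(['issue:read', 'issue:write', 'workspace:settings', 'secret:write']),
};

function hasPermission(actor, permission) {
  const granted = ROLE_PERMISSIONS[actor.role];
  return granted !== undefined && granted.has(permission);
}

// Wrap a resolver so the check runs server-side before the resolver body.
// The required permission is attached as metadata for the lint to read.
function requirePermission(permission, resolver) {
  const guarded = (actor, args) => {
    if (!hasPermission(actor, permission)) {
      throw new Error(`forbidden: role ${actor.role} lacks ${permission}`);
    }
    return resolver(actor, args);
  };
  guarded.requiredPermission = permission;
  return guarded;
}

// Constructed mutation registry standing in for the API schema. `deleteIssue` is
// deliberately left unguarded so the lint has a defect to report.
const mutations = {
  createIssue: requirePermission('issue:write', (actor, args) => ({ title: args.title, createdBy: actor.id })),
  updateWorkspaceSettings: requirePermission('workspace:settings', (actor, args) => ({ updated: Object.keys(args) })),
  deleteIssue: (actor, args) => ({ deleted: args.id }),
};

// Walk the registry and return the names of mutations with no permission check.
function lintMutations(registry) {
  return Object.entries(registry)
    .filter(([, fn]) => typeof fn.requiredPermission !== 'string')
    .map(([name]) => name)
    .sort();
}

// CI gate: throws (non-zero exit) when any mutation is unguarded, returns true otherwise.
function runLintGate(registry) {
  const missing = lintMutations(registry);
  if (missing.length > 0) {
    throw new Error(`mutations without a permission check: ${missing.join(', ')}`);
  }
  return true;
}

// Stand-alone usage.
console.log('unguarded mutations:', lintMutations(mutations));
try {
  mutations.createIssue({ id: 'u1', role: 'viewer' }, { title: 'x' });
} catch (e) {
  console.log(e.message);
}
```

Because the lint reads metadata that only `requirePermission` attaches, a new mutation written without the wrapper fails the gate on its first CI run, which is what "enforced by the build, not just by review" means in practice.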
Tenant isolation
Each workspace's data lives in its own PostgreSQL schema. Every API request scopes the database connection to that schema before any query runs — there is no cross-tenant SQL.
Read more
Auditability
Tenant settings changes, admin actions, and sensitive operations (secret read/write, OIDC flows) are logged with actor, action, and before/after — queryable per-tenant.
Read more
Operational maturity
Mandatory peer review on every change. CI gates build, test, dependency vulnerability scanning, and migration safety. Production deploys are deliberate (not auto-merged). Continuous monitoring on auth failures, rate limits, error rates, and capacity.
Read more
Compliance roadmap
We are open about where we are. Saga PM is in active preparation for SOC 2 Type II, scoped to Security, Availability, and Confidentiality — the same Trust Services Criteria the project-management category publishes against.
- SOC 2 Type II: in preparation. Type I attestation first as a procurement artifact, then a 6-month observation window for Type II. Compliance platform and auditor selection underway.
- GDPR: DPA available. Standard Data Processing Addendum incorporated into our Terms of Service. SCCs included for international transfers.
- Penetration testing: scheduled. First independent third-party penetration test scheduled within the SOC 2 prep window. Reports will be made available under NDA on request once issued.
Documentation
Public material is here. Confidential material (SOC 2 report, penetration test results, security questionnaire responses) is available under NDA — request via [email protected].
Subprocessors
The third-party services that process Saga PM data, what they do, and where.
Data Processing Addendum
Standard DPA, GDPR-aligned, applies automatically when you accept our Terms of Service.
Security overview
Detailed walkthrough of our security controls, encryption, isolation model, and SDLC.
Privacy Policy
How we collect and handle personal data on the marketing site and in the application.
Get in touch
Security disclosures
Found something? Email [email protected]. We acknowledge within 2 business days.
Privacy inquiries
Data subject rights, DPA questions, or compliance requests: [email protected].
Subprocessor updates
To be notified before we engage a new subprocessor, subscribe at [email protected].