Deploy with Confidence
Security & Trust
SAL is infrastructure for teams shipping AI into regulated markets. We treat the security posture of our platform with the same discipline we expect from the agents we classify. This page documents what we do today, what we're working toward, and what we explicitly do not claim.
Last updated: April 21, 2026. This page is living documentation — report inaccuracies to the address below.
Data Handling
SAL stores two categories of data. Registry data (the 9,483 agent specifications, source citations, and classification metadata) is derived from public U.S. and U.N. government sources — BLS O*NET, eCFR, NIST, U.S. Census NAICS, ILO ISCO — and is not personally identifying. User data (account identity, agent submissions for certification, deployed agent configurations) is scoped by row-level security policies to the owning account.
All user data is encrypted at rest via AES-256 on managed Supabase Postgres (AWS us-west-2) and in transit via TLS 1.3 at the Vercel edge. Database backups are encrypted and retained per Supabase's managed service SLA.
Access & Isolation
Postgres row-level security (RLS) is enabled on every table holding user-owned data. Published policies enforce that users can only read and write their own rows; public surfaces (the certified-agents directory, individual badge pages) expose only rows explicitly marked status = 'certified' and not revoked or expired. The certifications schema and its policies are in the repository migration at supabase/migrations/006_certifications.sql.
Privileged database operations (revocations, admin overrides) run via service-role keys that never leave the server environment, and are not available from any user-facing UPDATE or DELETE path.
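The following Postgres SQL is an added illustration of the access model described above, not SAL's own migration at supabase/migrations/006_certifications.sql. It shows how the two visibility rules (owners read and write only their own rows; public surfaces see only rows with status = 'certified' that are neither revoked nor expired) and the privileged-path restriction (no user-facing UPDATE or DELETE on revocation fields) can be enforced with row-level security policies and column-level grants. The table layout, column names and policy names are assumptions made for this example; the roles anon, authenticated and service_role and the auth.uid() helper are Supabase's standard conventions.

```sql
-- Added example, not SAL's migration. Table and column names are assumptions.
create table if not exists certifications (
    id          uuid primary key default gen_random_uuid(),
    owner_id    uuid not null default auth.uid(),  -- Supabase helper: caller's user id
    agent_name  text not null,
    status      text not null default 'pending'
                check (status in ('pending', 'certified', 'rejected')),
    revoked_at  timestamptz,
    expires_at  timestamptz
);

-- Without ENABLE, policies are ignored and every row is visible to any role
-- that holds SELECT. FORCE also applies the policies to the table owner;
-- Supabase's service_role carries BYPASSRLS and is unaffected by design.
alter table certifications enable row level security;
alter table certifications force row level security;

-- Rule 1: an authenticated user sees, inserts and edits only their own rows.
create policy owner_select on certifications
    for select to authenticated
    using (owner_id = auth.uid());

create policy owner_insert on certifications
    for insert to authenticated
    with check (owner_id = auth.uid() and status = 'pending');

create policy owner_update on certifications
    for update to authenticated
    using (owner_id = auth.uid())
    with check (owner_id = auth.uid());

-- Rule 2: public surfaces (badge pages, directory) see only live certified rows.
-- Policies are permissive and OR'd together, so an owner still sees their own
-- pending rows through owner_select.
create policy public_certified_read on certifications
    for select to anon, authenticated
    using (
        status = 'certified'
        and revoked_at is null
        and (expires_at is null or expires_at > now())
    );

-- Privileged paths: RLS decides which rows a statement may touch, but table
-- privileges decide whether the statement is possible at all. No user-facing
-- role receives DELETE, and UPDATE is granted only on the one column a user
-- may legitimately edit, so status, revoked_at and expires_at cannot be
-- changed through any anon/authenticated connection.
revoke all on certifications from anon, authenticated;
grant select on certifications to anon, authenticated;
grant insert on certifications to authenticated;
grant update (agent_name) on certifications to authenticated;

-- Revocation runs only from server-side code holding the service-role key
-- (placeholder id shown); that role bypasses RLS and holds full privileges:
-- update certifications set revoked_at = now() where id = '<certification id>';
```

A quick check after applying such a migration is to connect with the anon key and confirm that `select * from certifications` returns only certified, unrevoked, unexpired rows, and that an `update ... set status = 'certified'` as an authenticated user fails with a permission error on the column rather than silently affecting zero rows.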
Sub-processors
SAL relies on the following third-party services to operate. This list is current as of the "last updated" date above; Enterprise tier customers are notified in advance of changes.
- Application hosting, edge network, Functions runtime. Data handled: application traffic, logs.
- Managed Postgres, auth, storage. Data handled: user accounts, certifications, submissions.
- Unified LLM routing for the certification evaluator. Data handled: submitted agent prompts during evaluation.
- LLM provider behind AI Gateway (Claude Sonnet 4.6). Data handled: certification evaluation inputs (zero data retention per Anthropic ZDR).
- Payment processing for paid tiers. Data handled: billing events, customer identifiers.
- Source control, CI. Data handled: source code (no customer data).
Compliance Roadmap
SAL is an early-stage company. We are explicit about the difference between what we have today and what we are working toward.
- SOC 2: Readiness assessment scoped. Target: Type I bridge letter within two quarters, Type II within four quarters of first paying enterprise customer.
- Available for Enterprise tier customers handling PHI in submitted certifications. Scoped to the evaluation pipeline, not to the underlying classification data (which is public).
- Standard Data Processing Addendum available on execution of an Enterprise agreement. Standard Contractual Clauses included for EU data transfers.
- Evaluating after SOC 2 Type II. No current commitment date.
- FedRAMP: SAL is not a FedRAMP-authorized service. Classification data derives from public U.S. government sources, but SAL itself operates outside the FedRAMP boundary.
Incident Response & Responsible Disclosure
Report suspected security issues, vulnerabilities, or data incidents to security@standardagentlogic.com. We acknowledge within 48 hours and commit to coordinating disclosure in good faith. Do not publicly disclose vulnerabilities until we have had a reasonable opportunity to remediate.
For confirmed incidents affecting customer data, we will notify impacted Enterprise customers within 72 hours of confirmation, per standard DPA terms.