Trust & Security
Auditable by design
In a market where inflated claims and synthetic data are common, being able to put the evidence chain on the table is a feature, not a footnote. This page describes how we handle data today and the compliance path we are on. Where something is planned rather than in place, we say so.

The line we don't cross
Your world — we never touch
- Student records
- Application systems
- Applicant data
What we sample — public only
- The brand, site & contact you give us
- Public AI answers about you
We only sample what public AI engines already say about you — never your students' or applicants' data.
Evidence integrity
Our whole value rests on numbers you can trust, so the evidence is built, first and foremost, so that any tampering would show.
Access & tenancy
Client evidence is confidential and is isolated per tenant. Isolation is enforced where it cannot be bypassed — at the data layer — and is adversarially tested, not assumed.
- Your evidence is strictly walled off from every other client's — and we actively try to break that wall in testing, so it holds in practice, not just on paper
- Report download links expire quickly — a forwarded or leaked link simply goes dead instead of leaking your data
- Role-based access for clients, managers and administrators
- Least-privilege access to production, with an audit trail
Data handling
We never access your student records, application systems, or applicant data — we only sample what public AI engines say about you. Data in transit is encrypted with TLS, and data at rest is encrypted. We practice data minimization: we collect the brand, website and contact details you give us, plus the AI answers we sample — and little else. Sampling uses clean, terms-compliant channels, not scraped credentials or grey-market proxies.
Compliance roadmap
We are early, and we would rather show the roadmap than imply a certification we do not yet hold. The honest state of each item:
- In placeTLS · encryption at rest · per-tenant isolation · integrity hashes
- In progressSOC 2 Type I readiness
- PlannedSOC 2 Type II · sub-processor register · public trust page
- On requestDPA · sub-processor list · security questionnaire
Sub-processors & data flow
We rely on a small number of reputable infrastructure and AI providers to run the service. The AI engines we sample are, by design, third parties; we send them prompts, not your confidential data. A current sub-processor list is available under NDA on request.
Data residency & retention
For cross-border audiences, data residency is a real question, not a checkbox. We will state, per engagement, where evidence is stored and how long it is retained, and we honor deletion requests. Raw captures are retained to preserve the audit trail; we can scope or purge them on contract terms.
Responsible disclosure
Found a security issue? Email security@besaid.ai. We respond to every credible report, we will not pursue good-faith researchers, and we credit those who help us improve.