Besaid

Trust & Security

Auditable by design

In a market where inflated claims and synthetic data are common, being able to put the evidence chain on the table is a feature, not a footnote. This page describes how we handle data today and the compliance path we are on. Where something is planned rather than in place, we say so.

A university building façade — the solidity trust is built on

The line we don't cross

Your world — we never touch

  • Student records
  • Application systems
  • Applicant data

What we sample — public only

  • The brand, site & contact you give us
  • Public AI answers about you

We only sample what public AI engines already say about you — never your students' or applicants' data.

Evidence integrity

Our whole value rests on numbers you can trust, so the evidence is built, first and foremost, so that any tampering would show.

01Capturethe AI's exact answer
02SealSHA-256
03Immutableno quiet rewrites
04Traceableevery metric → its capture

Access & tenancy

Client evidence is confidential and is isolated per tenant. Isolation is enforced where it cannot be bypassed — at the data layer — and is adversarially tested, not assumed.

  • Your evidence is strictly walled off from every other client's — and we actively try to break that wall in testing, so it holds in practice, not just on paper
  • Report download links expire quickly — a forwarded or leaked link simply goes dead instead of leaking your data
  • Role-based access for clients, managers and administrators
  • Least-privilege access to production, with an audit trail

Data handling

We never access your student records, application systems, or applicant data — we only sample what public AI engines say about you. Data in transit is encrypted with TLS, and data at rest is encrypted. We practice data minimization: we collect the brand, website and contact details you give us, plus the AI answers we sample — and little else. Sampling uses clean, terms-compliant channels, not scraped credentials or grey-market proxies.

Compliance roadmap

We are early, and we would rather show the roadmap than imply a certification we do not yet hold. The honest state of each item:

  • In placeTLS · encryption at rest · per-tenant isolation · integrity hashes
  • In progressSOC 2 Type I readiness
  • PlannedSOC 2 Type II · sub-processor register · public trust page
  • On requestDPA · sub-processor list · security questionnaire

Sub-processors & data flow

We rely on a small number of reputable infrastructure and AI providers to run the service. The AI engines we sample are, by design, third parties; we send them prompts, not your confidential data. A current sub-processor list is available under NDA on request.

Data residency & retention

For cross-border audiences, data residency is a real question, not a checkbox. We will state, per engagement, where evidence is stored and how long it is retained, and we honor deletion requests. Raw captures are retained to preserve the audit trail; we can scope or purge them on contract terms.

Responsible disclosure

Found a security issue? Email security@besaid.ai. We respond to every credible report, we will not pursue good-faith researchers, and we credit those who help us improve.