Privacy Policy

Sirat Bridge LLC
18429 Veterans Memorial Drive E, Bonney Lake, WA 98392, United States
Mailing: P.O. Box 7024, Bonney Lake, WA 98391
Phone: (323) 209-5682 · Monday – Friday, 8:00 AM – 5:00 PM Pacific Time
Privacy & data requests: compliance@siratbridge.net

Sirat Bridge is a secure multi-tenant SaaS platform for operational organizations. This policy applies to all tenant workspaces and platform surfaces, including customer communications, workflow automation, document management, AI-assisted operations, logistics, and customer operations.

Sirat Bridge LLC ("Platform Provider") supplies the underlying infrastructure, security controls, and processing engine. Each "Tenant Organization" determines what personal data is collected within its workspace, the purposes of processing, and the lawful basis. Under GDPR/UK GDPR terminology, the Tenant Organization is the data controller and Sirat Bridge is the data processor.

• Platform Provider — platform security, encryption, RLS enforcement, audit logging, infrastructure availability, subprocessor management, breach notification to tenants.
• Tenant Organization — lawful basis for collection, customer notices, consent capture, response to customer data subject rights requests, internal access provisioning, configuration of DNC / calling-window / messaging rules.

Every record created on Sirat Bridge is scoped to the organization that created it. Row-Level Security policies enforce isolation at the database layer; no cross-organization read or write is possible through the application or API.

Customer-facing data (names, contact details, operational records, attached documents) remains the property of the Tenant Organization. Sirat Bridge processes this data only to deliver the platform service and never sells, rents, or uses it for advertising or third-party model training.

Phone numbers and email addresses collected for notifications, invitations, and operational alerts are stored securely and scoped to the Tenant Organization. Consent is obtained before sending SMS or email. Recipients may opt out at any time. See our SMS Consent & Communications Policy for full details.

Sirat Bridge may use automated systems and AI-assisted models to summarize records, draft messages, transcribe calls, route workflows, and place outbound voice or SMS communications on behalf of a Tenant Organization. When you interact with a Sirat Bridge-powered conversation:

• You may be communicating with an AI assistant or a recorded automated system; identification is provided at the start of the interaction where required by law.
• Recipients may opt out, request a human handoff, or request transcripts at any time.
• AI processing is performed by vetted subprocessors under data processing agreements; recordings and transcripts are retained per the schedule below.
• AI-generated output is not used as a sole basis for decisions producing legal or similarly significant effects without human review.

Individuals whose personal data is processed through Sirat Bridge may exercise the following rights, subject to applicable law (including GDPR, UK GDPR, CCPA/CPRA, and equivalent regimes):

• Access — request a copy of personal data held about you
• Rectification — request correction of inaccurate or incomplete data
• Erasure — request deletion where retention is no longer required by law or contract
• Restriction — request that processing be limited pending review
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interests
• Withdraw consent — at any time, for processing that relies on consent
• Non-discrimination — exercise rights without retaliation or degraded service

Customers should direct requests first to the Tenant Organization that holds their record. Platform-level requests may be submitted to privacy@siratbridge.net or compliance@siratbridge.net. We respond within 30 days.

Retention periods reflect operational need and applicable legal obligations. Defaults below apply unless a Tenant Organization configures a shorter or longer schedule consistent with law:

• Operational records (workflows, shipments, documents): retained for the active life of the tenant plus 90 days after termination.
• Communications metadata (SMS/email send logs): 24 months.
• Voice recordings and AI transcripts: 90 days by default; configurable per tenant.
• Audit logs: 24 months minimum; longer where required by law.
• Authentication logs: 12 months.
• Backups: encrypted, rolling 30-day window; deletion requests are honored on restoration.
• Account closure: tenant data is purged within 30 days of confirmed termination, subject to legal-hold obligations.

Deletion requests are confirmed in writing once executed. Anonymized/aggregated analytics that cannot be re-identified may be retained.

Sirat Bridge maintains a layered governance program covering identity, data, network, telephony, AI, and operations. Controls are designed to align with widely recognized frameworks:

• SOC 2 Trust Services Criteria — Security, Availability, Confidentiality, Processing Integrity, Privacy (formal attestation targeted post-GA)
• NIST Cybersecurity Framework — Identify, Protect, Detect, Respond, Recover
• CIS Controls v8 — inventory, access control, secure configuration, audit logging, incident response
• MFA required for privileged administrative actions
• Audit logging — append-only, tenant-scoped and platform-scoped
• Least-privilege access — enforced via RBAC and Row-Level Security at the database layer
• Communications — TCPA, CTIA Messaging Principles & Best Practices, carrier 10DLC requirements

Current posture is described in our Security Overview.

Material actions across organizations, users, roles, records, communications, and documents are recorded in an append-only audit log. Tenant administrators can review entries within their organization scope; platform-level entries are visible only to Sirat Bridge platform administrators.

All uploaded files are stored in private object storage with organization-prefixed paths. Access is mediated by short-lived signed URLs. No bucket-level public access is configured.

Responsible disclosures are welcomed. Email security@siratbridge.net with a clear reproduction. We aim to acknowledge security reports within one business day and will not pursue researchers acting in good faith under this policy.

Privacy: privacy@siratbridge.net · Compliance: compliance@siratbridge.net · Security: security@siratbridge.net · Support: support@siratbridge.net

This policy describes the Controlled Early Access Release posture. A general-availability privacy notice will replace this document at public launch. Material changes will be communicated to tenant administrators by email.