Security & Trust
What Steadybase Is Not
Explicit anti-claims — what we don't do, don't have, and don't promise.
Transparency is a core value. This page explicitly states what Steadybase does not do, does not have, and does not claim. We believe honest anti-claims build more trust than vague marketing.
Compliance Anti-Claims
:::warning
Steadybase is not certified under any compliance framework at this time.
:::
| Claim We Do Not Make | Reality |
|---|---|
| "SOC 2 Certified" | We are not SOC 2 certified. We are on a roadmap toward SOC 2 Type II (target: 2027). |
| "HIPAA Compliant" | We do not process PHI and are not HIPAA compliant. Do not use Steadybase for healthcare data. |
| "PCI DSS Compliant" | We do not process payment card data. Do not use Steadybase for payment processing. |
| "ISO 27001 Certified" | We do not hold ISO 27001 certification. |
| "Enterprise-grade security" | We are building toward enterprise-grade security. We are not there yet. |
Product Anti-Claims
| Claim We Do Not Make | Reality |
|---|---|
| "Replaces your sales team" | Steadybase augments human teams. It does not replace AEs, BDRs, or CSMs. |
| "Fully autonomous AI agents" | Workers operate within guardrails. High-stakes actions require human approval. |
| "Real-time CRM sync" | We do not currently sync with Salesforce, HubSpot, or other CRMs in real time. CRM data integrations are planned but not yet available. |
| "Production-ready at scale" | Steadybase is in early-stage deployment. It is not yet proven at enterprise scale. |
| "99.9% uptime SLA" | We do not offer an SLA. Temporal Cloud provides its own SLA for workflow execution; that SLA covers Temporal's service, not Steadybase as a whole. |
Architecture Anti-Claims
| Claim We Do Not Make | Reality |
|---|---|
| "Multi-tenant" | Steadybase is currently single-tenant. Multi-tenant architecture is on the Phase 4 roadmap. |
| "On-premise deployment" | We do not support on-premise deployment. Cloud-only (AWS). |
| "Air-gapped / offline" | Steadybase requires internet connectivity for LLM APIs and Temporal Cloud. |
| "Zero-knowledge encryption" | We do not implement zero-knowledge encryption. Data is readable by the application. |
| "No data leaves your environment" | Data is processed by third-party LLM providers (Anthropic, OpenAI, Google). |
Data Handling Anti-Claims
| Claim We Do Not Make | Reality |
|---|---|
| "Your data is never used for training" | We do not control the LLM providers' training policies. We access Anthropic, OpenAI, and Google through their APIs (not their consumer products), which under those providers' published policies generally excludes use for training, but you should review each provider's current data policy yourself. |
| "End-to-end encrypted" | Data is encrypted in transit (TLS) and at rest (Temporal Cloud), but it is decrypted during processing, both by Steadybase and by the LLM providers it calls. |
| "Data residency guarantees" | We run in a single AWS region, us-west-2 (Oregon). We do not offer data residency in other regions. |
What We Do Claim
To be clear, here is what we do stand behind:
- We are transparent about our security posture and gaps
- We use Temporal Cloud for durable, fault-tolerant workflow execution
- We implement standard web security controls (TLS, authentication, rate limiting, audit logging)
- We are actively improving our security posture with a documented roadmap
- We keep humans in the loop for high-stakes decisions
- We isolate user data at the application level (authorization checks in application code, not separate infrastructure per user)
:::note
If you need compliance certifications for your use case, we recommend waiting until our Phase 3 or Phase 4 milestones. We'd rather you wait than adopt prematurely.
:::