Sonar · Clearance Binder · File 47-N

Trust posture

What we promise.
What we won’t do.

Sonar reads collaboration patterns — not the words inside them. Every employee can pause, opt out, export, or delete their data. This binder lists the practices we ship and every company we share data with.

TL;DR for vendor reviewers

  • Data sharing: Metadata only — never message text. We do not sell it, share it for advertising, or aggregate it across customers.
  • Subprocessors: 10 entries in the list below; seven companies receive your data. The three integrations (Slack, GitHub, Calendar) are read-only sources — nothing is sent back to them.
  • Policies: Privacy + security posture published; DPA, SCCs, SOC 2 (when ready) on request.
  • Oversight: Quarterly precision report; per-cohort bias monitoring; tamper-proof audit log.

Commitments

Eight short statements.

Each is verifiable in product or in code.

  1. No. 01

    We never read your message content

    Sonar sees who messaged whom and when — never what was said. Same for PR diffs (we see who reviewed what, not the code itself). The text of any message stays where it was sent.

  2. No. 02

    Every employee controls their own data

    From your account page you can pause data collection (takes effect immediately), turn off any one source (Slack, GitHub, or calendar), export a copy of everything we have on you, or request deletion. Deletes get a 30-day grace window, then erase across every system.

    Your data and controls

  3. No. 03

    Org-wide kill-switch

    Any workspace owner can pause Sonar with one click; all processing halts within minutes. Useful during a layoff, an investigation, a regulatory request, or anything else where the right answer is "stop everything now and figure it out."

    Admin dashboard (sign-in required)

  4. No. 04

    We watch ourselves for bias

    Every signal Sonar fires is logged alongside the role and tenure of the person it fired for. If Sonar starts behaving differently for one group versus another, that shows up in a dashboard before it becomes a problem.

    Bias dashboard (sign-in required)

  5. No. 05

    Every brief item shows its evidence

    Every line in your morning brief links back to the actual Slack message, calendar event, or PR that triggered it. No AI claims without a source you can verify in one click.

  6. No. 06

    Sonar never recommends firing or PIPs

    If a brief or meeting summary tries to say "fire", "PIP", "terminate", or "underperformer", we reject it before it reaches you. Sonar surfaces patterns. Decisions about people stay with humans and HR.

  7. No. 07

    Tamper-proof audit log

    Every admin action — inviting someone, connecting an integration, flipping the kill-switch, exporting data — gets recorded in a log even Sonar staff can't edit or delete.

  8. No. 08

    Data ages out automatically

    By default we keep activity for 90 days, signals for one year, and meeting transcripts for 90 days. Each can be tuned per workspace. After the window, data is permanently deleted.

Compliance status

Where we stand right now.

GDPR and CCPA practices are live. SOC 2 audit starts Q3 2026 — we won’t claim the report until it lands.

  1. GDPR

    DPA available on request; SCCs Module 2 (controller-to-processor) for EU/UK transfers; right-to-be-forgotten cascade implemented end-to-end.

  2. CCPA

    California residents can request deletion via /me; export bundle satisfies the right-to-know request.

  3. SOC 2 Type I

    SOC 2 Type I audit fieldwork is scheduled for Q3 2026. The auditor name will be published on /trust as soon as one is engaged. Type II observation period begins immediately after Type I lands.

  4. SOC 2 Type II

    Type II report targets Q3 2027.

Security practices

Every control, live today.

Nothing aspirational on this list.

Encrypted on disk

Sensitive data — private notes, integration tokens — is encrypted with AES-256 using keys unique to each deployment. If someone got the database file, they'd see ciphertext, not your data.

Encrypted in transit

Every connection uses modern TLS — between you and the app, between Sonar and Slack/GitHub/Anthropic, everywhere. No plaintext data moves over the wire.

Sign in with Google or email

Google SSO and magic-link email today. SAML/Okta single sign-on for organizations is on the roadmap.

Tenant isolation at the database

Your data is isolated from every other customer's at the database level, not only in application code, so a bug in our app alone can't leak data across organizations.

Verified inbound integrations

Every webhook from Slack, GitHub, Stripe, or our email provider is signed by them and verified by us before it can write anything. Replay attacks are blocked by a five-minute freshness window.

Vulnerability disclosure

Email security@sonarwork.com. We respond inside one business day, push critical fixes inside seven days, and credit reporters publicly with their permission. External pen test is scheduled for Q3 2026 — we won't claim it until it's done.

Incident response

If something goes wrong, we have written runbooks for the engineer on call and a 72-hour notification commitment for any confirmed breach affecting your data.

Subprocessors (10)

Every company we send your data to.

Ten entries below: seven companies that receive data, plus the three integrations (Slack, GitHub, Google Calendar), which are data sources only — Sonar reads from them, nothing flows back. You’ll get 30 days’ notice before any subprocessor is added or removed.

  1. No. 01
    Anthropic · Region: us

    Claude is the AI model that writes your morning brief. We never send the contents of any message — only the structural facts (who, when, how often). Emails, phone numbers, and risky phrases are stripped before anything reaches the model.

  2. No. 02
    Resend · Region: us

    Transactional + opt-in email delivery for morning briefs, invitations, and export-ready notifications. Bounces + complaints feed our suppression list.

  3. No. 03
    Stripe · Region: global

    Billing and subscription management. Your card number goes directly to Stripe — Sonar never sees it, stores it, or has access to it.

  4. No. 04
    PostHog · Region: us

    Product analytics — event names so we can see which features are used (e.g. "first brief sent", "integration connected"). Never message text. Browser-side capture (URL path, user agent, truncated IP) is gated on the cookie-consent banner.

  5. No. 05
    Slack

    Source data only — Sonar reads metadata about messages + reactions in channels you've connected. Slack does NOT receive any data from Sonar (one-way ingest).

  6. No. 06
    GitHub · Region: us

    Source data only — Sonar reads metadata about pull requests + reviews + commits in repos you've connected. GitHub does NOT receive any data from Sonar.

  7. No. 07
    Google (Calendar) · Region: global

    Source data only — Sonar reads meeting metadata (count, duration, attendee emails) from connected Google Workspace calendars. By default we never read meeting titles or descriptions.

  8. No. 08
    Vercel · Region: us

    Where the Sonar website and app actually run. Server logs are kept seven days and never contain message content.

  9. No. 09
    Deepgram · Region: us

    Speech-to-text for the meeting bot. Used only when an admin enables the meeting bot and a host invites it to a call. Audio is streamed to Deepgram, transcribed, and discarded after we receive the text.

  10. No. 10
    Cloudflare R2 · Region: global

    Object storage for short-lived encrypted meeting-bot audio blobs and customer data exports. Buckets are private; only Sonar can read them.

Questions & correspondence

A human reads every reply.

Email security@sonarwork.com for security disclosures or compliance documents (DPA, SCCs, SOC 2 report when ready). Email privacy@sonarwork.com for GDPR / CCPA data subject requests if you can’t use the in-product /me page.

Last filed: . See also our quarterly precision report.

Filed by — Y. Agarwal
Classification — Open