How Soramai protects your data and your models.

Customer data stays customer data

Datasets uploaded to Soramai are stored encrypted and used only to run training jobs that you initiate. We do not train shared models on your data, share it across accounts, or hand it to third-party model providers.

Isolated GPU workloads

Every training job runs in a dedicated pod. The pod is provisioned at job start, attached to your private dataset, and torn down when the job ends. No state is shared between customer workloads.

Encryption in transit and at rest

All traffic between your machine, the dashboard, the API, and GPU workers runs over TLS 1.2 or higher. Datasets and model artifacts are stored encrypted at rest in object storage with per-object access control.

Least-privilege access for staff

Soramai staff cannot read customer datasets or artifacts during normal operation. Production access is gated by short-lived credentials, logged, and limited to incident response. Access is reviewed quarterly.

What we store

Account email, hashed password (Firebase Auth), uploaded datasets, trained adapter artifacts, training and inference logs, credit balance, and billing receipts.

What we do not store

We do not store payment card numbers — Stripe is our processor of record. We do not store unencrypted secrets you provide (Hugging Face tokens, deployment API keys); those are encrypted with a customer-scoped key.

Retention

Datasets and artifacts are retained while the account is active. You can delete a dataset or model at any time from the dashboard; deletion is propagated to backups within 30 days. Logs are retained for 90 days for debugging and abuse prevention.

Deletion on account close

When you close an account we delete datasets, models, and logs within 30 days. Billing records are retained for the period required by tax law (typically 7 years).

GPU providers

Soramai runs on top of vetted GPU infrastructure providers. We select providers that publish SOC 2 attestations and offer at-rest encryption. Customer workloads never leave that infrastructure during a job.

Region

Compute and object storage default to US regions. Multi-region storage with read-replica failover is available for enterprise plans.

Authentication

Accounts are protected by Firebase Authentication. Email + password and Google OAuth are supported today. Hardware security key and SSO/SAML support are on the roadmap.

API keys

Deploy and inference API keys are scoped to a single account and can be rotated or revoked from the dashboard. Keys are shown only once at creation.

Vulnerability reports

Email support@soramai.com with technical details, a proof of concept, and your contact info. We acknowledge reports within two business days and work in good faith with researchers acting in good faith.

Scope

In scope: soramai.com, the API at api.soramai.com, and the inference endpoints at *.inf.soramai.com. Out of scope: spam, social engineering of staff, denial-of-service, and findings only reachable with credentials you do not own.

Safe harbor

Research conducted under this policy is authorized and we will not pursue legal action for good-faith testing that respects user privacy, avoids data destruction, and follows responsible disclosure.