Secure Software Development Lifecycle (SDLC)
Effective date: January 1, 2026
Applies to: sayhii software systems used to deliver the Services
1. Purpose
sayhii is committed to building and operating the sayhii Services securely. This customer-facing document summarizes the principles and practices we follow to design, develop, review, test, and release software with security in mind.
This document is intentionally high-level. Internal procedures and tooling may evolve over time without changing the intent of these commitments.
2. Scope
This document applies to the development and maintenance of sayhii software systems, including:
- Backend services and APIs
- Web applications
- Desktop and mobile applications (if applicable)
- Analytics and data processing used to deliver the Services
3. Secure Development Principles
sayhii follows these principles when developing software:
- Shared responsibility: Security is a responsibility of all contributors.
- Risk-based approach: Higher-risk changes receive additional scrutiny and validation.
- Least privilege and isolation: Systems are designed to reduce unnecessary access and limit the impact of failures.
- Defense in depth: We employ multiple layers of controls rather than relying on a single safeguard.
- Continuous improvement: We review and improve practices based on learnings and product evolution.
4. Risk Awareness
Certain changes are treated as higher risk and receive increased security-focused attention. Examples include changes involving:
- Authentication and authorization
- Handling of personal data
- Data access boundaries and tenant isolation
- Anonymization or aggregation logic
- Security-sensitive configuration
Risk considerations are evaluated during design and review based on the potential impact of the change.
5. Secure Design Considerations
When designing or modifying software, sayhii considers security implications as a normal part of design activities, including:
- Data exposure and sensitivity
- Authentication and authorization boundaries
- Tenant isolation and cross-organization access controls
- Encryption in transit and at rest
- Safe handling of secrets and credentials
- Application of anonymization and aggregation rules for reporting
6. Development and Review Practices
sayhii maintains a controlled development workflow intended to promote quality and accountability. As part of this workflow:
- Code changes are reviewed prior to release.
- Reviews consider functional correctness, maintainability, and security implications.
- Access to deploy and modify production systems is restricted to authorized personnel.
For higher-risk changes, additional review or validation steps may be performed.
7. Testing and Validation
Changes are validated prior to production release through a combination of practices appropriate to the change and its risk profile, which may include:
- Automated checks (builds, tests, and other validations)
- Manual functional verification
- Testing in non-production environments prior to production release
8. Release and Deployment Controls
Production releases are performed in a controlled manner:
- Releases are executed by authorized personnel.
- Deployment activity is logged through engineering systems.
- Emergency changes may be deployed to address urgent issues; such changes are reviewed after deployment to confirm correctness and identify improvements.
9. Monitoring and Response
After release, the Services are monitored using operational telemetry and customer feedback channels. Identified issues are investigated and addressed. Where appropriate, mitigations may include reverting changes, restoring prior versions, or disabling affected functionality.
10. Vulnerability Management
sayhii evaluates reported security concerns and identified weaknesses (including third-party dependency issues) for potential impact and remediates them in a timely manner based on severity and risk.
11. Review and Updates
This customer-facing description summarizes relevant internal policies and practices. sayhii’s internal policies are reviewed periodically, and this description is updated as necessary to reflect material changes.
For related practices, see the customer-facing overviews in Incident Response and Data Privacy, Retention, and Destruction.