Defense in Depth

Built Secure by Default.

Enterprise-grade security across every layer — from your desktop to our cloud infrastructure.

  • Encryption at rest: AES-256
  • Encryption in transit: TLS 1.2+
  • RLS coverage: 100%

Security at a Glance

15 security controls across authentication, encryption, access control, and data protection — each independently enforced.

  • Authentication (OAuth + JWT): Implemented
  • CSRF Prevention (state parameter): Implemented
  • Token Encryption (OS Keychain): Implemented
  • Encryption in Transit (TLS 1.2+): Enforced
  • Encryption at Rest (AES-256): Enforced
  • Row Level Security (all tables): Enforced
  • Role-Based Access Control: Implemented
  • Multi-Tenant Data Isolation: Enforced
  • Webhook Signature Verification: Implemented
  • PII Stripping Pipeline: Implemented
  • Sensitive App Exclusion: Implemented
  • Service Key Isolation: Enforced
  • Code Signature Verification: Implemented
  • Audit Logging: Implemented
  • Automatic Token Cleanup: Implemented

Authentication

Separate authentication flows for desktop and web, each hardened against common attack vectors.

Desktop App

  • Secure OAuth-based flow with cryptographic state parameter
  • State parameter prevents CSRF attacks
  • Authentication must be initiated from the desktop app
  • Invalid/expired tokens automatically cleared
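
The desktop state-parameter check described above, as an added example (not the vendor's code). The class name, the 300-second lifetime and the authorize URL are assumptions; the URL is assumed to carry no query string of its own.

```python
import hmac
import secrets
import time

STATE_TTL_SECONDS = 300  # assumed lifetime; the page does not state one


class DesktopLogin:
    """Tracks the single login attempt this desktop app has started."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = None
        self._expires = 0.0

    def begin(self, authorize_url):
        """Mint an unguessable state and return the URL to open in the browser."""
        self._state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._expires = self._clock() + STATE_TTL_SECONDS
        return f"{authorize_url}?state={self._state}"

    def accept_callback(self, returned_state):
        """True only for the callback that answers the login begun here."""
        # Single use: the pending state is consumed whether or not it matches.
        expected, self._state = self._state, None
        if expected is None or not returned_state:
            return False  # nothing pending: the flow was not initiated here
        if self._clock() > self._expires:
            return False  # stale attempt
        # Constant-time comparison of the expected and returned values.
        return hmac.compare_digest(expected.encode(), returned_state.encode())
```

A callback that arrives with no pending state, a replayed state or an expired one is rejected before any token exchange takes place.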

Web App

  • JWT-based session management
  • Short-lived access tokens, long-lived refresh tokens
  • Automatic token refresh before expiration
  • Email/password and Google OAuth support

Encryption

All data is encrypted both in motion and at rest — no exceptions.

In Transit

  • TLS 1.2+ for all communication
  • WSS for realtime connections
  • API gateway with automatic TLS
  • 30-second timeout protection

At Rest

  • AES-256 cloud database encryption
  • AES-256 cloud storage encryption
  • OS-level disk encryption on desktop
  • Dedicated encryption keys for integration tokens

Data Isolation

Row Level Security is enabled on every database table. PostgreSQL-level enforcement means it cannot be bypassed by API calls or direct connections.

How it works

Your query → Filtered to your user ID

  • Company-scoped tables use company_id isolation
  • User-scoped activity data: even company admins cannot access individual employee desktop activity
  • Optimized STABLE SECURITY DEFINER wrapper functions for performance

Role-Based Access Control

6 permission levels with granular resource.action enforcement — in the UI and at the database level.

  • Level 100, Super Admin: Full system access
  • Level 80, Admin: Company-wide management
  • Level 60, Manager: Team/department management
  • Level 40, User: Standard feature access
  • Level 30, Learner: Learning features only
  • Level 20, Viewer: Read-only access

Permissions follow the resource.action pattern. Enforced both in UI and at database level.

API & Webhook Security

Every inbound webhook is cryptographically verified. Unverified requests are rejected, never processed.

  • Payment Provider: HMAC-SHA256 verification. Fails with HTTP 500 if secret missing
  • Integration Hub: HMAC-SHA256 with constant-time comparison. Falls back safely
  • Communications Provider: HMAC-SHA1 signature validation. Rejects if no match

All webhook handlers fail closed — unverified requests are rejected, never processed.
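
A fail-closed HMAC-SHA256 webhook check with constant-time comparison, as an added example (not the vendor's code). It assumes the provider signs the raw request body and sends a hex digest; the function names and the 401 status for bad signatures are assumptions, while the HTTP 500 for a missing secret follows the page.

```python
import hashlib
import hmac


class WebhookRejected(Exception):
    """Raised for any request that must not reach the business logic."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def verify_signature(secret, raw_body, signature_hex):
    """Return normally only when the HMAC-SHA256 of raw_body matches."""
    if not secret:
        # Fail closed: a missing secret is a server fault (HTTP 500 on the
        # page), never a reason to skip verification.
        raise WebhookRejected(500, "signing secret not configured")
    if not signature_hex:
        raise WebhookRejected(401, "signature header missing")  # assumed status
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    supplied = signature_hex.strip().lower()
    # compare_digest takes time independent of where the two values differ,
    # so response timing does not reveal how much of a forged MAC was right.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise WebhookRejected(401, "signature mismatch")  # assumed status


def handle_webhook(secret, raw_body, signature_hex, process):
    """Verify first, then process; return the HTTP status to send."""
    try:
        verify_signature(secret, raw_body, signature_hex)
    except WebhookRejected as rejected:
        return rejected.status
    process(raw_body)  # reached only after successful verification
    return 200
```

Verification runs over the bytes exactly as received; parsing and re-serializing the JSON before computing the MAC changes the input and breaks the check.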

API Security

  • Service keys restricted to server environments only
  • Secrets stored in encrypted vault
  • Anonymous key provides only RLS-gated access
  • JWT validation on all protected endpoints
  • 30-second fetch timeouts

Infrastructure

Every layer of our infrastructure is independently secured and isolated.

Database

  • VPC isolation
  • AES-256 at rest
  • Automated backups
  • Point-in-time recovery

Edge Functions

  • Sandboxed runtime
  • No filesystem access
  • Secrets in encrypted vault

Web Hosting

  • DDoS protection
  • Automatic HTTPS
  • CDN with edge caching

DNS

  • DDoS mitigation
  • SSL/TLS
  • DNS security

PII Stripping Pipeline

Seven-stage pipeline ensures personal data never reaches our servers. Multiple gates, each independently capable of blocking sensitive content.

Input: Raw text from screen

  1. Sensitive App Check: Blocked → Discard
  2. Private Window Check: Incognito → Discard
  3. Time Window Check: Outside hours → Discard
  4. PII Stripping: Emails, cards, SSNs, IPs, phones, tokens
  5. Title Truncation: Max 200 characters
  6. Text Truncation: Max 5,000 characters
  7. Hash Deduplication: Skip identical content

Output: Sanitized, truncated, deduplicated
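
The seven gates in order, as an added example (not the vendor's code). The blocklist, capture hours, regular expressions, event fields and the choice to hash the sanitized content are assumptions; the 200 and 5,000 character limits come from the page.

```python
import hashlib
import re
from datetime import time

SENSITIVE_APPS = {"Password Manager", "Banking"}  # constructed blocklist
CAPTURE_HOURS = (time(9, 0), time(18, 0))          # assumed capture window
MAX_TITLE, MAX_TEXT = 200, 5000                    # limits stated on the page
PII_PATTERNS = [  # illustrative, not exhaustive; cards run before phones
    (re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+"), "[TOKEN]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), "[CARD]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"(?:\+?\d{1,2}[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
     "[PHONE]"),
]


def sanitize(event, now, seen_hashes):
    """Run one capture through all seven gates; None means it was discarded."""
    if event["app"] in SENSITIVE_APPS:                    # 1. sensitive app
        return None
    if event.get("private_window", False):                # 2. private window
        return None
    if not CAPTURE_HOURS[0] <= now <= CAPTURE_HOURS[1]:   # 3. time window
        return None
    title, text = event["title"], event["text"]
    for pattern, label in PII_PATTERNS:                   # 4. PII stripping
        title, text = pattern.sub(label, title), pattern.sub(label, text)
    title = title[:MAX_TITLE]                             # 5. title truncation
    text = text[:MAX_TEXT]                                # 6. text truncation
    # 7. Deduplicate on a hash of the already-sanitized content, so raw PII
    #    never feeds the digest (what gets hashed is an assumption here).
    digest = hashlib.sha256(f"{title}\x00{text}".encode()).hexdigest()
    if digest in seen_hashes:
        return None
    seen_hashes.add(digest)
    return {"app": event["app"], "title": title, "text": text, "hash": digest}


SAMPLE = {  # constructed capture, not real data
    "app": "Editor", "title": "Notes for jane@example.com",
    "text": "Call 555-867-5309 from 192.0.2.10, card 4111 1111 1111 1111, "
            "SSN 078-05-1120.",
}
```

Stripping runs before truncation, so a value that straddles the 200 or 5,000 character boundary is replaced whole rather than cut in half and left partly readable.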

Audit Trail

Every significant action is logged with full context for compliance and debugging.

Category: Fields Logged

  • LLM Usage: Model, token counts, estimated cost, source function
  • Action Execution: Type, success/failure, error messages, duration
  • Webhook Events: Provider, trigger type, processed status
  • Authentication: Login events, token refresh, auth failures
  • Data Sync: Items synced per cycle, success/failure

Responsible Disclosure

We take security reports seriously. If you discover a vulnerability, we want to hear about it.

Response commitment: All reports acknowledged within 48 hours.

Guidelines for Researchers

  • Report vulnerabilities privately — do not disclose publicly
  • Do not access or modify other users' data
  • Provide clear reproduction steps

Questions about our security architecture?

Our team is happy to walk you through it.