Security

Last updated: March 2026

At Isyncso, security is foundational — not an afterthought. We protect your data with enterprise-grade practices at every layer of our infrastructure. This page outlines our security posture so you can make informed decisions about trusting us with your data.

1. Encryption

In transit

All data transmitted between your device and our servers is encrypted using TLS 1.3. We enforce HTTPS on all endpoints and use HSTS headers to prevent protocol downgrade attacks.

At rest

All data stored in our databases and file storage is encrypted at rest using AES-256 encryption. Database backups are also encrypted. Encryption keys are managed through dedicated key management services and are rotated regularly.

2. Infrastructure

  • Our platform runs on Supabase and Vercel, both of which maintain SOC 2 Type II compliance.
  • Edge functions execute in isolated environments with no shared state between tenants.
  • Database access is restricted through row-level security (RLS) policies, ensuring users can only access their own data.
  • All infrastructure is provisioned as code, with changes reviewed and audited.
  • We use automated vulnerability scanning on dependencies and container images.

3. Authentication & Access Control

  • User passwords are hashed using bcrypt with industry-standard work factors.
  • Session tokens are securely generated and stored with appropriate expiration.
  • API keys are scoped to specific permissions and can be revoked at any time.
  • Internal access to production systems requires multi-factor authentication (MFA) and is limited to essential personnel.
  • We follow the principle of least privilege for all internal access.

4. Application Security

  • All user inputs are validated and sanitised to prevent injection attacks.
  • We implement CSRF protection, Content Security Policy (CSP), and other security headers.
  • Dependencies are monitored for known vulnerabilities and updated promptly.
  • Code changes go through mandatory peer review before deployment.
  • AI model interactions are sandboxed and do not have direct access to raw user data outside of the request context.

5. Data Protection

  • Customer data is logically isolated. Multi-tenant architecture uses row-level security to enforce strict tenant boundaries.
  • We perform regular automated backups with point-in-time recovery capability.
  • Data retention policies ensure data is purged when no longer needed.
  • You can export or delete your data at any time through your account settings, in accordance with our Privacy Policy.

6. Incident Response

We maintain a documented incident response plan that includes:

  • Detection — automated monitoring and alerting for anomalous activity.
  • Containment — immediate isolation of affected systems to prevent spread.
  • Investigation — root cause analysis with full audit trail review.
  • Notification — affected users and relevant authorities are notified within 72 hours of confirmed breaches, in compliance with GDPR.
  • Remediation — corrective actions implemented and documented to prevent recurrence.

7. Compliance

  • We comply with the General Data Protection Regulation (GDPR) for EU/UK users.
  • Our infrastructure providers maintain SOC 2 Type II and ISO 27001 certifications.
  • We are building Sentinel, our EU AI Act compliance engine, to meet emerging AI regulations.

8. Responsible Disclosure

We value the security research community and welcome responsible disclosure of vulnerabilities. If you discover a security issue, please report it to us privately:

Report a vulnerability

Email: security@isyncso.com

We ask that you:

  • Provide sufficient detail for us to reproduce and address the issue.
  • Allow reasonable time for us to investigate and fix before public disclosure.
  • Do not access or modify other users' data during your research.

We commit to acknowledging reports within 48 hours and providing updates as we investigate.

9. Contact

For security-related questions or concerns, contact:

Isyncso Limited

Security: security@isyncso.com

General: privacy@isyncso.com