# Security Posture > How SynthBoard handles authentication, data isolation, encryption, model providers, tool-execution governance, vulnerability disclosure, and compliance. The full posture, not the marketing version. **Canonical URL:** https://www.synthboard.ai/docs/security **Markdown source:** https://www.synthboard.ai/docs/security.md **Security disclosures:** security@synthboard.ai ## Authentication - **Email + password** with bcrypt (cost 12). - **Google OAuth** for sign-in. - **Magic links** with single-use tokens. - **MFA via TOTP** (available on Pro+, required on Enterprise). - **Session cookies** are HttpOnly, Secure, SameSite=Lax, with rotating tokens on auth events. For the API: scoped Bearer tokens with environment isolation (`sk_synth_live_*` vs `sk_synth_test_*`). For MCP: OAuth 2.1 with PKCE. ## Data isolation All user-facing tables enforce per-user data isolation at the database layer. Even if application code is compromised, the database refuses to return cross-tenant data. - Session data → tenant-scoped (`user_id` or `workspace_id`). - Integration tokens → encrypted at rest, tenant-scoped. - Audit logs → tenant-scoped, append-only. - Cross-session memory → strictly per-user. We never share data across tenants. Synth evolution that benefits all users is computed on aggregated, anonymized signal only — never on individual session content. ## Encryption - **At rest:** AES-256. - **In transit:** TLS 1.3 (legacy 1.2 supported only for compatibility, no SSL). - **Integration tokens:** double-encrypted (envelope encryption with rotating KEKs). - **Database backups:** encrypted, 30-day retention, tested quarterly. ## Model providers We use OpenAI, Anthropic, and Google as model providers. With each: - **Zero Data Retention** agreements where available (Anthropic, OpenAI Enterprise tier). - **No model training on customer data.** Confirmed contractually with each provider. - **Provider failover:** if one provider is degraded, Synths fall back to alternate models on a different provider so sessions complete. We do not use customer data to fine-tune models, ours or our providers'. Period. ## Tool-execution governance When a session executes an action against an integration (send email, create ticket, post message): - **Per-tool approval pipeline.** Read-only by default, write requires explicit approval per action class. - **Risk tiering.** Operations are tiered low/standard/high. High-risk operations require dual confirmation. - **Provenance.** Every action records who approved, when, what session produced it, what the inputs were. - **Reversibility.** Standard write operations are reversible inside 30 seconds via undo. - **Rate limits.** Per-integration, per-account caps prevent runaway action loops. - **Audit log.** Every action logged. Exportable on Ultra+ tiers. ## Vulnerability disclosure We honor responsible disclosure. Send to security@synthboard.ai. - **Initial response:** within 24 hours. - **Triage and severity assessment:** within 72 hours. - **Fix timeline:** - Critical: within 7 days. - High: within 30 days. - Medium: within 90 days. - Low: next regular release cycle. - **Bounty:** we do not currently run a paid bug bounty. We acknowledge researchers publicly with permission. In scope: - synthboard.ai and all subdomains. - The MCP server, REST API, and webhook handlers. Out of scope (unless they lead to a real security issue): - Self-XSS that requires user paste. - Missing security headers without proven impact. - Rate limiting on non-sensitive endpoints. ## Compliance - **GDPR.** DPA available on request. EU SCCs included. Data residency on enterprise. - **CCPA.** Full subject-access rights workflow. - **SOC 2.** Controls aligned. Type 2 report on request under NDA (in progress). - **HIPAA.** Not currently certified. Do not upload PHI to SynthBoard. ## Backup & disaster recovery - Database backups: every 6 hours, 30-day retention, encrypted, geographically distributed. - Object storage: replicated across regions with versioning. - Disaster-recovery target: RPO 6 hours, RTO 4 hours. - Backup restore tested quarterly. ## Penetration testing - Annual third-party penetration test. - Internal security review before every major release. - Automated dependency scanning (Snyk + GitHub Advanced Security). - Static analysis on every PR. ## Incident response - 24-hour customer-impact incident notification SLA. - Public status page when published: status.synthboard.ai. - Post-incident reports for any P1 or P2 incident. ## What we will not do - We will not sell user data. - We will not silently train models on session content. - We will not auto-execute high-risk actions without explicit approval. - We will not weaken cryptography or auth standards for compatibility. - We will not bypass database-layer access controls for engineering convenience. Privileged access is audited. ## Related - [Privacy policy](https://www.synthboard.ai/legal/privacy) - [Terms of service](https://www.synthboard.ai/legal/terms) - [Security overview (legal)](https://www.synthboard.ai/legal/security) - [Enterprise](https://www.synthboard.ai/enterprise) ## How to cite this page > SynthBoard security posture — https://www.synthboard.ai/docs/security Site: https://www.synthboard.ai