Security
Version 2.0 Last Updated: March 8, 2026
Our Commitment to Security
At SynthBoard AI, security is not an afterthought—it's foundational. We implement enterprise-grade security measures to protect your data, ensure platform integrity, and maintain trust. This page outlines our security practices, your responsibilities, and how to report vulnerabilities.
1. Security Architecture
1.1 Infrastructure Security
Cloud Hosting:
- Vercel: Edge-optimized infrastructure with global CDN
- Supabase: PostgreSQL database with row-level security (RLS)
- 99.9% uptime SLA with automatic failover and redundancy
Network Security:
- TLS 1.3 encryption for all data in transit
- HTTPS enforced on all endpoints
- DDoS protection and rate limiting
- Web Application Firewall (WAF) enabled
Data Security:
- AES-256 encryption for data at rest
- Encrypted backups with secure key management
- Isolated database environments (production/staging)
- Regular automated backups (every 6 hours)
1.2 Application Security
Authentication:
- OAuth 2.0 with Google and GitHub
- Sessions carried in httpOnly cookies, so page scripts cannot read the session token
- Short-lived JWTs (1-hour expiry)
- Multi-factor authentication (MFA) support
Authorization:
- Row-level security (RLS) policies in Supabase
- Role-based access control (RBAC)
- Principle of least privilege
- API key rotation and scoping
Input Validation:
- Strict input sanitization and validation
- Protection against SQL injection, XSS, CSRF
- Content Security Policy (CSP) headers
- Rate limiting on all API endpoints
2. Data Protection
2.1 Data Classification
Highly Sensitive:
- Authentication credentials (managed by Supabase Auth)
- Payment information (never stored; handled by Paddle)
- API keys (encrypted at rest)
Sensitive:
- AI session transcripts
- User prompts and outputs
- Email addresses
- Analytics and usage data
Public:
- Public profile information (if opted-in)
- Shared sessions (with explicit user consent)
2.2 Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Active sessions | Until user deletes | Soft delete → hard delete after 30 days |
| Deleted sessions | 30 days (recoverable) | Permanent deletion from the live database; copies in encrypted backups expire with the backup (90 days) |
| Account data | While account is active | Full deletion within 90 days of account closure |
| Logs and analytics | 90 days | Automated purge |
| Backups | 90 days | Encrypted, auto-deleted |
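The authorization model in section 1.2 (row-level security, least privilege) and the soft-delete row in the retention table above fit together naturally in one Supabase migration. The following is an added example, not SynthBoard's own schema or policies: the `sessions` table, its columns, the policy names and the nightly purge schedule are assumptions; `auth.uid()`, the `authenticated` role and pg_cron's `cron.schedule` are provided by Supabase/Postgres.

```sql
-- Added illustration, not SynthBoard's schema. Table and column names
-- are assumptions; auth.uid() is Supabase's helper that returns the
-- caller's user id from the request JWT, and "authenticated" is the
-- role Supabase uses for signed-in API callers.

create table if not exists public.sessions (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null references auth.users (id) on delete cascade,
  title       text not null,
  transcript  jsonb not null default '[]'::jsonb,
  created_at  timestamptz not null default now(),
  deleted_at  timestamptz            -- null = active; set by soft delete
);

-- Deny by default: once RLS is on, a table with no policies returns no
-- rows to API roles, so every access path below is an explicit grant.
alter table public.sessions enable row level security;

-- Owners see their own rows, including soft-deleted ones, so the client
-- can offer "restore" during the 30-day window. The normal session list
-- adds "and deleted_at is null" in its query; other users' rows are never
-- reachable regardless of what the client asks for.
create policy "sessions_select_own"
  on public.sessions for select
  to authenticated
  using (user_id = (select auth.uid()));

create policy "sessions_insert_as_self"
  on public.sessions for insert
  to authenticated
  with check (user_id = (select auth.uid()));

-- Soft delete and restore are both updates of deleted_at; the WITH CHECK
-- clause stops an update from re-homing a row to another user_id.
create policy "sessions_update_own"
  on public.sessions for update
  to authenticated
  using (user_id = (select auth.uid()))
  with check (user_id = (select auth.uid()));

-- No DELETE policy for "authenticated": callers can only soft delete.
-- Hard deletes happen in the retention job below, which runs as the
-- table owner and is therefore not subject to these policies.

-- What the client runs (parameters bound by the API layer, never
-- concatenated into the query text):
--   update public.sessions set deleted_at = now() where id = $1;  -- delete
--   update public.sessions set deleted_at = null  where id = $1;  -- restore

-- Retention job: purge rows soft-deleted more than 30 days ago, every
-- night at 03:00 (server time). Assumes the pg_cron extension is enabled.
select cron.schedule(
  'purge_deleted_sessions',
  '0 3 * * *',
  $$ delete from public.sessions
     where deleted_at is not null
       and deleted_at < now() - interval '30 days' $$
);
```

One detail worth checking when writing policies like these: Postgres applies the SELECT policies to an UPDATE whose WHERE clause reads existing columns, so hiding soft-deleted rows in the SELECT policy would also make them impossible to restore. Keeping them visible to their owner and filtering in the application query, as above, avoids that trap.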
2.3 Data Access Controls
Internal Access:
- No employees have default access to user data
- Access granted only for support tickets (with user consent)
- All access logged and audited
- Background checks for personnel with potential access
Third-Party Access:
- AI providers (Anthropic, OpenAI, Google, Perplexity) process data per their security policies
- Payment processor (Paddle) handles payment data securely
- Subprocessors listed in our Privacy Policy
3. Compliance and Certifications
3.1 Regulatory Compliance
GDPR (General Data Protection Regulation):
- Data processing agreements with all processors
- Privacy by design and default
- Right to access, rectification, erasure, and portability
- Data Protection Impact Assessments (DPIA) conducted
CCPA (California Consumer Privacy Act):
- Transparency in data collection and use
- Right to opt-out (we don't sell data)
- Non-discrimination for exercising privacy rights
3.2 Industry Standards
We follow security best practices including:
- OWASP Top 10: Protection against common web vulnerabilities
- NIST Cybersecurity Framework: Risk management and controls
- SOC 2 Type II: Independent security audit
- ISO 27001: Information security management
4. Security Monitoring
4.1 Threat Detection
Automated Monitoring:
- Continuous security monitoring and alerting
- Anomaly detection for unusual access patterns
- Threat intelligence integration
- Automated incident response workflows
Logging and Auditing:
- Comprehensive audit logs for all critical actions
- Centralized log management with retention
- Regular log analysis and review
- Append-only, tamper-evident logging (records cannot be altered or deleted once written)
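The two logging properties above, an audit trail that application credentials cannot rewrite and anomaly detection over access patterns, can both be enforced in the database. The following is an added example and not SynthBoard's own schema, job or thresholds: the `audit_log` table, the action names, the "3 distinct IPs or 200 reads per hour" rule and the trigger name are assumptions; `auth.uid()` and the `anon`/`authenticated` roles are Supabase's.

```sql
-- Added illustration, not SynthBoard's schema. Names, the action
-- vocabulary and the thresholds are assumptions; auth.uid() and the
-- "anon"/"authenticated" roles are Supabase's.

create table if not exists public.audit_log (
  id           bigint generated always as identity primary key,
  occurred_at  timestamptz not null default now(),
  actor_id     uuid,                 -- null for unauthenticated events
  action       text not null,        -- e.g. 'session.read', 'login.failed'
  target_id    uuid,                 -- e.g. the session that was read
  ip           inet,
  user_agent   text
);

-- Least privilege for the API roles: insert and read only. Supabase
-- grants broad table privileges to these roles by default, so revoke
-- first and then grant back exactly what is needed.
revoke all on public.audit_log from anon, authenticated;
grant insert, select on public.audit_log to authenticated;

alter table public.audit_log enable row level security;

create policy "audit_insert_as_self"
  on public.audit_log for insert
  to authenticated
  with check (actor_id = (select auth.uid()));

create policy "audit_select_own"
  on public.audit_log for select
  to authenticated
  using (actor_id = (select auth.uid()));

-- Immutable records: refuse UPDATE and DELETE for every role, including
-- the table owner. The 90-day purge (section 2.2) therefore has to run
-- with this trigger disabled, which keeps row deletion an explicit
-- maintenance step rather than something any connection can do.
create or replace function public.audit_log_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_log is append-only: % rejected', tg_op;
end;
$$;

create trigger audit_log_no_rewrite
  before update or delete on public.audit_log
  for each row execute function public.audit_log_immutable();

-- Anomaly detection over the last hour, run on a schedule as the table
-- owner (which bypasses RLS): flag any actor whose session reads came
-- from more than 3 distinct IP addresses, or who read more than 200
-- sessions. Route hits to alerting; tune thresholds against real traffic.
select
  actor_id,
  count(*)                      as reads,
  count(distinct ip)            as distinct_ips,
  array_agg(distinct host(ip))  as ip_list,
  min(occurred_at)              as first_seen,
  max(occurred_at)              as last_seen
from public.audit_log
where action = 'session.read'
  and occurred_at >= now() - interval '1 hour'
group by actor_id
having count(distinct ip) > 3
    or count(*) > 200
order by distinct_ips desc, reads desc;
```

The trigger is the part that makes "tamper-evident" a property of the data rather than of the application: a compromised API credential holds only INSERT and SELECT, and even a direct database session cannot silently edit a row without first dropping or disabling the trigger.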
4.2 Vulnerability Management
Regular Security Testing:
- Automated vulnerability scanning (weekly)
- Dependency scanning for known CVEs
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Periodic penetration testing by third-party firms
Patch Management:
- Critical security patches applied within 24 hours
- High-priority patches within 7 days
- Regular updates to dependencies and libraries
- Zero-day vulnerability response protocol
5. Incident Response
5.1 Incident Response Plan
In the event of a security incident:
Detection (0-1 hour):
- Automated alerts trigger incident response
- Security team notified immediately
- Initial assessment and classification
Containment (1-4 hours):
- Isolate affected systems
- Prevent further damage or data exposure
- Preserve evidence for investigation
Investigation (4-24 hours):
- Root cause analysis
- Determine scope and impact
- Identify affected users
Notification (24-72 hours):
- Notify affected users via email
- Publish incident report (for major incidents)
- Report to regulatory authorities (if required)
Remediation (Ongoing):
- Fix vulnerabilities and weaknesses
- Implement additional controls
- Monitor for recurrence
- Post-incident review and lessons learned
5.2 Data Breach Notification
If a data breach affects your personal information:
- Notification within 72 hours via email
- Details of the breach (what data was affected)
- Steps we're taking to remediate
- Actions you should take (e.g., password reset)
- Contact information for questions
6. Your Security Responsibilities
6.1 Account Security Best Practices
Passwords:
- Use strong, unique passwords (12+ characters)
- Avoid reusing passwords across services
- Consider using a password manager
- Never share your password with anyone
Authentication:
- Enable MFA/2FA when available
- Use secure OAuth providers (Google, GitHub)
- Log out on shared or public devices
- Review active sessions regularly
Awareness:
- Be cautious of phishing emails (we never ask for passwords via email)
- Verify email sender addresses (legitimate emails come from @synthboard.ai). The From address alone can be forged, so never follow a password or billing link from an email; open synthboard.ai directly instead
- Report suspicious activity immediately
- Keep your email account secure (it's your recovery method)
7. Third-Party Security
7.1 AI Provider Security
Our AI providers implement robust security:
Anthropic Claude:
- SOC 2 Type II certified
- GDPR compliant
- Data encrypted in transit and at rest
- anthropic.com/security
OpenAI:
- SOC 2 Type II certified
- Enterprise-grade infrastructure
- Data retention controls
- openai.com/security
Google Gemini:
- Enterprise-grade Google Cloud infrastructure
- GDPR compliant
- ai.google/responsibility
Perplexity:
- Secure API infrastructure
- Privacy-focused processing
- perplexity.ai/security
7.2 Payment Security
Paddle Payment Processing:
- PCI DSS compliant
- We never store credit card numbers
- Paddle acts as Merchant of Record, handling all payment data securely
- Fraud prevention and chargeback management included
8. Security Features
8.1 Current Features
- ✅ OAuth 2.0 authentication (Google, GitHub)
- ✅ Encrypted data transmission (TLS 1.3)
- ✅ Row-level security (RLS) in database
- ✅ Rate limiting on API endpoints
- ✅ Secure session management
- ✅ Audit logging for critical actions
- ✅ Automated backups
- ✅ DDoS protection
8.2 Enterprise Security
- Multi-factor authentication (MFA)
- IP whitelisting for team accounts
- Advanced audit logs (exportable)
- SOC 2 Type II certification
- Session timeout controls
- Single Sign-On (SSO) for enterprise
- End-to-end encryption for sessions (E2EE)
9. Responsible Disclosure
9.1 Report a Vulnerability
We welcome responsible disclosure of security vulnerabilities.
How to Report:
- Email: security@synthboard.ai
- Subject: "Security Vulnerability Report"
- Include:
- Detailed description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested remediation (optional)
- Your contact information
PGP Key (for sensitive reports):
Available at: https://synthboard.ai/pgp-key.txt
Fingerprint: Available upon request via security@synthboard.ai
9.2 Our Commitment
Response Timeline:
- Initial acknowledgment: Within 24 hours
- Preliminary assessment: Within 72 hours
- Status updates: Weekly until resolved
- Resolution: Critical issues within 7 days; others within 30 days
Recognition:
- Public acknowledgment (if desired) in our Security Hall of Fame
- Reward consideration for valid, high-impact vulnerability reports
What We Ask:
- Give us reasonable time to fix issues before public disclosure
- Do not exploit vulnerabilities or access user data
- Do not perform DoS/DDoS attacks
- Act in good faith and comply with applicable laws
10. Security Resources
10.1 Policies and Documentation
10.2 Security Updates
Stay informed:
- Status Page: status.synthboard.ai
- Security Advisories: Published for critical vulnerabilities
- Changelog: synthboard.ai/changelog
10.3 Contact
- General Security Questions: security@synthboard.ai
- Vulnerability Reports: security@synthboard.ai
- Compliance Inquiries: compliance@synthboard.ai
- Privacy Requests: privacy@synthboard.ai
11. Security Culture
11.1 Our Principles
Security by Design:
- Security considerations in every feature
- Threat modeling during development
- Security awareness across the team
Transparency:
- Open communication about security practices
- Timely disclosure of incidents
- Public security documentation
Continuous Improvement:
- Periodic security reviews and testing
- Learn from incidents and near-misses
- Adopt emerging best practices
11.2 User Trust
Your trust is our most valuable asset. We are committed to:
- Protecting your data as if it were our own
- Being transparent about our security practices
- Continuously improving our security posture
- Responding quickly to threats and vulnerabilities
12. Certifications
| Certification | Standard |
|---|---|
| SOC 2 Type II | Independent security audit |
| ISO 27001 | Information security management |
| EU-US Data Privacy Framework | Transatlantic data protection |
13. Frequently Asked Questions
Q: Do you encrypt my AI conversations? A: Yes, all data is encrypted in transit (TLS 1.3) and at rest (AES-256). Note that this protects data on our infrastructure; the AI provider you select still receives your prompt in readable form to generate a response. It is sent to them over TLS and handled under their own security policies (see section 7.1).
Q: Can SynthBoard employees see my sessions? A: No, by default. Access is only granted for support requests with your explicit consent, and all access is logged.
Q: What happens if there's a data breach? A: We will notify you within 72 hours, explain what happened, and provide remediation steps.
Q: Do you sell my data to third parties? A: Absolutely not. We never sell user data.
Q: How do I delete my data? A: You can delete sessions individually or close your account. Data is permanently deleted within 90 days.
Q: Are you GDPR compliant? A: Yes, we comply with GDPR, including data processing agreements and user rights.
Q: Do you have a bug bounty program? A: We recognize responsible disclosures publicly in our Security Hall of Fame. Contact security@synthboard.ai to report vulnerabilities.
14. Security Hall of Fame
We recognize security researchers who responsibly disclose vulnerabilities:
We will list recognized researchers here as our program grows.
Security is a shared responsibility. Thank you for helping us keep SynthBoard AI safe and secure.
For urgent security matters: security@synthboard.ai