# Security

**Version 2.0**  
**Last Updated: March 8, 2026**

## Our Commitment to Security

At SynthBoard AI, security is not an afterthought—it's foundational. We implement enterprise-grade security measures to protect your data, ensure platform integrity, and maintain trust. This page outlines our security practices, your responsibilities, and how to report vulnerabilities.

---

## 1. Security Architecture

### 1.1 Infrastructure Security

**Cloud Hosting:**
- **Vercel**: Edge-optimized infrastructure with global CDN
- **Supabase**: PostgreSQL database with row-level security (RLS)
- **99.9% uptime SLA** with automatic failover and redundancy

**Network Security:**
- TLS 1.3 encryption for all data in transit
- HTTPS enforced on all endpoints
- DDoS protection and rate limiting
- Web Application Firewall (WAF) enabled

**Data Security:**
- AES-256 encryption for data at rest
- Encrypted backups with secure key management
- Isolated database environments (production/staging)
- Regular automated backups (every 6 hours)

### 1.2 Application Security

**Authentication:**
- OAuth 2.0 with Google and GitHub
- Secure session management with httpOnly cookies
- JWT tokens with short expiration (1 hour)
- Multi-factor authentication (MFA) support

**Authorization:**
- Row-level security (RLS) policies in Supabase
- Role-based access control (RBAC)
- Principle of least privilege
- API key rotation and scoping

**Input Validation:**
- Strict input sanitization and validation
- Protection against SQL injection, XSS, CSRF
- Content Security Policy (CSP) headers
- Rate limiting on all API endpoints

---

## 2. Data Protection

### 2.1 Data Classification

**Highly Sensitive:**
- Authentication credentials (managed by Supabase Auth)
- Payment information (never stored; handled by Paddle)
- API keys (encrypted at rest)

**Sensitive:**
- AI session transcripts
- User prompts and outputs
- Email addresses
- Analytics and usage data

**Public:**
- Public profile information (if opted-in)
- Shared sessions (with explicit user consent)

### 2.2 Data Retention

| Data Type | Retention Period | Deletion Method |
|-----------|------------------|----------------|
| Active sessions | Until user deletes | Soft delete → hard delete after 30 days |
| Deleted sessions | 30 days (recoverable) | Permanent deletion from all backups |
| Account data | While account is active | Full deletion within 90 days of account closure |
| Logs and analytics | 90 days | Automated purge |
| Backups | 90 days | Encrypted, auto-deleted |

### 2.3 Data Access Controls

**Internal Access:**
- No employees have default access to user data
- Access granted only for support tickets (with user consent)
- All access logged and audited
- Background checks for personnel with potential access

**Third-Party Access:**
- AI providers (Anthropic, OpenAI, Google, Perplexity) process data per their security policies
- Payment processor (Paddle) handles payment data securely
- Subprocessors listed in our Privacy Policy

---

## 3. Compliance and Certifications

### 3.1 Regulatory Compliance

**GDPR (General Data Protection Regulation):**
- Data processing agreements with all processors
- Privacy by design and default
- Right to access, rectification, erasure, and portability
- Data Protection Impact Assessments (DPIA) conducted

**CCPA (California Consumer Privacy Act):**
- Transparency in data collection and use
- Right to opt-out (we don't sell data)
- Non-discrimination for exercising privacy rights

### 3.2 Industry Standards

We follow security best practices including:
- **OWASP Top 10**: Protection against common web vulnerabilities
- **NIST Cybersecurity Framework**: Risk management and controls
- **SOC 2 Type II**: Independent security audit
- **ISO 27001**: Information security management

---

## 4. Security Monitoring

### 4.1 Threat Detection

**Automated Monitoring:**
- Continuous security monitoring and alerting
- Anomaly detection for unusual access patterns
- Threat intelligence integration
- Automated incident response workflows

**Logging and Auditing:**
- Comprehensive audit logs for all critical actions
- Centralized log management with retention
- Regular log analysis and review
- Tamper-proof logging (immutable records)

### 4.2 Vulnerability Management

**Regular Security Testing:**
- Automated vulnerability scanning (weekly)
- Dependency scanning for known CVEs
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Periodic penetration testing by third-party firms

**Patch Management:**
- Critical security patches applied within 24 hours
- High-priority patches within 7 days
- Regular updates to dependencies and libraries
- Zero-day vulnerability response protocol

---

## 5. Incident Response

### 5.1 Incident Response Plan

In the event of a security incident:

**Detection (0-1 hour):**
- Automated alerts trigger incident response
- Security team notified immediately
- Initial assessment and classification

**Containment (1-4 hours):**
- Isolate affected systems
- Prevent further damage or data exposure
- Preserve evidence for investigation

**Investigation (4-24 hours):**
- Root cause analysis
- Determine scope and impact
- Identify affected users

**Notification (24-72 hours):**
- Notify affected users via email
- Publish incident report (for major incidents)
- Report to regulatory authorities (if required)

**Remediation (Ongoing):**
- Fix vulnerabilities and weaknesses
- Implement additional controls
- Monitor for recurrence
- Post-incident review and lessons learned

### 5.2 Data Breach Notification

If a data breach affects your personal information:
- **Notification within 72 hours** via email
- Details of the breach (what data was affected)
- Steps we're taking to remediate
- Actions you should take (e.g., password reset)
- Contact information for questions

---

## 6. Your Security Responsibilities

### 6.1 Account Security Best Practices

**Passwords:**
- Use strong, unique passwords (12+ characters)
- Avoid reusing passwords across services
- Consider using a password manager
- Never share your password with anyone

**Authentication:**
- Enable MFA/2FA when available
- Use secure OAuth providers (Google, GitHub)
- Log out on shared or public devices
- Review active sessions regularly

**Awareness:**
- Be cautious of phishing emails (we never ask for passwords via email)
- Verify email sender addresses (legitimate emails come from @synthboard.ai)
- Report suspicious activity immediately
- Keep your email account secure (it's your recovery method)

---

## 7. Third-Party Security

### 7.1 AI Provider Security

Our AI providers implement robust security:

**Anthropic Claude:**
- SOC 2 Type II certified
- GDPR compliant
- Data encrypted in transit and at rest
- [anthropic.com/security](https://www.anthropic.com/security)

**OpenAI:**
- SOC 2 Type II certified
- Enterprise-grade infrastructure
- Data retention controls
- [openai.com/security](https://openai.com/security)

**Google Gemini:**
- Enterprise-grade Google Cloud infrastructure
- GDPR compliant
- [ai.google/responsibility](https://ai.google/responsibility/)

**Perplexity:**
- Secure API infrastructure
- Privacy-focused processing
- [perplexity.ai/security](https://www.perplexity.ai/security)

### 7.2 Payment Security

**Paddle Payment Processing:**
- PCI DSS compliant
- We never store credit card numbers
- Paddle acts as Merchant of Record, handling all payment data securely
- Fraud prevention and chargeback management included

---

## 8. Security Features

### 8.1 Current Features

- ✅ OAuth 2.0 authentication (Google, GitHub)
- ✅ Encrypted data transmission (TLS 1.3)
- ✅ Row-level security (RLS) in database
- ✅ Rate limiting on API endpoints
- ✅ Secure session management
- ✅ Audit logging for critical actions
- ✅ Automated backups
- ✅ DDoS protection

### 8.2 Enterprise Security

- Multi-factor authentication (MFA)
- IP whitelisting for team accounts
- Advanced audit logs (exportable)
- SOC 2 Type II certification
- Session timeout controls
- Single Sign-On (SSO) for enterprise
- End-to-end encryption for sessions (E2EE)

---

## 9. Responsible Disclosure

### 9.1 Report a Vulnerability

We welcome responsible disclosure of security vulnerabilities.

**How to Report:**
- **Email:** security@synthboard.ai
- **Subject:** "Security Vulnerability Report"
- **Include:**
  - Detailed description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested remediation (optional)
  - Your contact information

**PGP Key (for sensitive reports):**
- **Key:** [synthboard.ai/pgp-key.txt](https://synthboard.ai/pgp-key.txt)
- **Fingerprint:** Available upon request via security@synthboard.ai

### 9.2 Our Commitment

**Response Timeline:**
- **Initial acknowledgment:** Within 24 hours
- **Preliminary assessment:** Within 72 hours
- **Status updates:** Weekly until resolved
- **Resolution:** Critical issues within 7 days; others within 30 days

**Recognition:**
- Public acknowledgment (if desired) in our Security Hall of Fame
- Reward consideration for valid, high-impact vulnerability reports

**What We Ask:**
- Give us reasonable time to fix issues before public disclosure
- Do not exploit vulnerabilities or access user data
- Do not perform DoS/DDoS attacks
- Act in good faith and comply with applicable laws

---

## 10. Security Resources

### 10.1 Policies and Documentation

- [Privacy Policy](https://synthboard.ai/legal/privacy)
- [Terms of Service](https://synthboard.ai/legal/terms)
- [Data Processing Agreement](https://synthboard.ai/legal/dpa) (Enterprise)
- [Subprocessor List](https://synthboard.ai/legal/subprocessors)

### 10.2 Security Updates

Stay informed:
- **Status Page:** [status.synthboard.ai](https://status.synthboard.ai)
- **Security Advisories:** Published for critical vulnerabilities
- **Changelog:** [synthboard.ai/changelog](https://synthboard.ai/changelog)

### 10.3 Contact

- **General Security Questions:** security@synthboard.ai
- **Vulnerability Reports:** security@synthboard.ai
- **Compliance Inquiries:** compliance@synthboard.ai
- **Privacy Requests:** privacy@synthboard.ai

---

## 11. Security Culture

### 11.1 Our Principles

**Security by Design:**
- Security considerations in every feature
- Threat modeling during development
- Security awareness across the team

**Transparency:**
- Open communication about security practices
- Timely disclosure of incidents
- Public security documentation

**Continuous Improvement:**
- Periodic security reviews and testing
- Learn from incidents and near-misses
- Adopt emerging best practices

### 11.2 User Trust

Your trust is our most valuable asset. We are committed to:
- Protecting your data as if it were our own
- Being transparent about our security practices
- Continuously improving our security posture
- Responding quickly to threats and vulnerabilities

---

## 12. Certifications

| Certification | Standard |
|-----------|-------------|
| SOC 2 Type II | Independent security audit |
| ISO 27001 | Information security management |
| EU-US Data Privacy Framework | Transatlantic data protection |

---

## 13. Frequently Asked Questions

**Q: Do you encrypt my AI conversations?**
A: Yes, all data is encrypted in transit (TLS 1.3) and at rest (AES-256). However, AI providers process your prompts to generate responses.

**Q: Can SynthBoard employees see my sessions?**
A: No, by default. Access is only granted for support requests with your explicit consent, and all access is logged.

**Q: What happens if there's a data breach?**
A: We will notify you within 72 hours, explain what happened, and provide remediation steps.

**Q: Do you sell my data to third parties?**
A: Absolutely not. We never sell user data.

**Q: How do I delete my data?**
A: You can delete sessions individually or close your account. Data is permanently deleted within 90 days.

**Q: Are you GDPR compliant?**
A: Yes, we comply with GDPR, including data processing agreements and user rights.

**Q: Do you have a bug bounty program?**
A: We recognize responsible disclosures publicly in our Security Hall of Fame. Contact security@synthboard.ai to report vulnerabilities.

---

## 14. Security Hall of Fame

We recognize security researchers who responsibly disclose vulnerabilities. We will list recognized researchers here as our program grows.

---

**Security is a shared responsibility. Thank you for helping us keep SynthBoard AI safe and secure.**

For urgent security matters: **security@synthboard.ai**
