This page covers everything an enterprise security review will ask about. If your specific question isn’t answered here, email [email protected].

Encryption

Layer                      | Mechanism
In transit                 | TLS 1.3 on every SDK connection.
At rest (application data) | AES-256 for the vector store and the graph store.
At rest (credentials)      | API keys are hashed with SHA-256 before storage; plaintext keys are never persisted server-side.
Backups                    | Encrypted with keys separate from the primary stores; every restore from backup is audited.
All traffic between the SDK and Synap Cloud is verified against pinned certificates. If TLS negotiation fails the SDK aborts the connection; it never falls back to plaintext.

Isolation model

Synap enforces isolation at three boundaries:
  1. Instance isolation — each Instance has its own logical storage namespace across vector and graph stores. Memories from one Instance are never queryable from another, even by accident, because every query is scoped to an Instance ID resolved server-side from your API key.
  2. Scope isolation — within an Instance, every memory is tagged with USER → CUSTOMER → CLIENT → WORLD scope. A user-scoped retrieval never returns memories from a different user, regardless of similarity. See Memory Scopes.
  3. Network isolation — Synap Cloud is network-isolated per region. Customer data never crosses regions.

Data residency

Region        | Location  | Status
US East       | Virginia  | Available
EU West       | Frankfurt | Available
Other regions |           | On request; contact [email protected]
You pick the region when you create a Client. Memories stay in that region for their entire lifecycle, including backups and replicas; Synap never replicates data across regions automatically.

Deletion guarantees

Synap supports per-memory, per-conversation, per-user, per-customer, and per-instance deletion.
  • Soft delete (default) — the memory is removed from retrieval results immediately and purged from active stores within 24 hours. The deletion is logged to the audit trail.
  • Hard delete (on request) — removes the memory from backups as well, within 30 days. Use this for GDPR Right-to-be-Forgotten and CCPA Right-to-Delete requests. Contact [email protected] to initiate.
Deletion cascades through the entity graph: when a user is deleted, any entities exclusively referenced by their memories are also removed. Entities co-referenced by other users (e.g., a shared product entity) are retained.
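The two guarantees above, scope-filtered retrieval (Isolation model, boundaries 1 and 2) and the entity-graph deletion cascade, as an added toy model. This is illustrative code written for this page, not Synap's implementation: the API-key table, the field names, the 2-d embeddings and the cosine ranking are all assumptions made for the example. The point it shows is that the Instance ID comes from the API key and that filtering happens before ranking, so another user's near-identical memory can never reach the caller, and that a deleted user's entities are removed only when no surviving memory in the same Instance still references them.

```python
"""Toy model of Instance/scope-filtered retrieval and cascading deletion.

Added illustration; not Synap's code. The key table, field names, 2-d
embeddings and cosine ranking are assumptions for the example.
"""
from dataclasses import dataclass
import math

# Constructed key table. The Instance ID is resolved from the key server-side;
# the caller never supplies it.
API_KEYS = {"sk-alpha": "inst-A", "sk-beta": "inst-B"}
SCOPES = ("USER", "CUSTOMER", "CLIENT", "WORLD")


@dataclass
class Memory:
    memory_id: str
    instance_id: str
    scope: str
    owner_id: str              # principal the scope tag belongs to (user id for USER)
    embedding: list            # toy 2-d vector standing in for a real embedding
    entities: frozenset = frozenset()


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))


class ToyStore:
    def __init__(self):
        self.memories = {}

    def put(self, m):
        assert m.scope in SCOPES, m.scope
        self.memories[m.memory_id] = m

    def retrieve(self, api_key, scope, owner_id, query, k=3):
        instance_id = API_KEYS[api_key]  # from the key, not from the request body
        # Filter on Instance, scope and owner BEFORE ranking. Ranking globally and
        # filtering the top-k afterwards would let another user's near-identical
        # memory crowd out the caller's own results, or leak through a filter bug.
        candidates = [m for m in self.memories.values()
                      if m.instance_id == instance_id
                      and m.scope == scope and m.owner_id == owner_id]
        candidates.sort(key=lambda m: cosine(m.embedding, query), reverse=True)
        return [m.memory_id for m in candidates[:k]]

    def delete_user(self, instance_id, user_id):
        """Cascade: remove the user's memories, then every entity only those
        memories referenced. Entities still referenced by other memories in
        the same Instance are retained."""
        victims = [m for m in self.memories.values()
                   if m.instance_id == instance_id
                   and m.scope == "USER" and m.owner_id == user_id]
        for m in victims:
            del self.memories[m.memory_id]
        touched = set().union(*(m.entities for m in victims))
        still_referenced = set().union(*(m.entities for m in self.memories.values()
                                         if m.instance_id == instance_id))
        return {"memories": sorted(m.memory_id for m in victims),
                "entities_removed": sorted(touched - still_referenced),
                "entities_retained": sorted(touched & still_referenced)}


def build_sample_store():
    """Constructed data: two users in inst-A sharing one entity, plus a
    same-named user in inst-B."""
    s = ToyStore()
    s.put(Memory("m1", "inst-A", "USER", "alice", [1.0, 0.0],
                 frozenset({"product:widget", "person:alice-dentist"})))
    s.put(Memory("m2", "inst-A", "USER", "alice", [0.6, 0.8],
                 frozenset({"product:widget"})))
    # bob's memory is an almost exact match for alice's query but must never reach her
    s.put(Memory("m3", "inst-A", "USER", "bob", [0.999, 0.01],
                 frozenset({"product:widget"})))
    # same user id in another Instance: invisible to inst-A callers
    s.put(Memory("m4", "inst-B", "USER", "alice", [1.0, 0.0],
                 frozenset({"product:widget"})))
    return s


if __name__ == "__main__":
    store = build_sample_store()
    print(store.retrieve("sk-alpha", "USER", "alice", [1.0, 0.0]))  # ['m1', 'm2']
    print(store.delete_user("inst-A", "alice"))
    print(store.retrieve("sk-alpha", "USER", "alice", [1.0, 0.0]))  # []
```

The check a reviewer would run against any real store is the same as the one in `retrieve`: confirm that the tenant and scope predicates are applied inside the query, not on the ranked result list, since a top-k taken before filtering can return fewer than k rows and, with a bug, rows that belong to someone else.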

Compliance posture

Framework      | Status
SOC 2 Type II  | In progress; target audit completion Q3 2026
GDPR           | Compliant. DPA available on request from [email protected].
CCPA           | Compliant.
HIPAA          | Not currently certified. Do not send PHI to Synap.
ISO 27001      | On the roadmap (2026).
Synap maintains a completed vendor security questionnaire (CAIQ and SIG Lite); request it via [email protected].

Sub-processors

Synap maintains a public sub-processor list. See the Synap sub-processor disclosure for the current list.

Audit logs

Every dashboard and SDK action is logged with correlation_id, principal (user / API key), timestamp, action, and resource. Audit logs are retained for 90 days by default and can be exported from the Dashboard (on Enterprise plans).
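Two checks a security reviewer would run over an audit-log export, as an added example that is not Synap's code or its export format. The field names are the five the page lists (correlation_id, principal, timestamp, action, resource); the JSON-lines layout, the `type:name` principal format, the action names and the sample entries are constructed assumptions for this example. The first check reconciles the memory IDs you deleted against `memory.delete` entries, the second surfaces actions by principals that are not your own keys or dashboard users, which is where logged Synap support access (see "What we do NOT do") would appear.

```python
import json

# Field names follow the page; the JSON-lines layout, the "type:name" principal
# format and the action names are assumptions made for this example.
REQUIRED = {"correlation_id", "principal", "timestamp", "action", "resource"}

# Constructed sample export: two deletes from your own API key, one dashboard
# action, and one read by a principal that is not one of yours.
SAMPLE_EXPORT = """\
{"correlation_id": "c-101", "principal": "api_key:sk-alpha", "timestamp": "2025-01-10T09:00:00Z", "action": "memory.delete", "resource": "memory/m1"}
{"correlation_id": "c-102", "principal": "api_key:sk-alpha", "timestamp": "2025-01-10T09:00:05Z", "action": "memory.delete", "resource": "memory/m2"}
{"correlation_id": "c-103", "principal": "user:dashboard-admin", "timestamp": "2025-01-10T09:10:00Z", "action": "apikey.rotate", "resource": "apikey/sk-alpha"}
{"correlation_id": "c-104", "principal": "support:synap-oncall", "timestamp": "2025-01-11T14:02:00Z", "action": "memory.read", "resource": "memory/m9"}
"""


def parse_export(text):
    """Parse one JSON object per line, rejecting entries missing a required field."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        entry = json.loads(line)
        missing = REQUIRED - set(entry)
        if missing:
            raise ValueError(f"line {lineno}: missing {sorted(missing)}")
        entries.append(entry)
    return entries


def unlogged_deletes(entries, deleted_memory_ids):
    """Memory IDs you deleted that have no memory.delete entry in the export."""
    logged = {e["resource"].split("/", 1)[1]
              for e in entries if e["action"] == "memory.delete"}
    return sorted(set(deleted_memory_ids) - logged)


def foreign_principal_actions(entries, own_principals):
    """Entries by principals other than your own keys and dashboard users.
    Each one should correspond to a support ticket you raised."""
    return [e for e in entries if e["principal"] not in own_principals]


if __name__ == "__main__":
    entries = parse_export(SAMPLE_EXPORT)
    print(unlogged_deletes(entries, ["m1", "m2", "m3"]))  # ['m3']
    own = {"api_key:sk-alpha", "user:dashboard-admin"}
    for e in foreign_principal_actions(entries, own):
        print(e["correlation_id"], e["principal"], e["action"], e["resource"])
```

Because retention is 90 days by default, run the reconciliation on a schedule shorter than that and keep the exports yourself if you need a longer evidence trail for an audit.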

Reporting a vulnerability

Email [email protected] with reproduction steps. We acknowledge within 24 hours and aim to issue a patch within 7 days for critical vulnerabilities. We do not currently run a public bug bounty but will reward responsibly-disclosed issues.

What we do NOT do

Stated explicitly so there are no surprises in your security review:
  • We do not train models on customer data.
  • We do not share customer data with sub-processors beyond what is listed above.
  • We do not allow Synap engineers to query customer data without a documented support ticket from the customer. All such access is logged.
  • We do not retain deleted memories. Once a hard delete completes, the data is gone — including from backups within the 30-day window.