Security
Encryption, access control, backups, incident response, and responsible disclosure.
Last updated: April 20, 2026
This page describes the technical and organizational measures Syncek SL has in place to protect Customer Data. We are an early-stage company; this page is intentionally honest about what we do today and what is planned. It complements — and does not replace — our Privacy Policy and our Data Processing Addendum (DPA), which together define our contractual commitments under the GDPR.
1. Encryption
- In transit. All traffic to Syncek uses TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enabled with a two-year max-age and preload.
- At rest. Production databases and object storage are encrypted at rest with AES-256 or equivalent, managed by the underlying cloud provider.
- Sensitive customer data. API credentials, OAuth tokens, and integration secrets that you entrust to Syncek are additionally encrypted at the application layer using a key-management service, so they are never readable in plain text in our database or backups.
2. Access control
- Role-based access for Syncek personnel with least-privilege defaults. Production access is limited to a small number of named individuals and is revoked on role change or termination.
- Multi-factor authentication is enforced for every administrative account.
- All production access is logged and retained with integrity protections; logs are reviewed during incident response.
- Customer-side authentication uses BetterAuth with hashed passwords (Argon2id) and supports sign-in via Google, Facebook, and GitHub OAuth.
3. Vulnerability management
- Automated dependency and code scanners run on every change, blocking merges that introduce known vulnerabilities.
- Security patches are prioritized by severity and shipped out-of-cycle when needed.
- External penetration testing is planned. A cadence and most-recent test date will be published on this page once the first engagement is complete.
4. Data residency and transfers
Customer Data is stored in the European Union — primary application hosting and backups stay within EU regions. Some sub-processors operate from the United States or globally (Stripe, Resend, Google Analytics on the marketing site only, Cloudflare for CDN/edge); each transfer relies on the EU-US Data Privacy Framework, the EU Standard Contractual Clauses, and supplementary measures. The full list is at our Sub-processors page.
5. Backups and recovery
- Automated daily backups of production data.
- Rolling retention of thirty (30) days, then purged.
- Recovery procedures are documented internally and exercised periodically.
6. Incident response and breach notification
We maintain a written incident-response plan with defined roles and escalation paths. If we confirm a personal-data breach that is likely to result in a high risk to you, we will notify you within forty-eight (48) hours and the AEPD (or other competent supervisory authority) without undue delay and, where feasible, within seventy-two (72) hours, as required by Arts. 33 and 34 GDPR.
7. Network and edge security
Our edge and CDN layer (Cloudflare) provides bot management, rate-limiting, and DDoS mitigation in front of the application. Strict security headers are applied to every response (Content-Security-Policy, X-Frame-Options, Referrer-Policy, and Permissions-Policy), and cookie flags include Secure, HttpOnly, and SameSite=Lax by default.
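As an added example (not Syncek's own code), the check below audits a captured HTTP response against the header and cookie policy stated in this section and in section 1: HSTS with a two-year max-age and preload, the four listed security headers present, and cookies carrying Secure, HttpOnly and SameSite=Lax (Strict is accepted too, since it is tighter). The sample responses at the bottom are constructed.

```python
# Added example (not Syncek's code): audit a captured response against the header
# and cookie policy stated above. The sample responses at the bottom are constructed.
TWO_YEARS = 730 * 24 * 3600  # the two-year HSTS max-age the page promises
REQUIRED = ("content-security-policy", "x-frame-options", "referrer-policy", "permissions-policy")
def directives(value: str) -> dict:
    """'max-age=63072000; preload' -> {'max-age': '63072000', 'preload': ''} (names lowercased)."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out

def check_hsts(hsts: str) -> list:
    d = directives(hsts)
    if not d.get("max-age", "").isdigit():
        return ["HSTS max-age missing or malformed"]
    findings = []
    if int(d["max-age"]) < TWO_YEARS:
        findings.append(f"HSTS max-age {d['max-age']} is below two years")
    if "preload" not in d:
        findings.append("HSTS preload directive missing")
    return findings

def check_cookie(set_cookie: str) -> list:
    """Page policy: Secure, HttpOnly, SameSite=Lax (Strict is at least as tight)."""
    name = set_cookie.split("=", 1)[0].strip()
    d = directives(set_cookie)
    findings = [f"cookie {name} lacks {f}" for f in ("Secure", "HttpOnly") if f.lower() not in d]
    if d.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"cookie {name} SameSite should be Lax or Strict")
    return findings

def audit(headers: dict, set_cookies: list) -> list:
    """Return every deviation from the stated policy; an empty list means compliant."""
    h = {k.lower(): v for k, v in headers.items()}
    hsts = h.get("strict-transport-security")
    findings = check_hsts(hsts) if hsts is not None else ["HSTS header missing"]
    findings += [f"{name} header missing" for name in REQUIRED if name not in h]
    for cookie in set_cookies:
        findings += check_cookie(cookie)
    return findings

# Constructed sample: one response matching the stated policy, one that has drifted.
GOOD = ({"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
         "Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "DENY",
         "Referrer-Policy": "strict-origin-when-cross-origin", "Permissions-Policy": "camera=()"},
        ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"])
DRIFTED = ({"Strict-Transport-Security": "max-age=31536000", "Content-Security-Policy": "default-src 'self'"},
           ["session=abc123; Path=/; HttpOnly"])
```

Running `audit(*DRIFTED)` reports the one-year max-age, the missing preload directive, the three absent headers, and the cookie's missing Secure flag and SameSite attribute.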
8. Compliance status
Syncek is aligned with the GDPR (Regulation (EU) 2016/679) and the Spanish LOPDGDD (Ley Orgánica 3/2018). We do not currently hold SOC 2, ISO/IEC 27001, or HIPAA certifications, and we do not accept regulated data that would require them (see the Acceptable Use Policy). As the company grows and customer demand justifies the audit cost, we plan to pursue ISO/IEC 27001 first; this page will be updated when that work starts.
9. Responsible disclosure
If you believe you have found a security vulnerability, please email legal@syncek.com with details. We will acknowledge valid reports within three (3) business days and keep you informed until the issue is resolved. Research conducted in good faith under standard responsible-disclosure norms — no disruption of the Service, no access to Customer Data beyond what is necessary to demonstrate the bug, no public disclosure before we fix it — will not result in legal action from us.
10. Contact
Security questions, vulnerability reports, and requests for additional documentation: legal@syncek.com.