Security Policy

Last updated: 12 April 2026

Last reviewed: 4 June 2026

Security is foundational to Synapses. This Security Policy describes the technical and organisational measures we implement to protect the Synapses platform, your data, and our infrastructure. We treat security as a continuous practice, not a one-time effort.

How does Synapses protect its infrastructure?

The Synapses platform is hosted on third-party cloud infrastructure; we do not operate our own data centres, and the physical security controls (24/7 surveillance, biometric access control, redundant power and network connectivity) are those of the hosting provider. All network traffic is encrypted in transit using TLS 1.2 or higher, production environments run in private network segments with strict firewall rules, and DDoS protection is active at both the network and application layers. Intrusion detection systems (IDS) continuously monitor for anomalous traffic patterns.

How is data encrypted?

  • In transit: TLS 1.2+ for all data moving between clients and our servers, and between internal services.
  • At rest: AES-256 encryption for all stored data, including databases and backups.
  • Key management: Encryption keys are managed using cloud-native KMS services with automatic rotation.

How does Synapses store cloud credentials?

All cloud credentials are stored in HashiCorp Vault, a dedicated secrets management system. When you connect a cloud provider account (AWS, Azure, OCI, GCP), your credentials and access tokens are encrypted and written only to Vault. Synapses staff do not have routine access to your cloud credentials. Credentials are used only by the Service, and only to carry out the configuration requests you make.

How does Synapses secure the application layer?

Security requirements are integrated into the development process from design through deployment. All code changes undergo peer review before merging, and automated static application security testing (SAST) and dependency vulnerability scanning run on every pull request.

How does authentication work?

  • Multi-factor authentication (MFA) is supported and strongly recommended for all accounts.
  • Passwords are stored as bcrypt hashes with a high work factor; plaintext passwords are never stored.
  • Session tokens are rotated on authentication and expire after a configurable period of inactivity.
  • Role-based access control (RBAC) limits user and service permissions to the minimum required.
  • OAuth 2.0 and OIDC are used for third-party cloud provider integrations.
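The token-rotation and idle-expiry behaviour described in the two session bullets, shown as an added example (illustrative code, not Synapses' own implementation). It assumes an in-memory store standing in for a shared session store and an injectable clock so expiry can be exercised; the token length, the 600-second timeout and the user names are chosen for illustration.

```python
"""Session-token handling as the policy describes it: a new token on every
authentication (the previous one is revoked, which also defeats session
fixation) and expiry after a configurable period of inactivity.

Assumptions (not from the policy): an in-memory dict stands in for the
shared session store, and the clock is injectable so expiry can be tested.
"""
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


def _key(token: str) -> str:
    # Only a SHA-256 digest of the token is stored, so a leaked session table
    # does not yield usable bearer tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self, idle_timeout_s: int, clock: Callable[[], float] = time.time):
        self.idle_timeout_s = idle_timeout_s   # the configurable inactivity period
        self._clock = clock
        self._sessions: dict[str, Session] = {}   # token digest -> session
        self._current: dict[str, str] = {}        # user_id -> token digest

    def issue(self, user_id: str) -> str:
        """Call only after the password (and MFA, if enrolled) has been verified."""
        # Rotation: revoke whatever token was bound to this user before login,
        # so a token an attacker planted in the victim's browser never becomes
        # an authenticated session.
        old = self._current.pop(user_id, None)
        if old is not None:
            self._sessions.pop(old, None)
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        digest = _key(token)
        self._sessions[digest] = Session(user_id, now, now)
        self._current[user_id] = digest
        return token   # handed to the client once; never stored in clear

    def validate(self, token: str) -> Optional[str]:
        """Return the user_id for a live token, else None.  A successful check
        refreshes last_seen, so the idle window slides with activity."""
        sess = self._sessions.get(_key(token))
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > self.idle_timeout_s:
            self.revoke(token)   # expired through inactivity
            return None
        sess.last_seen = now
        return sess.user_id

    def revoke(self, token: str) -> None:
        """Explicit logout, or server-side invalidation."""
        digest = _key(token)
        sess = self._sessions.pop(digest, None)
        if sess is not None and self._current.get(sess.user_id) == digest:
            del self._current[sess.user_id]


def demo() -> dict:
    """Walk through rotation and idle expiry with a fake clock."""
    now = [1_000.0]
    store = SessionStore(idle_timeout_s=600, clock=lambda: now[0])
    first = store.issue("alice")
    second = store.issue("alice")            # re-authentication rotates the token
    result = {
        "old_token_dead_after_rotation": store.validate(first) is None,
        "new_token_live": store.validate(second) == "alice",
    }
    now[0] += 599
    result["still_live_inside_idle_window"] = store.validate(second) == "alice"
    now[0] += 601                             # 601 s since last activity
    result["expired_after_inactivity"] = store.validate(second) is None
    return result


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: storing only the digest of the token means a database dump does not hand an attacker live sessions, and revoking the user's previous token inside `issue()` is what turns "rotated on authentication" into a defence against session fixation rather than just a housekeeping step.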

Who has access to production systems?

Access to production systems is granted on a least-privilege, need-to-know basis only. All privileged access requires MFA and is logged and audited. Access rights are reviewed quarterly and revoked immediately upon role change or termination. Background checks are conducted for all employees with access to production systems.

How are security events monitored?

  • Comprehensive audit logs are maintained for all authentication events, administrative actions, and API calls.
  • Logs are stored in a tamper-evident, centralised system with 12-month retention.
  • 24/7 security monitoring with automated alerts for suspicious activity.
  • On-call security personnel respond to high-severity alerts around the clock.
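What "tamper-evident" means in practice for the log store in the bullets above, as an added example (illustrative code, not Synapses' own pipeline). Each record is chained to its predecessor with an HMAC, so editing, deleting or reordering an entry breaks every tag after it; the key, the record layout, the sample events and the idea of anchoring the latest tag out of band are all assumptions made for the example.

```python
"""Tamper-evident audit log of the kind the policy describes: every record is
chained to its predecessor by an HMAC, so editing, deleting or reordering an
entry invalidates every tag after it.  Added example, not Synapses code; the
key, event shapes and sample events are constructed for illustration.
"""
from __future__ import annotations

import copy
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64   # "previous tag" of the first record


def _canonical(event: dict) -> bytes:
    # Deterministic serialisation: key order and whitespace must not change
    # the bytes that are authenticated.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _tag(key: bytes, prev: str, event: dict) -> str:
    return hmac.new(key, prev.encode() + _canonical(event), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only collector.  The HMAC key stays with the collector; the
    services that emit events never see it, so they cannot forge tags."""

    def __init__(self, key: bytes):
        self._key = key
        self.records: list[dict] = []

    def append(self, event: dict) -> dict:
        prev = self.records[-1]["tag"] if self.records else GENESIS
        rec = {"seq": len(self.records), "prev": prev,
               "event": event, "tag": _tag(self._key, prev, event)}
        self.records.append(rec)
        return rec

    def head(self) -> str:
        """Latest tag.  Publishing it out of band at intervals (to a separate
        system) is what makes silent truncation of the tail detectable."""
        return self.records[-1]["tag"] if self.records else GENESIS


def verify(key: bytes, records: list[dict],
           expected_head: Optional[str] = None) -> tuple[bool, int]:
    """Return (ok, index of first bad record), with index -1 when intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i                       # gap, reorder or deletion
        if not hmac.compare_digest(_tag(key, prev, rec["event"]), rec["tag"]):
            return False, i                       # content or tag modified
        prev = rec["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(records)                # tail truncated
    return True, -1


# Constructed sample events covering the three classes the policy lists.
SAMPLE_EVENTS = [
    {"ts": "2026-06-01T08:00:00Z", "type": "auth.login", "user": "alice", "mfa": True},
    {"ts": "2026-06-01T08:05:12Z", "type": "admin.role_change",
     "actor": "alice", "target": "bob", "role": "viewer"},
    {"ts": "2026-06-01T08:06:40Z", "type": "api.call",
     "user": "bob", "method": "GET", "path": "/v1/accounts"},
]


def build_sample_log(key: bytes) -> AuditLog:
    log = AuditLog(key)
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    return log


def with_event_changed(records: list[dict], idx: int, **changes) -> list[dict]:
    """Deep copy with one event's fields altered (simulated tampering)."""
    out = copy.deepcopy(records)
    out[idx]["event"].update(changes)
    return out


if __name__ == "__main__":
    key = b"collector-only-key"
    log = build_sample_log(key)
    print("intact:", verify(key, log.records))
    print("edited:", verify(key, with_event_changed(log.records, 1, target="mallory")))
    print("deleted:", verify(key, log.records[:1] + log.records[2:]))
    print("truncated, no anchor:", verify(key, log.records[:-1]))
    print("truncated, anchored:", verify(key, log.records[:-1], expected_head=log.head()))
```

The last two checks are the caveat a practitioner should keep in mind: a hash chain alone cannot tell the difference between a log that stopped and a log whose tail was removed, so the latest tag has to be anchored somewhere the log writer cannot change, and the verifier has to be given that anchor.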

How does Synapses handle vulnerabilities?

Automated vulnerability scans run continuously across our infrastructure and dependencies. Critical vulnerabilities are remediated within 24 hours and high-severity vulnerabilities within 7 days. Operating system and software patches are applied on a defined schedule. We commission annual penetration tests from independent third-party security firms.

How is customer data kept secure and separate?

  • Customer data is logically isolated. No customer can access another's data.
  • Data is backed up daily with encrypted off-site replicas. Backups are tested for restorability quarterly.
  • Customer data is processed only as described in our Privacy Policy and your service agreement.
  • Data deletion requests are fulfilled within 90 days; backups containing deleted data are purged within 180 days.

What is Synapses' business continuity posture?

  • The Synapses platform is architected for high availability with multi-zone redundancy.
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets are defined per service tier and documented in your service agreement.
  • Disaster recovery procedures are tested at least annually.

How does Synapses vet third-party vendors?

  • All third-party vendors with access to customer data are subject to security review before onboarding.
  • Vendors are required to maintain appropriate security certifications and sign data processing agreements.
  • We monitor our software supply chain for known vulnerabilities using automated tooling.

How are Synapses employees trained on security?

  • All employees receive security awareness training upon joining and annually thereafter.
  • Phishing simulation exercises are conducted periodically.
  • Engineering staff receive role-specific training on secure coding practices (OWASP Top 10, etc.).

What happens if a security incident occurs?

Synapses maintains a formal Incident Response Plan. In the event of a confirmed security incident affecting customer data, affected customers will be notified within 72 hours of confirmation, as required by applicable law. The notification will describe the nature of the incident, the data affected, the steps taken, and recommended actions. A post-incident review will be conducted and a summary made available on request.

How can security researchers report a vulnerability?

We welcome responsible disclosure from security researchers. If you have discovered a potential vulnerability in the Synapses platform, please contact us:

  • Email: security@synapses-technology.com
  • Include a detailed description, steps to reproduce, and potential impact.
  • Do not access, modify, or delete customer data during your research.
  • We commit to acknowledging reports within 2 business days and keeping reporters informed of progress.
  • We will not pursue legal action against researchers acting in good faith under this policy.

What compliance frameworks does Synapses align to?

Synapses is committed to maintaining compliance with applicable data protection and security regulations, including GDPR and the Saudi PDPL. Our security practices are designed to align with industry frameworks including ISO/IEC 27001 and the NIST Cybersecurity Framework.

Changes to This Policy

We may update this Security Policy to reflect changes in our practices or applicable law. We will update the "Last updated" date and, for material changes, notify affected customers by email.

Contact

Security-related questions or reports should be directed to: