Trust and compliance
Enterprise buyers, along with their procurement and security teams, need a clear understanding of how Syncura manages data before moving forward. This page outlines our security posture, compliance status, and data handling practices.
Compliance & certifications
Syncura is designed to meet the compliance requirements of the enterprise clients we serve. Below is a clear summary of our status.
In progress
SOC 2 Type II
Syncura is currently undergoing a SOC 2 Type II audit. This certification validates our security, availability, and confidentiality controls against the AICPA Trust Services Criteria. We expect to complete the audit in 2026. Current security documentation is available on request.
Compliant
GDPR
Syncura is compliant with GDPR. We process personal data only as required to deliver our services, maintain appropriate data processing agreements, and support data subject rights. For customers operating under GDPR, we act as a data processor and can provide a Data Processing Agreement on request.
Compliant
Data residency
Customer data is processed and stored in the region specified at the time of engagement. Data is not transferred across regions without explicit written consent. Residency options are defined and documented as part of each customer's agreement.
In place
Encryption
All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256. Encryption keys are managed through industry-standard key management services and are rotated regularly.
In place
Access controls
Access to customer data is restricted based on the principle of least privilege. All access is logged and audited. Multi-factor authentication is required for system access. Access rights are reviewed regularly and updated when roles change.
In place
Penetration testing
Syncura conducts annual penetration testing through an independent third-party security firm. Results are reviewed by leadership, and findings are remediated based on risk priority. Summary results are available to enterprise clients on request under NDA.
Data handling
What data we process
Syncura processes the documents and data you provide as part of your use of the platform. This includes document content, associated metadata, and usage data generated during operation. We process only the data required to deliver the contracted service.
How your data is used
Your data is used solely to provide the Syncura service you have contracted for. We do not use client data to train shared models, sell data to third parties, or use it for any purpose outside the scope of your agreement.
Data retention
Data retention periods are always minimized to what is needed to deliver the service. They are defined at the time of engagement and documented in your service agreement. Upon contract termination, all customer data is deleted within 30 days unless a longer retention period is required by law or explicitly requested in writing. For customers that require the strictest data controls, private cloud configurations are available.
Subprocessors
Syncura uses a small number of third-party subprocessors, including cloud infrastructure providers and security tooling. A list of these services is available on request. Customers are notified of any material changes with reasonable advance notice.
Security questions or
If you require more information, reach out to us directly.