Security
Last Updated: 9 March 2026 · Infrastructure: Singapore (Google Cloud, asia-southeast1) · SOC 2 Type II: In progress
Our Approach
Synatsis Systems Inc. builds relationship intelligence software for financial professionals: people who manage high-trust, high-value client relationships. The data our customers entrust to us is among the most sensitive in any professional context. Our security programme is designed around that reality, not around minimum compliance thresholds.
This page describes the technical and organisational controls we maintain. It is intended for security reviewers, CISOs, and procurement teams conducting vendor due diligence. For legal data handling obligations, see our Privacy Policy.
For security enquiries, vulnerability reports, or to request our full security documentation under NDA, contact [email protected].
Compliance and Certifications
- SOC 2 Type II: In progress via Vanta. Automated control monitoring is active across our infrastructure. SOC 2 report available under NDA upon request once issued.
- Philippine Data Privacy Act (RA 10173): Primary governing jurisdiction. Registered with the National Privacy Commission (NPC) as a Personal Information Controller.
- GDPR-equivalent standards: Voluntarily applied for EEA and UK customers. Data Processing Addendum available on request.
- GLBA Safeguards Rule alignment: Controls designed to meet FTC Safeguards Rule (16 CFR Part 314) standards for financial institution customers subject to US law.
- PCI DSS: Payment processing handled exclusively by Stripe (PCI DSS Level 1 certified). No card data is transmitted to or stored on Synatsis infrastructure.
Infrastructure and Data Residency
All production infrastructure runs on Google Cloud Platform in the asia-southeast1 (Singapore) region. Data does not leave this region except as described in our AI architecture section below.
- Database: Supabase-managed PostgreSQL, hosted within our designated GCP region. Logical isolation between customer environments.
- Application layer: Next.js application hosted on Vercel. Edge functions handle routing only; sensitive payloads are not processed at the edge layer.
- Private server infrastructure: Dedicated, air-gapped server environment for sensitive PII processing. Not shared with any other customer or vendor.
- Identity provider: Clerk manages user authentication, session tokens, JWT issuance, and organisation-level seat management. Clerk-issued JWTs are scoped per user and per firm.
- DNS and domain: Managed via Porkbun with DNSSEC enabled.
AI Architecture and Data Flows
Our AI stack is purpose-built to ensure sensitive client data never reaches third-party model providers. All requests are routed through the Sana Orchestrator, Synatsis's proprietary routing and enforcement layer.
- Sensitive PII (client names, net worth indicators, relationship notes): Processed exclusively by a fine-tuned Llama 3-8B model running on our private, dedicated server. Fully within our VPC. No external transmission.
- Synthesis tasks (news, market signals, public data): Anonymised and pseudonymised by the Sana Orchestrator before being passed to Google Gemini Pro via Vertex AI (asia-southeast1). Client identifiers are never included in external model calls.
- Prototyping and internal tooling: Anthropic Claude and Google Antigravity are used for internal development only. Customer data is never submitted to these services.
- Model training: Customer or client data is never used to train, fine-tune, or improve any external AI model. Our on-premises SLM is fine-tuned exclusively on curated synthetic and anonymised datasets.
Encryption
- In transit: TLS 1.2 minimum enforced across all endpoints. TLS 1.3 used where supported by the client.
- At rest: AES-256 encryption for all stored data, including database volumes, backups, and object storage.
- Key management: Encryption keys managed via Google Cloud Key Management Service (Cloud KMS) with automatic rotation.
- Secrets management: Application secrets and API keys are stored in a secrets manager and never committed to source control.
Access Controls
- Least privilege: All staff and system accounts are granted the minimum permissions required to perform their function. Access is reviewed quarterly.
- Multi-factor authentication: MFA is mandatory for all staff accounts with access to production systems, cloud infrastructure, and administrative tooling.
- Role-based access control (RBAC): Production data access is restricted to personnel with a documented operational need. Access logs are retained and reviewed.
- Offboarding: Access is revoked within 24 hours of employee or contractor departure. All credentials are rotated following any access change.
- Row Level Security (RLS): Enforced at the database layer via Supabase RLS policies. Every query is scoped to the authenticated user's JWT subject claim and organisation ID. A compromised session token cannot access data belonging to another user or firm under any circumstances.
- Third-party access: No third party is granted persistent access to production systems. Temporary access, where required, is logged and time-limited.
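The per-user and per-firm scoping described under Row Level Security above, as an added illustration and not Synatsis's own policy definitions. It assumes a hypothetical client_notes table with text columns owner_id and org_id, and that the Clerk-issued JWT carries an org_id claim alongside the standard sub claim; auth.jwt() is Supabase's helper that returns the verified claims of the current request as jsonb.

```sql
-- Hypothetical table: column and claim names are assumptions, not Synatsis's schema.
create table if not exists public.client_notes (
  id       bigint generated always as identity primary key,
  org_id   text not null,  -- firm identifier; must match the JWT 'org_id' claim
  owner_id text not null,  -- user identifier; must match the JWT 'sub' claim
  body     text not null
);

-- Enable RLS. FORCE applies the policies to the table owner as well, so there
-- is no privileged path around them for ordinary database roles.
alter table public.client_notes enable row level security;
alter table public.client_notes force row level security;

-- Reads: a row is visible only when both its firm and its owner match the
-- claims in the caller's JWT. A token for another user or firm matches nothing.
create policy client_notes_select
  on public.client_notes
  for select
  to authenticated
  using (
    org_id = (auth.jwt() ->> 'org_id')
    and owner_id = (auth.jwt() ->> 'sub')
  );

-- Writes: WITH CHECK applies the same scope to the rows being written, so a
-- caller cannot insert a note into another firm or under another owner.
create policy client_notes_insert
  on public.client_notes
  for insert
  to authenticated
  with check (
    org_id = (auth.jwt() ->> 'org_id')
    and owner_id = (auth.jwt() ->> 'sub')
  );

-- Updates need both clauses: USING selects which rows may be touched,
-- WITH CHECK rejects any update that would move a row out of scope.
create policy client_notes_update
  on public.client_notes
  for update
  to authenticated
  using (org_id = (auth.jwt() ->> 'org_id') and owner_id = (auth.jwt() ->> 'sub'))
  with check (org_id = (auth.jwt() ->> 'org_id') and owner_id = (auth.jwt() ->> 'sub'));

-- No DELETE policy is defined, so with RLS enabled deletes are denied by default.
```

Policies like these do not apply to connections using the Supabase service-role key or any role with BYPASSRLS, so that key must remain server-side and out of any client bundle.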
Vulnerability Management
- Penetration testing: External penetration tests conducted annually. Results and remediation status available to enterprise customers under NDA.
- Dependency scanning: Automated scanning of all dependencies for known CVEs on every build. Critical vulnerabilities are remediated within 48 hours.
- Infrastructure patching: OS and infrastructure patches applied on a rolling basis. Critical patches applied within 24 hours of release.
- Continuous monitoring: Vanta provides continuous automated monitoring of our control environment against SOC 2 criteria, with real-time alerting on control failures.
- DDoS protection: Enterprise-grade DDoS mitigation is active at the infrastructure layer via Vercel and Google Cloud.
Incident Response
We maintain a documented incident response procedure covering detection, containment, eradication, recovery, and post-incident review.
- Detection: Automated alerting on anomalous access patterns, failed authentication attempts, and infrastructure health deviations.
- Breach notification (NPC): Personal data breaches likely to result in risk to data subjects are reported to the National Privacy Commission within 72 hours of discovery, as required by NPC Circular 16-03.
- Breach notification (customers): Affected customers are notified without undue delay following discovery of any breach affecting their data, and within the timeframes required by applicable law.
- Post-incident review: All security incidents are reviewed within 5 business days. Root cause analysis and remediation steps are documented internally and shared with affected enterprise customers on request.
Employee Security
- Security training: All staff complete security awareness training on joining and annually thereafter, covering phishing, credential hygiene, and data handling.
- Background checks: Conducted for all employees and contractors with access to customer data, subject to applicable law.
- Confidentiality agreements: All employees and contractors are bound by confidentiality obligations covering customer data.
- Acceptable use policy: A written acceptable use policy governs permitted use of systems, devices, and data by all personnel.
Business Continuity and Backup
- Automated backups: Database backups run daily and are encrypted at rest. Backups are retained for 30 days and tested quarterly.
- Recovery objectives: Recovery time objective (RTO): 4 hours. Recovery point objective (RPO): 24 hours. Enterprise SLAs available on request.
- Multi-zone availability: Core infrastructure is deployed across multiple availability zones within the asia-southeast1 region to minimise single-point-of-failure risk.
Inherited Infrastructure Security
Synatsis is built on a stack of best-in-class providers, each of which maintains independent certifications and security programmes. The controls and certifications below are inherited by our platform by virtue of our use of these services. Enterprise customers may request vendor-specific security documentation directly from each provider.
- Cloudflare: All traffic to synatsis.com is proxied through Cloudflare, providing enterprise-grade DDoS mitigation, Web Application Firewall (WAF), bot management, TLS termination, and edge network protection across 300+ global points of presence. Cloudflare holds SOC 2 Type II, ISO 27001, PCI DSS Level 1, and FedRAMP certifications. Cloudflare also manages email link protection and DNS resolution for our domain.
- Vercel: Application hosting and serverless edge functions. Vercel enforces automatic HTTPS on all deployments, OIDC-based deploy pipeline authentication, immutable deployment artifacts, and network-level DDoS mitigation. Vercel is SOC 2 Type II and ISO 27001 certified. No persistent server access to runtime environments is possible; each deployment is isolated and ephemeral.
- Supabase (Google Cloud): Managed PostgreSQL database with automatic TLS on all connections, AES-256 encryption at rest, automated encrypted backups, point-in-time recovery, and network isolation via VPC. Supabase is SOC 2 Type II certified. All Supabase infrastructure for our deployment runs on Google Cloud Platform in the asia-southeast1 (Singapore) region.
- Google Cloud Platform / Vertex AI: Core cloud infrastructure and AI model hosting. GCP holds ISO 27001, SOC 1/2/3 Type II, PCI DSS Level 1, FedRAMP High, and HIPAA BAA certifications. Google data centres operate with 24/7 physical security, biometric access controls, and independent third-party audits. VPC Service Controls enforce data residency boundaries within the asia-southeast1 region.
- Clerk: Identity and authentication provider. Clerk is SOC 2 Type II certified and GDPR compliant. Security features active on our platform include: bot protection on all authentication endpoints, brute-force detection and rate limiting, leaked credential checking against known breach databases, automatic session invalidation on suspicious activity, and cryptographically signed JWTs with short expiry windows.
- Stripe: Payment processing. Stripe is PCI DSS Level 1 certified, the highest tier of payment security certification, and SOC 1/2 Type II audited. Card data is tokenised at the point of entry in the browser and never transmitted to or stored on Synatsis infrastructure. Stripe maintains its own fraud detection, encryption, and network security controls independently of Synatsis.
The certifications held by our providers do not automatically extend to Synatsis's own systems and processes, but they do mean that the infrastructure layer your data runs on is independently audited to the highest commercial standards. Our own SOC 2 Type II audit (in progress via Vanta) covers Synatsis's controls on top of this foundation.
Responsible Disclosure
We welcome reports from security researchers. If you believe you have discovered a vulnerability in Synatsis systems, please contact us at [email protected] with a description of the issue and steps to reproduce it.
We commit to acknowledging all reports within 2 business days, investigating in good faith, and keeping you informed of our remediation progress. We ask that you do not publicly disclose findings until we have had a reasonable opportunity to investigate and remediate.
We do not currently operate a bug bounty programme, but we recognise and appreciate responsible disclosure.
Requesting Security Documentation
Enterprise customers and prospective customers undergoing vendor due diligence may request the following under a mutual NDA:
- SOC 2 Type II report (upon issuance)
- Penetration test executive summary
- GDPR Data Processing Addendum
- GLBA Vendor Due Diligence Questionnaire responses
- Infrastructure architecture overview
- Business Continuity and Disaster Recovery plan summary
We aim to respond to all security documentation requests within 3 business days. Execution of an NDA may be required before certain documents are shared.