Synclarion

Information Security Policy

Effective date: April 29, 2026

Synclarion ("we", "us") takes the security of your data seriously. This policy describes how we protect the confidentiality, integrity, and availability of customer data on the platform, and is candid about our current limits as an early-stage product. It complements our Privacy Policy and Terms of Service.

1. Data we protect

The platform handles transaction data (parties, deadlines, notes, documents), contact and CRM records, Claire conversations, OAuth tokens for integrations (Google, DocuSign, etc.), and the usage telemetry needed to keep the product running. All of it is treated as confidential and remains owned by you.

2. Encryption

All connections to Synclarion use TLS 1.2 or higher: the entire site, every API endpoint, every page. Data at rest is encrypted by Supabase using AES-256, including database backups. Passwords are never stored in plaintext; authentication is delegated to Supabase Auth, which hashes passwords with bcrypt and supports multi-factor authentication.

3. Access controls and data isolation

Per-agent data isolation is enforced at the database layer using Postgres Row-Level Security. Every row in every table is scoped to its owner, and the policies are applied automatically — no API endpoint can return another agent's data, regardless of how the query is constructed. Internal access to production systems is limited to authorized personnel on a need-to-know basis and is logged.

OAuth tokens for connected services (Google, DocuSign, others) are stored as JSONB in a row-level-security-protected table keyed to your user account. Disconnecting an integration revokes the stored token immediately.

4. Third-party integrations

When you connect a third-party service, Synclarion uses OAuth 2.0 / OpenID Connect with the narrowest scopes required to deliver the feature. We don't request broader permissions than we need.

The third parties involved in the product are listed in the Privacy Policy under "Third-party services." Each one is evaluated for its security posture before integration; you'll be notified of material changes to the list.

5. Incident response

We monitor application and infrastructure logs for security events. If we confirm an incident affecting your data, we'll notify you without undue delay — and within the timeframes required by applicable law (e.g. 72 hours for GDPR-applicable incidents). We document every incident and review the root cause to prevent recurrence.

6. Vulnerability management

We follow secure development practices: code review before production, dependency monitoring (npm audit, Dependabot), regular updates of platform dependencies, and reliance on established frameworks (Next.js, TypeScript, Supabase, shadcn/ui) rather than custom security primitives.

7. Backups and continuity

Customer data is backed up daily by Supabase to encrypted, geographically redundant storage. In the event of a major service disruption, our recovery time objective (RTO) and recovery point objective (RPO) are both 24 hours. We target 99.9% service availability and monitor uptime continuously.

8. Data retention and deletion

We retain account data for the lifetime of your subscription. On cancellation we retain it for 30 days in case you reactivate, then delete it. Backup retention is 30 days and follows the same deletion timeline. You can request earlier deletion at any time. Full retention details are in the Privacy Policy under "Data retention."

9. Where we're honest about our limits

Synclarion is in private beta. We do not have a SOC 2 audit yet; that is on the roadmap and will be completed before we serve enterprise customers. We do not yet offer custom data residency, signed BAAs, or contractual SLAs — those are roadmap items as well. If your organization needs any of these today, talk to us about timing.

10. Your role

You are responsible for safeguarding your account credentials, reviewing the permissions you grant to integrated services, notifying us of suspected unauthorized access, and complying with applicable laws when using Synclarion to process data about your own clients (including real-estate licensing rules and fair-housing laws).

11. Changes

We may update this policy as the product evolves. Material changes will be announced in-app and/or by email at least 30 days before they take effect.

12. Contact

Security questions, concerns, or incident reports: security@synclarion.ai