Security
The controls your procurement team will check, stated plainly.
This page is the fast scan: encryption, tenant isolation, authentication, AI learning policy, deletion, and audit. The long-form trust and data-governance write-up - principles, subprocessor table, procurement Q&A - lives at /trust.
Controls at a glance
Six controls, with current status stated plainly.
Where a control is live, we tie it to the implemented mechanism. Where it is still hardening work, we say that plainly.
Encryption
Encrypted hosted storage, TLS in transit.
Customer documents and extracted data live in hosted database and object storage with provider-managed encryption at rest. Browser, API, and database traffic uses TLS in transit, and customer content stays inside the listed service boundaries.
Tenant Isolation
Row-level security in Postgres, enforced by the database.
Every row carries a tenant identifier. Supabase RLS policies reject any query that does not carry the matching tenant identifier. A bug in application code cannot cross tenants because the database refuses the read. Object storage is scoped the same way, with tenant-prefixed bucket paths.
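The following is an added illustration of the row-level-security pattern described above, not SynthGL's own schema or policies. It assumes a Postgres table named documents with a tenant_id column, and that the caller's tenant arrives as a tenant_id claim in the JWT that Supabase/PostgREST exposes to the database session through the request.jwt.claims setting; all of those names are assumptions for the example.

```sql
-- Added example of Postgres row-level security keyed on a tenant identifier.
-- Table, column and claim names are assumptions, not SynthGL's schema.

create table if not exists documents (
  id        bigint generated always as identity primary key,
  tenant_id uuid not null,
  title     text not null,
  body      text
);

-- Caller's tenant, read from the JWT claims that PostgREST/Supabase publish as a
-- session setting (assumed claim name: tenant_id). NULL when no claim is present,
-- and a NULL tenant never satisfies the policies below, so no claim means no rows.
create or replace function current_tenant_id() returns uuid
language sql stable as $$
  select nullif(current_setting('request.jwt.claims', true)::jsonb ->> 'tenant_id', '')::uuid
$$;

alter table documents enable row level security;
-- FORCE makes the policies apply to the table owner as well; only superusers bypass RLS.
alter table documents force row level security;

-- Reads: only rows whose tenant matches the caller.
create policy documents_tenant_select on documents
  for select using (tenant_id = current_tenant_id());

-- Writes: rows can only be created in, moved within, or removed from the caller's tenant.
create policy documents_tenant_insert on documents
  for insert with check (tenant_id = current_tenant_id());
create policy documents_tenant_update on documents
  for update using (tenant_id = current_tenant_id())
  with check (tenant_id = current_tenant_id());
create policy documents_tenant_delete on documents
  for delete using (tenant_id = current_tenant_id());

-- Walkthrough with two constructed tenant ids in one session.
-- Act as tenant A and store a row.
select set_config('request.jwt.claims',
                  '{"tenant_id":"11111111-1111-1111-1111-111111111111"}', false);
insert into documents (tenant_id, title)
values ('11111111-1111-1111-1111-111111111111', 'visible to A only');

-- Switch the session to tenant B. The same unfiltered query now returns nothing:
-- the database hides A's row even though the statement has no WHERE tenant_id clause,
-- which is the "application bug cannot cross tenants" property the page describes.
select set_config('request.jwt.claims',
                  '{"tenant_id":"22222222-2222-2222-2222-222222222222"}', false);
select id, tenant_id, title from documents;

-- And B cannot smuggle a row into A's tenant: the INSERT policy's WITH CHECK rejects it.
insert into documents (tenant_id, title)
values ('11111111-1111-1111-1111-111111111111', 'rejected by RLS');
```

The last statement is expected to fail with a row-level-security violation; that failure is the control working. Two points to verify in a review of any RLS setup like this: that FORCE ROW LEVEL SECURITY is set so the owning role is not silently exempt, and that the application connects as a non-superuser role, since superusers bypass RLS entirely.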
Authentication
WorkOS-capable OIDC / SSO. No customer passwords stored.
The production auth path supports WorkOS OIDC and enterprise SSO providers such as Okta, Azure AD, and Google Workspace. Demo and local walkthroughs can use bearer-token mode, but SynthGL does not store customer passwords.
Zero Training
Your data is never used to train any model, including ours.
Anthropic is configured with zero data retention. SynthGL does not fine-tune on customer content. Cross-tenant learning is limited to anonymized corrections an engagement can opt into; default is off.
Retention
Archive-first today; purge windows are contractual.
The product delete path archives engagements and preserves audit history today. For pilots, purge timing and backup rotation are handled in the agreement and operating runbook; automated hard-delete evidence is a readiness item before broader rollout.
Audit Log
Append-only audit history for key mutations and access paths.
Domain mutations write append-only audit events, and portal/MCP access outcomes write separate access events. Full every-read/every-write coverage is part of the hardening roadmap. Every AI-surfaced number is designed to trace back to the source document, sheet, and cell.
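As an added illustration of the append-only audit pattern described above (not SynthGL's implementation), the block below shows one way to make a Postgres audit table refuse modification and to have domain mutations land in it automatically. The application role name app_role, the audit_events and engagements tables, and their columns are assumptions for the example.

```sql
-- Added example: an append-only audit table enforced by the database.
-- Role, table and column names are assumptions, not SynthGL's schema.

-- Application role assumed by the example; created only if absent.
do $$ begin
  if not exists (select 1 from pg_roles where rolname = 'app_role') then
    create role app_role nologin;
  end if;
end $$;

create table if not exists audit_events (
  id          bigint generated always as identity primary key,
  tenant_id   uuid not null,
  actor       text not null,
  action      text not null,          -- INSERT / UPDATE / DELETE
  entity      text not null,          -- table name
  entity_id   text not null,
  occurred_at timestamptz not null default now(),
  details     jsonb not null default '{}'::jsonb
);

-- First layer: the application role may append and read, nothing else.
revoke all on audit_events from app_role;
grant insert, select on audit_events to app_role;

-- Second layer: triggers refuse UPDATE, DELETE and TRUNCATE regardless of privilege,
-- so a role that is later over-granted still cannot rewrite history.
create or replace function audit_events_append_only() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_events is append-only: % is not permitted', tg_op;
end
$$;

create trigger audit_events_no_update_delete
  before update or delete on audit_events
  for each row execute function audit_events_append_only();

create trigger audit_events_no_truncate
  before truncate on audit_events
  for each statement execute function audit_events_append_only();

-- A domain table whose mutations are recorded. Every write produces an audit
-- event carrying the before and after images, written in the same transaction,
-- so a mutation cannot commit without its audit record.
create table if not exists engagements (
  id        bigint generated always as identity primary key,
  tenant_id uuid not null,
  name      text not null,
  status    text not null default 'open'
);

create or replace function engagements_audit() returns trigger
language plpgsql as $$
begin
  insert into audit_events (tenant_id, actor, action, entity, entity_id, details)
  values (coalesce(new.tenant_id, old.tenant_id),
          current_user,
          tg_op,
          tg_table_name,
          coalesce(new.id, old.id)::text,
          jsonb_build_object('old', to_jsonb(old), 'new', to_jsonb(new)));
  return coalesce(new, old);
end
$$;

create trigger engagements_audit_trg
  after insert or update or delete on engagements
  for each row execute function engagements_audit();

-- Walkthrough with a constructed tenant id: a create and a status change each
-- leave one event; the attempt to erase an event is refused by the trigger.
insert into engagements (tenant_id, name)
values ('11111111-1111-1111-1111-111111111111', 'Pilot engagement');
update engagements set status = 'archived' where name = 'Pilot engagement';
select action, entity, entity_id, details -> 'old' ->> 'status' as old_status,
       details -> 'new' ->> 'status' as new_status
from audit_events order by id;

delete from audit_events;   -- raises: audit_events is append-only
```

The privilege grant and the trigger overlap on purpose: the grant is what an auditor reads, the trigger is what survives a mistaken GRANT later on. The pattern covers domain mutations only; recording every read, which the page lists as roadmap work, needs the access path to write its own events, since Postgres has no SELECT trigger.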
Compliance posture
What we do and do not have today.
This is the honest posture of a pre-seed company working with boutique firms: we say where we are, not where we hope to be.
SOC 2 Type I / Type II
Planned, not in place today.
SynthGL does not currently hold SOC 2 Type I or Type II. A readiness assessment is on the roadmap and will begin after the first cohort of design partners, ahead of mid-market expansion. We are not publishing a target date because procurement cycles at boutique advisory firms do not require SOC 2 at this stage, and we do not want to commit to a date we cannot credibly meet.
If your firm requires SOC 2 Type II as a gating procurement control today, SynthGL is not the right fit yet. In the interim, every control a SOC 2 auditor would check - access control, change management, backup, monitoring, incident response - is documented and available for review under NDA.
Data Processing Agreement
Available on request.
A standard SaaS DPA can be attached to the Design Partner or Founding Customer agreement. If your counsel prefers to work from your own template, we negotiate from that baseline.
Subprocessors
Five vendors, full table at /trust.
Supabase (database and object storage), Vercel (UI hosting), Fly.io (API hosting), Anthropic (LLM inference, zero retention configured), WorkOS (authentication). We notify customers 30 days before adding or replacing any subprocessor that touches customer data. The canonical table lives on the Trust page.
Business continuity
Export on demand; 90-day continuity clause.
Customer data is exportable at any time in structured form (normalized entities, original documents, audit log). Pilot and Founding Customer agreements include a 90-day continuity clause covering export and assisted migration on termination.
What to do next
Send security and procurement questions to trust@synthgl.com.
A DPA and an architecture diagram are available under NDA before any pilot starts. The Trust & Data Governance page covers the full procurement Q&A; this page is the two-minute version.