Security Statement

Production systems require strong unique passwords and multi-factor authentication. Access is granted on a least-privilege, need-to-know basis and reviewed regularly. Customer authentication uses bcrypt-hashed credentials, signed session tokens, and supports SSO and OAuth.

Data is encrypted in transit using TLS 1.2+ and at rest using AES-256 on managed infrastructure provided by our hosting vendors.

Our applications run on enterprise-grade cloud infrastructure inside US data centers. Vendors are reviewed for their published security posture before being added as subprocessors.

We log authentication, administrative and security-relevant events. Logs are retained for incident investigation and reviewed periodically.

Customer databases are backed up on a regular schedule with point-in-time recovery enabled on supported plans.

If a security incident affects your data we will notify you in accordance with applicable US state breach notification laws and our contractual obligations.

Found a vulnerability? Email security@synthestudio.com. Please give us a reasonable time to remediate before public disclosure. We will not pursue legal action against good-faith researchers who comply with this policy.