Your Security is Our Priority
Discover how Salesynq keeps your data safe, your account secure, and your business compliant.
Security Highlights
Key features and practices that keep your workspace protected at all times.
- TLS 1.2+ in transit (HSTS preload, 2-year max-age); AES-256-GCM with HMAC-SHA256 for sensitive fields at rest
- Tenant isolation enforced at every repository call by an aspect that rejects cross-tenant queries
- Append-only audit log with periodic chain sealing; 365-day default retention
- CodeQL SAST + OWASP Dependency-Check (CVSS ≥ 7 fails the build) + Gitleaks pre-commit on every change
Compliance Posture
What we are aligned with today, and what we are formally pursuing.
Aligned today: EU GDPR (Reg. (EU) 2016/679), CCPA / CPRA, EU AI Act — Article 50 transparency. See our AI Disclosure, the AI Act limited-risk transparency record and Privacy Policy.
In progress: SOC 2 Type 1 readiness program; Zero-Data-Retention endpoints with our LLM sub-processors.
Planned: Annual third-party penetration test (vendor selection in progress; engagement target before first paying Customer; executive summary available under NDA once delivered).
Not certified: SOC 2, ISO/IEC 27001, HIPAA. We do not claim certifications we have not earned.
Common Security Questions
Quick answers to the most frequent security and compliance questions from our customers.
| Domain | Control Topic | Status |
|---|---|---|
| Access Control | OAuth 2.0 / OIDC SSO with Google and Microsoft; password login disabled by default | Yes |
| Access Control | OIDC SSO carries the Customer’s MFA; native TOTP MFA self-service enrolment in /dashboard/settings/security; configurable hard-enforcement for password sign-in | Yes |
| Access Control | Fine-grained authorization via OpenFGA; tenant-scoped checks at every repository call | Yes |
| Access Control | Idle session timeout (30 min default); JWT-based session tokens | Yes |
| Web Security | TLS 1.2+ with HSTS preload; CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy | Yes |
| Web Security | Redis-backed sliding-window rate limiting (10 req/60s on auth endpoints) | Yes |
| Data Protection | Field-level AES-256-GCM with HMAC-SHA256 (RFC 5116); versioned encryption keys | Yes |
| Data Protection | Backups encrypted (Restic), with weekly automated restore drill | Yes |
| Data Protection | Storage-layer encryption-at-rest (always on); optional OS-level LUKS for sovereign deployments | Yes |
| AI Data Handling | Customer Data is never used to train any AI model | Yes |
| AI Data Handling | PII redaction applied before LLM calls; LLM response cache TTL ≤ 1 hour | Yes |
| AI Data Handling | Opaque per-tenant identifier on the OpenAI `user` field on every call; protocol fails closed in production if tenant context is missing | Yes |
| AI Data Handling | Provider-side "do not use my data for training" toggle applied at production-org level; OpenAI ZDR applied for | Yes |
| Audit & Logging | Append-only audit log with periodic chain sealing; 365-day retention | Yes |
| Audit & Logging | Sensitive request body fields masked in HTTP logs; Sentry PII filtering enabled | Yes |
| Secure Design | CodeQL static analysis on every pull request | Yes |
| Secure Design | OWASP Dependency-Check (fails build at CVSS ≥ 7); Gitleaks secret scanning pre-commit | Yes |
| Privacy | GDPR Article 15–22 data subject request flow with automated retention sweep | Yes |
| Privacy | 72-hour breach notification SLA (GDPR Article 33) | Yes |
| Compliance | EU AI Act — Art. 50 transparency disclosure published | Yes |
| Compliance | EU AI Act limited-risk transparency record; voluntary Annex IV-structured documentation | Yes |
| Compliance | SIG-Lite and CAIQ-Lite questionnaires pre-filled and available under NDA | Yes |
| Compliance | SOC 2 Type 1 attestation | In progress |
| Compliance | Annual third-party penetration test | Planned |
| Compliance | Detailed evidence packets (architecture, control map, sub-processor list, DPA) | By Agreement |
Pre-filled SIG-Lite and CAIQ-Lite questionnaires are available under NDA from security@salesynq.com. Architecture diagrams, the penetration-test executive summary (once delivered), and SOC 2 attestation (once obtained) are released through the same channel.
Need a Security Review Packet?
We support customer security reviews, architecture walkthroughs, and evidence discussions.
