Synaura Trust Center

Everything you need to evaluate Synaura’s security and compliance posture.

SOC 2 Type I — In Progress · GDPR Compliant · EU AI Act Ready · CAMP Protocol — Apache 2.0

Security

Encryption at rest: AES-GCM with per-organization keys, hardware-backed key storage
Encryption in transit: TLS 1.3 enforced on all connections, HSTS preloaded
Key management: Per-org ML-DSA-65 signing keys, isolated key infrastructure — private keys never stored in D1
Authentication: OAuth 2.0, session-based with CSRF protection, read-only scopes by default
Authorization: RBAC with three tiers (admin · editor · viewer)
Agent signing: Every agent action signed with ML-DSA-65 (NIST FIPS 204) — tamper-evident audit trail independently verifiable offline
Infrastructure: Cloudflare Workers (edge compute) · D1 (database) · R2 (object storage) · KV (cache) — 300+ global PoPs

Compliance

Certification

SOC 2 Type I

Independent audit of security controls covering availability, confidentiality, and processing integrity.

In Progress — Target Q4 2026

Certification

SOC 2 Type II

Continuous evidence collection over the operating period, providing stronger assurance for enterprise customers.

Planned — Target Q2 2027

Standard

ISO 42001

AI management system standard for responsible development, deployment, and monitoring of AI systems.

Planned

Regulation

GDPR

Data is processed in the US on Cloudflare edge infrastructure. A Data Processing Addendum is available on request.

Compliant

EU AI Act

Annex III Audit-Ready Evidence Bundles

Synaura generates audit-ready evidence bundles for Annex III high-risk AI system requirements — including signed provenance receipts, CAMP consistency logs, and authorization trails. Every action produces an independently verifiable record requiring no callback to Synaura infrastructure.

Data Practices

Data residency: United States — Cloudflare edge network
Data retention: Configurable per organization — default 365 days
Data deletion: One-click deletion via dashboard or API. A signed deletion receipt is issued and can be verified independently.
Model training: Never. Customer data is never used to train or improve AI models — by Synaura or any sub-processor.
Sub-processors:
Cloudflare — infrastructure & edge compute
Resend — transactional email
Stripe — billing & payment processing

Vulnerability Disclosure

Responsible Disclosure Policy

Report vulnerabilities to security@synaura.ai. We read and respond to every report. We will never take legal action against researchers who follow this policy and act in good faith.

Public disclosure is coordinated on a 90-day timeline from initial report, allowing time for patch development and rollout before details are made public.

Initial response: 48h
Critical patch SLA: 24h
Coordinated disclosure: 90d

Documents