Scope
This Security page summarizes SynchrotronAI practices for website operations, professional services, managed services, SaaS products, pilots, cloud infrastructure, integrations, software development, support, and customer environments. Specific commitments may vary by signed agreement, order, architecture, customer cloud environment, product maturity, and support scope.
Security is a shared responsibility. SynchrotronAI is responsible for controls it operates. Customers remain responsible for customer-managed systems, identity providers, devices, administrators, source data, permissions, business processes, and third-party tools they select or control.
Governance and accountability
SynchrotronAI designs security around business workflow risk, cloud architecture, identity, data handling, vendor selection, secure engineering, monitoring, and incident response. Security expectations are considered during project scoping, architecture planning, implementation, deployment, support, and managed services operations.
Security reviews may include data classification, access requirements, cloud environment selection, provider terms, logging needs, backup requirements, integration risk, change management, and support ownership.
Data classification and minimization
SynchrotronAI expects customers to classify data before production use and to avoid sending data that is unnecessary for the workflow. Sensitive, regulated, confidential, or high-risk data should be identified during scoping so access, retention, logging, subprocessors, encryption, and review controls can be selected intentionally.
Cloud infrastructure
SynchrotronAI may use Amazon Web Services, Microsoft Azure, Google Cloud, Cloudflare, and customer-selected cloud environments depending on the product or engagement. Cloud controls may include managed identity, network segmentation, encryption features, storage policies, logging, monitoring, backup services, vulnerability management, and provider-native security controls.
Customer-specific data residency, regional deployment, isolation, tenancy, or cloud-provider requirements should be documented in the applicable order or architecture.
Identity and access
SynchrotronAI applies least-privilege access practices where practical. Access should be limited to personnel, systems, and providers that need access for the engagement. Administrative access should be protected by strong authentication, role-based permissions, access review, secure credential handling, and prompt removal when no longer needed.
Customers are responsible for managing customer-side user accounts, administrators, identity provider configuration, multi-factor authentication, device security, and access requests unless SynchrotronAI is expressly responsible under a managed services scope.
Secrets and credentials
Secrets, API keys, access tokens, certificates, passwords, and production credentials should be stored in approved secret-management systems and rotated when risk changes. Customers should not send secrets through public forms, chat messages, documents, screenshots, tickets, or logs unless a secure exchange method has been approved.
Encryption and data protection
SynchrotronAI uses encryption in transit where appropriate and provider-supported encryption at rest for hosted systems, storage, databases, backups, and logs when available and in scope. Additional controls such as customer-managed keys, regional storage, data masking, redaction, or field-level encryption may require a written scope and architecture.
Sensitive or regulated data should not be submitted through public forms. It should be handled only under an approved engagement with appropriate safeguards.
Secure software development
SynchrotronAI engineering practices may include code review, dependency management, type checking, automated tests, linting, visual regression checks, deployment review, environment separation, secrets handling, and change tracking. The exact controls depend on the repository, product, project, and customer requirements.
Security-sensitive changes should be reviewed for authentication, authorization, input validation, data exposure, error handling, logging, dependency risk, and operational impact.
Environment separation
Where practical, SynchrotronAI separates development, staging, and production environments and uses environment-specific configuration, credentials, and deployment controls. The exact model depends on the product, project, cloud provider, customer environment, and written scope.
Logging and monitoring
SynchrotronAI may collect logs, metrics, traces, deployment metadata, security events, and operational telemetry to maintain reliability, detect abuse, investigate incidents, troubleshoot issues, and support customers. Logs should be protected based on sensitivity and retained according to operational, legal, and contractual needs.
Customers should avoid placing secrets, credentials, unnecessary personal data, or sensitive records in logs, prompts, tickets, forms, filenames, or support messages.
Vulnerability and dependency management
SynchrotronAI monitors and addresses vulnerabilities based on severity, exploitability, exposure, affected systems, customer impact, and operational risk. Remediation may include dependency updates, configuration changes, compensating controls, provider updates, infrastructure changes, or customer instructions.
Customers should promptly apply required patches, configuration changes, permission updates, credential rotations, and mitigation steps for customer-controlled environments.
Incident response
SynchrotronAI will investigate suspected security incidents involving systems it operates. Response may include containment, access restriction, log review, provider coordination, customer notification, remediation, monitoring, and post-incident improvements. Notice obligations for customer data incidents are handled according to the applicable agreement and law.
Customers should promptly report suspected unauthorized access, credential compromise, unusual system behavior, data exposure, or security concerns.
Vulnerability reporting
Security researchers and customers should report suspected vulnerabilities to [email protected] with enough detail to reproduce and assess the issue. Do not access, alter, destroy, exfiltrate, or disclose data that is not yours. Do not perform denial-of-service testing, social engineering, physical attacks, spam, or testing against third-party systems without written authorization.
Backup and recovery
Backup and recovery practices depend on the product, cloud provider, database, file storage, deployment model, and written scope. Recovery point objectives, recovery time objectives, retention, restore testing, disaster recovery, and high-availability requirements should be documented in the applicable agreement when they are business-critical.
Vendor security
SynchrotronAI uses subprocessors and operating providers for security, hosting, payments, CRM, development, deployment, and cloud operations. Vendor selection considers provider purpose, risk, security posture, reliability, data categories, and customer requirements. The core list is available at Subprocessors.
Customer responsibilities
Customers are responsible for lawful data collection, data minimization, user training, administrator access, identity provider configuration, endpoint security, customer system configuration, approvals for third-party integrations, retention decisions, business process controls, and human review of AI-assisted outputs.
Customers should notify SynchrotronAI before submitting sensitive, regulated, high-risk, production, or mission-critical data so the right controls can be scoped.
Limitations
This page is a public security summary and not a certification, audit report, warranty, or complete description of every control. Security commitments for a particular product, service, or managed environment must be documented in the applicable agreement.
Contact
Security questions may be submitted through the workflow review intake or by email at [email protected].