Security Policy

Last Updated: January 2025
Preface

Security is foundational to Synetecs, Inc. ("Synetecs," "the Company," "we," "us," or "our"). We design and operate our systems with security as a core requirement, not an afterthought.

This Security Policy outlines our technical, organizational, and administrative safeguards, compliance posture, and incident response practices for protecting customer data, systems, and services.

1. Security Certifications and Compliance

Synetecs aligns its security program with recognized industry standards and regulatory frameworks.

  • SOC 2 Type II: Annual independent audits validate the effectiveness of our security controls
  • HIPAA: Business Associate Agreements (BAAs) available for eligible healthcare customers
  • GDPR: Data Processing Agreements (DPAs) and Standard Contractual Clauses supported
  • ISO/IEC 27001: Information Security Management System implementation in progress

2. Data Security

2.1 Encryption

  • At Rest: AES-256 encryption for all stored customer and system data
  • In Transit: TLS 1.3 encryption for all network communications
  • Key Management: Cryptographic keys managed using Hardware Security Modules (HSMs)

2.2 Access Controls

Access to systems and data is governed by strict identity and access management controls.

  • Role-Based Access Control (RBAC) enforcing the principle of least privilege
  • Multi-Factor Authentication (MFA) required for all internal and customer accounts
  • API key management including rotation, rate limiting, and IP allowlisting
  • Comprehensive audit logging of all access and administrative actions

2.3 Network Security

  • Network firewalls with segmentation and traffic filtering
  • DDoS protection via Cloudflare and AWS Shield
  • Intrusion detection and prevention with real-time monitoring and alerting
  • Secure VPN access for authorized employee remote access

3. Application Security

Security is integrated throughout the software development lifecycle.

  • Secure development practices aligned with OWASP Top 10 recommendations
  • Mandatory code reviews and static application security testing (SAST)
  • Automated dependency scanning and vulnerability patching
  • Annual third-party penetration testing
  • Responsible disclosure and bug bounty program for security researchers

4. Infrastructure Security

  • Cloud infrastructure hosted on AWS and Google Cloud, both SOC 2 compliant
  • Containerized workloads secured using Kubernetes network policies and pod security standards
  • Secrets and credentials managed through HashiCorp Vault
  • Automated daily backups with a minimum 30-day retention period

5. Employee Security

Employees are a critical part of our security posture.

  • Background verification conducted for all employees
  • Mandatory annual security awareness and phishing training
  • Encrypted laptops and managed devices using Mobile Device Management (MDM)
  • Immediate access revocation and credential rotation upon employee offboarding

6. Incident Response

Synetecs maintains a formal incident response program to detect, respond to, and recover from security incidents.

  • Detection: 24/7 monitoring, alerting, and anomaly detection
  • Containment: Isolation of affected systems within one (1) hour of confirmation
  • Investigation: Root cause analysis and forensic investigation
  • Remediation: Vulnerability patching and service restoration
  • Notification: Customer notification within 72 hours where required by law
  • Post-Incident Review: Documentation of lessons learned and process updates

7. Vulnerability Disclosure

Synetecs encourages responsible disclosure of security vulnerabilities.

Security issues may be reported to security@synetecs.io. We commit to acknowledging reports within 24 hours and providing status updates at least every five (5) business days until resolution.

8. On-Premises and Air-Gapped Deployments

For enterprise customers requiring on-premises or air-gapped deployments, Synetecs provides hardened deployment artifacts, security configuration guides, and ongoing security updates.

Customers should contact the Synetecs enterprise team for deployment requirements and support options.

9. Contact Information
Synetecs, Inc.
2261 Market Street STE 24951,
San Francisco, CA 94114, United States

Tel: +1 (628) 600-1432
Email: security@synetecs.io