
Enterprise-Grade Security & Compliance

SyncRivo is SOC 2 Type II certified and HIPAA-ready. Messages route in real time and are never stored on SyncRivo infrastructure. Every integration uses OAuth 2.0 with per-tenant isolation.

Certifications & Compliance

Independent third-party audits and compliance frameworks that verify our security controls.

SOC 2 Type II

Certified

Audit period: Jan 1 – Dec 31, 2025

AICPA Trust Service Criteria: Security, Availability, Confidentiality

Full report available to customers and prospects under NDA.


HIPAA Ready

BAA Available

Business Associate Agreement on Enterprise plans

Zero message storage, encrypted transit, encrypted configuration at rest, audit logging, and per-tenant isolation satisfy the HIPAA Security Rule technical safeguards (45 CFR §164.312).

Contact sales to sign a BAA before processing PHI.


GDPR

Compliant

Data Processing Agreement available

SyncRivo acts as a data processor under GDPR. Stored configuration and audit metadata can be kept in EU regions on request (no message content is stored anywhere). Full DPA available.

EU customers can request a signed DPA.


ISO 27001

Aligned

Controls mapped to ISO/IEC 27001:2022

SyncRivo's ISMS is aligned to ISO 27001 controls covering asset management, access control, cryptography, and incident response.

Formal certification in progress.


Security Controls

The technical and organizational controls SyncRivo uses to protect your data and integrations.

Encryption everywhere

  • TLS 1.2 or higher for all data in transit (TLS 1.3 on the webhook ingestion endpoint)
  • AES-256 encryption at rest for everything SyncRivo does store: routing configuration, OAuth tokens, and audit log metadata
  • Message content never persisted on SyncRivo infrastructure (zero message storage)

Authentication & authorization

  • OAuth 2.0 per integration — scoped, revocable tokens only
  • JWT lifecycle management with short expiry and rotation
  • RBAC — role-based access control for every organization
  • MFA enforced on all SyncRivo employee accounts

Isolation & multi-tenancy

  • Per-tenant data isolation — no cross-organization data access
  • Separate encryption keys per tenant
  • Immutable audit logs for all administrative and routing events

Infrastructure

  • Hosted on Google Cloud Run (GCP) — SOC 2 Type II certified infrastructure
  • MongoDB Atlas with encryption at rest and in transit
  • Automated vulnerability scanning on every deployment
  • Dependency pinning and SCA (Software Composition Analysis) in CI

Monitoring & incident response

  • 24/7 infrastructure monitoring with automated alerting
  • Structured audit logging for all API access and authentication events
  • Documented incident response playbook (reviewed annually)
  • RTO < 4 hours for critical incidents

Vulnerability management

  • Responsible disclosure program — security@syncrivo.ai
  • CVE triage within 24 hours, critical patches within 48 hours
  • Annual third-party penetration testing
  • Coordinated disclosure with 90-day embargo for researchers

Zero Message Storage Architecture

SyncRivo is a message router, not a message store. When a message arrives via webhook, SyncRivo transforms it and delivers it to the target platform in real time — the message content is never written to disk on SyncRivo infrastructure.

This architecture simplifies data residency and GDPR compliance (there is no message content to delete on request) and means that a compromise of SyncRivo's stored data cannot expose historical message content. The sensitive asset that is stored is the set of OAuth tokens, which is why they are encrypted at rest, scoped to the minimum permissions an integration needs, and revocable by the customer at any time.

What SyncRivo does store: channel mapping configurations, OAuth tokens (encrypted), routing rules, and audit log metadata (no message content). All stored data is encrypted at rest with AES-256.

How Your Messages Flow Through SyncRivo

Every message follows the same in-memory routing path. No content is persisted at any step.

1

Message arrives via webhook

The source platform (e.g., Slack) sends a signed webhook event to SyncRivo's ingestion endpoint over TLS 1.3. SyncRivo verifies the platform signature before processing — unsigned or malformed events are rejected immediately.

2

Identity resolved, no content stored

SyncRivo looks up the routing rule for the source channel and resolves the destination. The message payload is held in memory only — it is never written to disk or logged. Routing metadata (channel IDs, timestamps) is logged without message content.

3

Message transformed in-memory

SyncRivo translates platform-specific formatting — @mentions, thread context, file references — into the target platform's schema. This transformation occurs entirely in memory within the request lifecycle.

4

Delivery to target platform

The transformed message is delivered to the destination platform (e.g., Microsoft Teams) via the platform's official API over TLS. SyncRivo uses short-lived, scoped OAuth 2.0 tokens stored in an encrypted credential vault — not hardcoded secrets.

5

Audit event recorded (no content)

A delivery confirmation event is written to the immutable audit log: timestamp, source channel hash, destination channel hash, delivery status, and latency. Message content is never included in audit records.
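The five steps above, as an added example that is not SyncRivo's code: an in-memory router that verifies the webhook signature, resolves the route, transforms a mention, hands the message to a delivery callable, and writes a content-free audit record. It assumes Slack's documented v0 signing scheme (X-Slack-Signature carrying "v0=" plus HMAC-SHA256 over "v0:<timestamp>:<raw body>", with X-Slack-Request-Timestamp); the signing secret, the route table, the user-name map and the `deliver` callable standing in for the Teams API are constructed for the example.

```python
"""In-memory webhook router modelled on the five-step flow. Added example, not
SyncRivo's code. Signature check follows Slack's documented v0 scheme; the secret,
route table, user map and delivery callable are constructed stand-ins."""
import hashlib
import hmac
import json
import re
import time

SIGNING_SECRET = b"constructed-signing-secret"   # would come from the credential vault
REPLAY_WINDOW_SECONDS = 300                       # reject events more than 5 minutes old

# Constructed route table: Slack source channel -> Teams destination channel.
ROUTES = {"C0SOURCE01": {"platform": "teams", "channel": "19:teamchannel@thread.tacv2"}}
USER_NAMES = {"U0ALICE": "Alice"}                 # constructed map for mention translation
MENTION = re.compile(r"<@([A-Z0-9]+)>")


def verify_slack_signature(secret, timestamp, body, signature, now):
    """Step 1: reject unsigned, stale (replayed) or tampered events.

    Slack signs HMAC-SHA256(secret, "v0:<timestamp>:<raw body>") and sends it as
    X-Slack-Signature ("v0=<hex>") next to X-Slack-Request-Timestamp.
    """
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return False                                  # missing or malformed timestamp
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False                                  # outside the replay window
    base = b"v0:" + str(ts).encode() + b":" + body
    expected = "v0=" + hmac.new(secret, base, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), (signature or "").encode())


def channel_hash(channel_id):
    """Audit records carry a hash of the channel id, not the id itself."""
    return hashlib.sha256(channel_id.encode()).hexdigest()[:16]


def transform(text):
    """Step 3: translate Slack <@U...> mentions into @Name mentions, in memory."""
    return MENTION.sub(lambda m: "@" + USER_NAMES.get(m.group(1), "unknown"), text)


def route_event(headers, body, deliver, audit_log, now):
    """Steps 1-5. Returns the delivery status; appends one content-free audit record."""
    ts = int(now)
    if not verify_slack_signature(SIGNING_SECRET, headers.get("X-Slack-Request-Timestamp"),
                                  body, headers.get("X-Slack-Signature"), now):
        # Unverified payloads are neither parsed nor logged.
        audit_log.append({"ts": ts, "status": "rejected", "src": None, "dst": None})
        return "rejected"
    event = json.loads(body)["event"]                 # step 2: payload stays in memory only
    route = ROUTES.get(event["channel"])
    if route is None:
        audit_log.append({"ts": ts, "status": "no_route",
                          "src": channel_hash(event["channel"]), "dst": None})
        return "no_route"
    message = transform(event["text"])                # step 3
    start = time.monotonic()
    status = "delivered" if deliver(route, message) else "failed"   # step 4
    audit_log.append({                                # step 5: hashes, status, latency, no content
        "ts": ts, "status": status,
        "src": channel_hash(event["channel"]), "dst": channel_hash(route["channel"]),
        "latency_ms": round((time.monotonic() - start) * 1000, 3),
    })
    return status


def sign_as_platform(body, ts):
    """What the source platform does: compute the v0 signature over a body."""
    base = b"v0:" + str(ts).encode() + b":" + body
    return "v0=" + hmac.new(SIGNING_SECRET, base, hashlib.sha256).hexdigest()


def audit_leaks(audit_log, markers):
    """True if any marker (message text, raw channel id) appears in the serialized audit log."""
    blob = json.dumps(audit_log)
    return any(m in blob for m in markers)


def demo(now=1_700_000_000):
    """Run one genuine, one tampered, one replayed and one unsigned event through the router."""
    delivered, audit = [], []

    def deliver(route, message):                      # stand-in for the Teams API call
        delivered.append((route["channel"], message))
        return True

    body = json.dumps({"event": {"channel": "C0SOURCE01", "text": "hi <@U0ALICE>"}}).encode()
    good = {"X-Slack-Request-Timestamp": str(now), "X-Slack-Signature": sign_as_platform(body, now)}
    results = {
        "genuine": route_event(good, body, deliver, audit, now),
        "tampered": route_event(good, body + b" ", deliver, audit, now),      # body altered
        "replayed": route_event(good, body, deliver, audit, now + 600),       # 10 minutes later
        "unsigned": route_event({}, body, deliver, audit, now),
    }
    leaked = audit_leaks(audit, ["Alice", "hi ", "C0SOURCE01", "19:teamchannel"])
    return results, delivered, audit, leaked


if __name__ == "__main__":
    print(demo())
```

Two details matter in practice: the signature is checked over the raw request body before any JSON parsing, so a malformed or unsigned event never reaches the parser, and the timestamp window is what turns a signature check into replay protection. The audit record is built only from hashes, status and timing, which is the property `audit_leaks` checks.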

Shared Responsibility Model

Security is a partnership. Here's how responsibilities are divided between SyncRivo and the customer.

SyncRivo is responsible for

  • SOC 2 Type II certification and annual third-party audits
  • Physical and logical security of cloud infrastructure (GCP)
  • Encryption of OAuth tokens and routing configuration at rest
  • Availability and uptime per SLA (99.9–99.99%)
  • Patching and vulnerability management of the SyncRivo platform
  • Incident detection, response, and notification to affected customers

Customer is responsible for

  • OAuth scope selection and token revocation when users leave
  • Access control to the SyncRivo dashboard (who can create/delete connections)
  • Compliance obligations specific to your industry (e.g., HIPAA BAA must be signed)
  • Content appropriateness in channels being bridged
  • Review of sub-processor list and DPA terms before onboarding
  • Incident reporting obligations under your applicable regulations

Responsible Disclosure

If you discover a security vulnerability in SyncRivo, please email security@syncrivo.ai. We triage all reports within 24 hours and coordinate disclosure with a 90-day embargo window. We do not take legal action against good-faith security researchers.

Read Vulnerability Disclosure Policy

Security FAQs

Common questions from enterprise security and procurement teams.

Does SyncRivo store message content?

No. SyncRivo is a real-time message router. Message content is processed in memory and delivered to the target platform without being persisted to disk. The only data SyncRivo stores are routing configurations, encrypted OAuth tokens, and audit log metadata (which contains no message content).

Where is SyncRivo hosted?

SyncRivo runs on Google Cloud Platform (GCP), specifically Cloud Run for compute and MongoDB Atlas for configuration storage. Both GCP and MongoDB Atlas are SOC 2 Type II certified. EU customers can request EU-region data residency for configuration storage.

How are OAuth tokens stored and scoped?

Each integration uses a separate OAuth 2.0 token scoped to the minimum permissions required. Tokens are stored in an encrypted credential vault (AES-256 at rest, TLS in transit) and are never logged or included in audit events. Customers can revoke tokens at any time from the SyncRivo dashboard or directly from the source platform.

Can SyncRivo be used in HIPAA-regulated workflows?

Yes, on Enterprise plans that include a signed Business Associate Agreement (BAA). The zero-message-storage architecture, encryption controls, access logging, and per-tenant isolation satisfy HIPAA Technical Safeguards. Contact sales to sign a BAA before processing PHI.

Does SyncRivo undergo penetration testing?

SyncRivo conducts an independent third-party penetration test annually. The scope covers the SyncRivo API, authentication flows, multi-tenancy boundaries, and credential storage. A summary of findings and remediation status is available to enterprise customers under NDA.

What happens in a security incident?

SyncRivo maintains a documented incident response playbook reviewed annually. In the event of a confirmed security incident affecting customer data, SyncRivo, as processor, notifies affected customers without undue delay and in any case within 72 hours of confirmation, so that customers acting as controllers can meet their own 72-hour deadline for notifying supervisory authorities under GDPR Article 33. Enterprise customers receive dedicated incident communication via their account team.

Security review for your procurement team?

We provide the SOC 2 Type II report, penetration test summary, completed security questionnaires (VSA, SIG, CAIQ), and custom data-flow diagrams under NDA.


Last updated: March 26, 2026 · SOC 2 audit period: Jan 1 – Dec 31, 2025