Skip to main content
Trust Center

Everything your security team needs — in one place.

SOC 2 Type II report, HIPAA BAA, GDPR DPA, sub-processors, pen-test summary, architecture diagram, and pre-filled security questionnaires. No procurement back-and-forth.

Typical turnaround under one business day. Mutual NDA where applicable.

SOC 2 Type II
Audit period Jan 1 – Dec 31, 2025
HIPAA — BAA Available
Signed under Enterprise plans
GDPR — DPA Ready
EU-region routing on request
Zero Data-at-Rest
Messages never persisted

The SyncRivo Trust Pack

Six artifacts that compress an enterprise security review from weeks to days. Request individually, or get the full pack.

SOC 2 Type II Report

Full report covering Security, Availability, and Confidentiality. Available under mutual NDA — typical turnaround under one business day.

Request SOC 2 Report

HIPAA Business Associate Agreement

Pre-reviewed BAA template for healthcare and life-sciences buyers. Signed before any Protected Health Information is processed.

Start BAA Process

GDPR Data Processing Agreement

GDPR Article 28 DPA available to all customers. EU customers can elect EU-region routing for in-region transit.

Request DPA

Security Questionnaire Pre-Fill

Pre-completed CAIQ Lite and SIG Lite responses. Saves your security team 8–12 hours of vendor due-diligence work.

Request Questionnaire Pack

Penetration Test Summary

Annual third-party penetration test. Redacted summary of scope, methodology, findings, and remediation status.

Request Pen-Test Summary

Architecture & Data-Flow Diagram

How a message enters, transforms, and exits SyncRivo without being persisted. The diagram auditors actually want.

View Architecture

How a message moves through SyncRivo

The architecture that makes "zero data-at-rest" verifiable, not aspirational.

1. Webhook in (signed, TLS 1.3)

   Source platform sends a signed event. Unsigned or malformed events are rejected before any processing.

2. In-memory routing

   Routing rule resolved. The message payload exists only in process memory — never written to disk, never logged.

3. In-memory transform

   Mentions, threads, attachments, reactions translated to the target platform schema inside the same request.

4. Delivery via official API

   Sent over TLS using short-lived, scoped OAuth 2.0 tokens stored in an encrypted credential vault.

5. Audit event, no content

   Immutable audit log records timestamp, hashed channel IDs, status, and latency — never message content.
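The five steps above, worked through as an added example that is not SyncRivo's code. It assumes a Slack-style signing scheme (HMAC-SHA256 over "v0:<timestamp>:<raw body>", carried in X-Signature and X-Signature-Timestamp headers), a constructed routing table, and constructed audit-record fields; none of those names come from the page. The point it makes beyond the text: verification fails closed before the body is parsed, the signature check is constant-time and replay-bounded, and the only thing that survives the request is a record containing keyed hashes of the channel IDs and no text.

```python
"""Illustrative verify -> route -> transform -> deliver -> audit pipeline (added example, not SyncRivo code)."""
import hashlib
import hmac
import json
import time

# Assumed secrets, constructed for the example; in practice both live in the credential vault.
SIGNING_SECRET = b"constructed-demo-signing-secret"
# A separate key for audit hashing so a hashed channel ID cannot be matched against a channel list
# by anyone who only holds the signing secret.
AUDIT_PEPPER = b"constructed-demo-audit-pepper"
REPLAY_WINDOW_S = 300

# Constructed routing rule: source channel -> (target platform, target channel).
ROUTES = {"C_SRC_ENG": ("teams", "19:eng-general@thread.tacv2")}


class RejectedEvent(Exception):
    """Raised before the payload is parsed or routed when verification fails."""


def sign(body: bytes, ts: int, secret: bytes = SIGNING_SECRET) -> str:
    """Assumed signature scheme: HMAC-SHA256 over version:timestamp:body, hex-encoded."""
    base = b"v0:" + str(ts).encode() + b":" + body
    return "v0=" + hmac.new(secret, base, hashlib.sha256).hexdigest()


def make_request(event: dict, ts: int) -> tuple[bytes, dict]:
    """Build what a well-behaved source platform would send (used for the demo input)."""
    body = json.dumps(event).encode()
    return body, {"X-Signature-Timestamp": str(ts), "X-Signature": sign(body, ts)}


def verify(body: bytes, headers: dict, now: int) -> dict:
    """Step 1: reject unsigned, replayed, tampered or malformed events, in that order."""
    ts_raw = headers.get("X-Signature-Timestamp")
    sig = headers.get("X-Signature")
    if ts_raw is None or sig is None:
        raise RejectedEvent("unsigned")
    if not ts_raw.isdigit():
        raise RejectedEvent("malformed timestamp")
    ts = int(ts_raw)
    if abs(now - ts) > REPLAY_WINDOW_S:
        raise RejectedEvent("stale timestamp")
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    if not hmac.compare_digest(sign(body, ts), sig):
        raise RejectedEvent("bad signature")
    try:
        event = json.loads(body)
    except ValueError:
        raise RejectedEvent("malformed body")
    if not isinstance(event, dict) or not all(
        isinstance(event.get(k), str) for k in ("channel", "user", "text")
    ):
        raise RejectedEvent("missing field")
    return event


def hashed_id(value: str) -> str:
    """Step 5 helper: keyed hash lets auditors correlate a channel across events without storing the raw ID."""
    return hmac.new(AUDIT_PEPPER, value.encode(), hashlib.sha256).hexdigest()[:16]


def transform(event: dict, target: str) -> dict:
    """Step 3: translate the source schema to the target's; the result lives only for this request."""
    text = event["text"].replace(f"<@{event['user']}>", f"@{event['user']}")  # mention syntax
    return {"platform": target, "body": text}


def deliver(outbound: dict) -> None:
    """Step 4 stand-in for the official-API call, which would use a scoped OAuth token from the vault."""
    if outbound["platform"] not in ROUTES_TARGETS:
        raise RejectedEvent("unknown target")


ROUTES_TARGETS = {platform for platform, _ in ROUTES.values()}


def handle(body: bytes, headers: dict, now: int) -> dict:
    """Run steps 1-5 for one inbound event; the only thing returned is the content-free audit record."""
    started = time.perf_counter()
    record = {"ts": now, "src": None, "dst": None, "status": "rejected", "reason": None}
    try:
        event = verify(body, headers, now)                              # step 1
        target, dst_channel = ROUTES[event["channel"]]                  # step 2
        record["src"], record["dst"] = hashed_id(event["channel"]), hashed_id(dst_channel)
        deliver(transform(event, target))                               # steps 3 and 4
        record["status"] = "delivered"
    except RejectedEvent as exc:
        record["reason"] = str(exc)
    except KeyError:
        record["reason"] = "no route"
    record["latency_ms"] = round((time.perf_counter() - started) * 1000, 3)
    return record                                                       # step 5: no text, no raw IDs


if __name__ == "__main__":
    now = int(time.time())
    body, headers = make_request({"channel": "C_SRC_ENG", "user": "U1", "text": "hi <@U1>"}, now)
    print(handle(body, headers, now))
    print(handle(body + b" ", headers, now))  # tampered body: rejected before parsing
```

Two design choices worth noting. The audit hash is keyed (HMAC with its own pepper) rather than a bare SHA-256, because channel IDs are short and enumerable, so an unkeyed hash would be reversible by anyone with a list of the customer's channels. And a failed signature check returns a record with no channel hashes at all, because the body was never parsed; that is what "rejected before any processing" should mean in practice.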

Operational Transparency

Status, sub-processors, disclosure, and policy — public, dated, change-logged.

Live Status Page

Real-time uptime, incident history, and post-mortems. Subscribe for incident notifications.

View

Sub-Processors List

Public list of every sub-processor we use, with location, purpose, and last review date.

View

Vulnerability Disclosure

Coordinated disclosure program. Email security@syncrivo.ai. 24-hour triage, 48-hour critical patches.

View

Incident Response Policy

How we detect, triage, and notify. 72-hour notification under GDPR Article 33.

View

Data Retention Policy

What we keep, what we never keep, and for how long. Messages: zero. Audit metadata: 12 months default.

View

Cookie Policy

Cookies we set and why. No third-party advertising trackers on syncrivo.ai.

View

Procurement & Security FAQ

The questions every enterprise security review asks — answered in advance.

How do I get the SOC 2 Type II report?

Request the SOC 2 Type II report via this page or directly from your account team. The report is sent under a mutual NDA, with typical turnaround under one business day for prospects in active evaluation and same-day for existing Enterprise customers. The report covers the AICPA Trust Services Criteria for Security, Availability, and Confidentiality, and is issued by an independent third-party audit firm. The audit period is a rolling 12 months and the report is refreshed annually with no observation gaps. SyncRivo also provides a SOC 2 bridge letter on request to cover the period between the latest report's issuance date and your current vendor-review date; this is the document procurement and security teams typically need to satisfy continuous-monitoring requirements during a renewal cycle. A public summary of the audit scope, the control families assessed, and the auditor's identity is published on the Trust Center for buyers who need that confirmation before signing an NDA.
Does SyncRivo store message content?

No. SyncRivo is a real-time message router, not a message archive. Message content is processed in memory during a single request lifecycle, typically under 100 milliseconds end-to-end, and is never written to disk, never included in application logs, and never persisted to any database. Only three categories of data are stored: routing configuration (which channels are bridged to which), encrypted OAuth tokens (in an AES-256 credential vault), and content-free audit metadata (sender identity, hashed source and destination channel IDs, timestamp, policy outcome). This zero-data-at-rest architecture is the foundation of SyncRivo's HIPAA, GDPR, and SOC 2 posture: there is no message content to subpoena, breach, or accidentally retain longer than your platform's own retention policy permits. Data subject access requests, eDiscovery requests, and litigation holds are therefore handled at the source platform (Slack, Teams, Google Chat, Zoom, or Webex) where the message is actually retained, not at SyncRivo, which simplifies legal and compliance workflows for enterprise customers.
Is a HIPAA Business Associate Agreement available?

Yes. A pre-reviewed Business Associate Agreement (BAA) is available on Enterprise plans for customers handling Protected Health Information (PHI), and the BAA must be executed before any PHI is processed through SyncRivo. Our zero data-at-rest architecture, AES-256 encryption controls, per-tenant isolation with separate encryption keys, and immutable audit logging address the HIPAA Security Rule Technical Safeguards (Access Control, Audit Controls, Integrity, Person or Entity Authentication, and Transmission Security). SyncRivo also commits to the HIPAA Breach Notification Rule timelines. Healthcare customers typically deploy SyncRivo to bridge clinical Slack or Teams channels with administrative platforms while keeping PHI inside their existing EHR/EMR boundary; SyncRivo carries only the messaging payload that the customer's own DLP policies have already cleared for cross-channel routing. The BAA process typically takes 5 to 10 business days for legal review and signature. SyncRivo can also accept customer-paper BAAs with reasonable redlines, though the pre-reviewed standard agreement is faster.
Is a GDPR Data Processing Agreement available?

Yes. SyncRivo acts as a data processor under GDPR Article 28, and a Data Processing Agreement (DPA) incorporating the EU Standard Contractual Clauses (SCCs) is available to all customers, not gated to Enterprise plans. EU customers can elect EU-region routing so message transit stays within EU borders, and the configuration database for EU tenants is hosted in an EU MongoDB Atlas region. Our zero data-at-rest posture minimizes personal-data exposure by design: no message content is stored, so the only SyncRivo-held data that can fall within the scope of a Data Subject Access Request is the content-free audit metadata. Data subject rights (access, rectification, erasure, portability) are exercised through the Data Protection Officer (dpo@syncrivo.ai), who responds within the one-month window set by GDPR Article 12(3), with an extension only where the complexity or number of requests makes it strictly necessary. SyncRivo also complies with the UK GDPR and the Swiss FADP under equivalent terms.
Which sub-processors does SyncRivo use?

SyncRivo runs on Google Cloud Platform (Cloud Run for stateless compute and MongoDB Atlas for configuration storage). Both publish SOC 2 Type II reports, both are HIPAA-eligible under their respective BAAs, and both offer EU data-residency options for GDPR. The full sub-processor list, including purpose, geographic location, data categories accessed, and last review date, is published at https://syncrivo.ai/en/sub-processors and updated whenever a sub-processor is added, changed, or removed. Material sub-processor changes trigger 30-day advance notice to Enterprise customers, who may object before the change takes effect. SyncRivo does not use any sub-processor in a country without a recognized adequacy decision from the European Commission, and the sub-processor footprint is intentionally minimal to reduce the compliance review surface. Each sub-processor is contractually bound to the same data-protection obligations SyncRivo carries to its customers, and SyncRivo retains the right to terminate any sub-processor relationship that fails an internal security or compliance review.
How are OAuth tokens scoped and protected?

Each integration uses an OAuth 2.0 access token scoped to the minimum permissions required for that specific bridge. For example, a Slack-to-Teams bridge requests the Slack scopes channels:history and chat:write but does not request access to direct messages, files outside bridged channels, or workspace-admin scopes. Tokens are stored in an encrypted credential vault (AES-256 at rest, TLS 1.3 in transit), never written to application logs, never echoed in API responses, and never sent to any sub-processor outside the routing path. Tokens can be revoked at any time from the SyncRivo dashboard or directly from the source platform's app management screen, which immediately disables the bridge. Refresh tokens are rotated automatically, and short-lived access tokens follow each platform's native expiry window. Token usage is logged in the SyncRivo audit trail (timestamp, integration, scope used) so customer security teams can verify exactly which scopes are being exercised against the source platform without needing access to the platform's own admin console.
How is tenant isolation enforced?

SyncRivo enforces per-tenant data isolation at every layer, with separate encryption keys derived per tenant from a customer-specific key encryption key (KEK). There is no cross-organization data path in either configuration storage or the message routing pipeline: a SyncRivo customer cannot see, query, or accidentally receive routing data from another customer through any documented or undocumented API surface. Audit logs are partitioned per tenant and cannot be queried across tenants. Tenant isolation boundaries are part of the annual third-party penetration test scope, with explicit test cases for cross-tenant access attempts. Enterprise customers can additionally request a dedicated routing infrastructure tier, which provisions tenant-isolated compute resources beyond the logical isolation that all tenants receive by default. The dedicated tier is typically chosen by customers in highly regulated sectors (healthcare, financial services, government contractors) whose auditors require physical or VPC-level isolation in addition to the logical boundaries that satisfy SOC 2 multi-tenancy controls.
Do you provide pre-filled security questionnaires?

Yes. SyncRivo maintains pre-completed responses to CAIQ Lite (Cloud Security Alliance Consensus Assessments Initiative Questionnaire), SIG Lite (the Standardized Information Gathering questionnaire from Shared Assessments), and a SyncRivo-authored security FAQ covering the roughly 80 questions that appear on most enterprise vendor reviews: data handling, encryption, access controls, business continuity, sub-processor management, and incident response. Request the questionnaire pack via the Trust Center and we will send it within one business day under NDA. For procurement and security teams running custom questionnaires, the SyncRivo security team can typically complete a 200-300 question custom questionnaire within five business days, and shorter questionnaires (under 100 questions) within two business days. The questionnaire pack also includes a one-page architecture diagram, the most recent SOC 2 bridge letter, the current sub-processor list, the data-flow diagram for HIPAA workflows, and links to all public security documentation, which reduces the back-and-forth typical of enterprise vendor reviews.
How often is penetration testing performed?

Annually, by an independent third-party penetration testing firm with an offensive-security specialization. Scope covers the SyncRivo public API, authentication and authorization flows, multi-tenancy isolation boundaries, the OAuth credential storage vault, and the customer-facing dashboard. Each engagement uses both authenticated and unauthenticated testing perspectives and includes targeted testing of any new features released in the previous 12 months. A redacted executive summary of scope, methodology, severity-categorized findings, and remediation status is available to Enterprise customers under NDA. SyncRivo additionally runs continuous automated security testing in CI (SAST and dependency scanning) and operates a coordinated vulnerability disclosure program for external researchers, so issues are surfaced and remediated continuously rather than only during the annual engagement window. Critical-severity findings from any source (pen test, automated scan, or external researcher) are remediated and a fix deployed to production within 7 days of triage, with the security team paged 24/7 for indicators of active exploitation.
How are customers notified of security incidents?

For confirmed security incidents affecting customer data, SyncRivo notifies affected customers within 72 hours of confirmation, consistent with GDPR Article 33 (which gives controllers 72 hours from awareness to notify their supervisory authority) and the HIPAA Breach Notification Rule timelines. Notifications include the nature of the incident, the categories and approximate volume of affected data, the likely consequences, the measures taken or proposed, and a designated contact for follow-up questions. Enterprise customers receive incident communication directly from their dedicated account team via the secure communication channel established at contract signature, and may opt into status-page subscriptions (status.syncrivo.ai) for operational alerts about service availability that do not rise to the level of a security incident. SyncRivo also commits to a public, timestamped post-incident review (PIR) for any incident that affects more than five customers, published on the status page within 14 days of incident closure and including root cause, remediation steps taken, and the structural changes introduced to prevent recurrence.
Is a self-hosted deployment available?

Self-hosted deployment is available for qualifying Enterprise and regulated-industry customers, typically large healthcare networks, financial institutions, and government contractors with explicit data-residency or air-gapped network requirements that cannot be met by SyncRivo's standard regional hosting. The self-hosted deployment ships as a Kubernetes Helm chart designed to run inside the customer's own VPC with full operational control over secrets, logging, and outbound network egress. SyncRivo provides quarterly software updates, a designated support engineer, and a joint architecture review for each customer's deployment topology. See the Self-Hosted feature page for architecture diagrams, infrastructure prerequisites, supported Kubernetes distributions, and the operational responsibility split between SyncRivo and the customer's platform team. Self-hosted licensing is offered as an annual contract and includes the same SLA, security commitments, and BAA/DPA terms as the managed Enterprise plan, with the addition of customer-controlled key management and air-gapped deployment options for the most regulated environments.
How do I report a vulnerability?

Email security@syncrivo.ai with a description of the issue, reproduction steps, and any proof-of-concept materials. SyncRivo acknowledges receipt within 24 hours, triages and assigns a severity within 48 hours, and operates a coordinated disclosure program with a 90-day embargo: the researcher agrees not to publicly disclose the vulnerability until either the fix is deployed or 90 days have elapsed, whichever is sooner. Researchers acting in good faith under the disclosure policy are protected from legal action under SyncRivo's safe-harbor language. SyncRivo does not currently operate a paid bug bounty, but acknowledges contributors publicly with their permission and may issue swag or other recognition for high-quality reports. See the Vulnerability Disclosure Policy at /security for the full terms, scope, and out-of-scope items. Critical-severity findings (RCE, authentication bypass, cross-tenant data access) are typically remediated and a fix deployed to production within 7 days of triage, and the researcher is notified of the deploy timeline as part of the coordinated disclosure handshake.

Ready to move past the security questionnaire?

Tell us which artifacts you need. We will send the trust pack and a scoped NDA in one reply — typically within one business day.