Trust

Security

How we protect your data and ours. Practical controls, no vague reassurances.

Encryption in transit and at rest

All traffic to SyncLyn uses TLS 1.2 or higher. Data at rest is encrypted with AES-256 on managed cloud storage. Database backups are encrypted with separate keys.

Authentication

Passwords are stored as bcrypt hashes — never plaintext. Sessions are signed JWTs with short expiry. Optional Google sign-in is available; SAML SSO is available on Business plans for enterprise customers.

Role-based access control

Every user has a role (Agent, Recruiter, Manager, Company Admin, Super Admin). Sensitive operations such as billing changes, audit log access, and user provisioning are gated to Company Admin and above.

Audit logging

Admin actions, ticket lifecycle events, interview scheduling, and API key activity are recorded in an append-only audit log. Company Admins can review the log and export to CSV or JSON.

Backups and recovery

Database snapshots are taken daily and retained for 30 days. Point-in-time recovery is available for the most recent 7 days. We test restore procedures quarterly.

Payment security

We never store card details. All payments are processed by Stripe, which is PCI DSS Level 1 certified. Card data travels directly from your browser to Stripe, never through our servers.

Webhook signature verification

Every incoming Stripe webhook has its HMAC signature verified before any state change. Unsigned or tampered requests are rejected. Each event ID is recorded once; retries are no-ops, never double-charges.
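The check described above, as an added sketch that is not SyncLyn's own code: it follows Stripe's documented `Stripe-Signature` scheme (`t=<timestamp>,v1=<HMAC-SHA256 of "timestamp.body">`) and records event IDs so a retried delivery changes nothing. The function names, the in-memory ID set, the 300-second tolerance, and the sample secret and payload are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # assumed replay window; Stripe's libraries default to 5 minutes


def sign(secret: str, timestamp: int, payload: bytes) -> str:
    """Compute the v1 signature: HMAC-SHA256 over "<timestamp>.<payload>"."""
    signed = str(timestamp).encode() + b"." + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def verify(secret: str, header: str, payload: bytes, now: int) -> bool:
    """Check a Stripe-Signature header ("t=...,v1=...") against the raw body."""
    timestamp, candidates = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isdecimal():
            timestamp = int(value)
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # missing or stale timestamp: treat as unsigned or replayed
    expected = sign(secret, timestamp, payload).encode()
    # Constant-time comparison; several v1 values can appear during secret rotation.
    return any(hmac.compare_digest(expected, c.encode()) for c in candidates)


def handle_webhook(secret, header, payload, seen_ids, now=None):
    """Return "rejected", "duplicate" or "processed"; only "processed" changes state."""
    now = int(time.time()) if now is None else now
    if not header or not verify(secret, header, payload, now):
        return "rejected"
    event_id = json.loads(payload)["id"]  # body is parsed only after the signature checks out
    if event_id in seen_ids:
        return "duplicate"  # retry of an event already applied: no-op
    seen_ids.add(event_id)  # a real service would use a unique-key insert in its database
    return "processed"


# Constructed sample values, not real Stripe data.
SECRET = "whsec_example_constructed"
BODY = b'{"id": "evt_constructed_001", "type": "invoice.paid"}'
```

The signature must be computed over the raw request bytes; re-serializing parsed JSON before verifying will produce a mismatch.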

Provider strict mode

In production, integrations with third-party services (WhatsApp, email, calendar, Stripe Connect) operate in a strict mode that rejects unconfigured credentials with a clear error instead of falling back to simulated providers. There is no path through which a misconfigured environment silently sends a real message.

Responsible disclosure

Found a security issue?

Please email security@synclyntech.com with details. We respond within 48 hours and credit researchers who report verified issues. Do not disclose publicly until we have had a reasonable chance to fix it.

Compliance

SyncLyn is operated by LaneX Holdings Ltd under the UK Data Protection Act 2018 and UK GDPR. We are working toward SOC 2 Type II and ISO 27001 attestations.