[ Sign In / Go Premium ]

Security

Trust Center

How Synapse OS protects your API keys, prompts, and customer data.

Overview

This page is maintained by Synapse OS to answer common security and privacy questions about our platform. It describes our current practices and the controls we have enabled. It is not an independent certification or legal opinion.

If you are evaluating Synapse OS for a team or enterprise deployment, you are welcome to share this page with your security reviewer. For deeper questions, contact us at founder@synapseui.dev.

Data Architecture

Synapse OS sits as a thin proxy between your application and the model provider. Requests flow through our edge, are inspected for policy, attribution, and cost governance, and are then forwarded to the upstream provider.

  • What we store: token counts, cost estimates, workspace identifiers, guardrail events, and billing records.
  • What we do not store: the text content of prompts, completions, embeddings, or tool outputs.
  • What passes through: request headers and body are forwarded to the model provider; the body is not retained in our systems.

Encryption

We encrypt data in transit and at rest using industry-standard mechanisms:

  • In transit: all traffic to and from Synapse OS uses TLS 1.2 or higher.
  • At rest: proxy keys and API credentials are encrypted with AES-256.
  • Authentication: user sessions are managed through our auth provider using secure, httpOnly-compatible tokens.

Read-Only Tracking

Synapse OS tracks only the metadata required to run the service. This read-only telemetry lets us attribute cost, enforce budgets, and detect anomalies without touching your actual prompt or response text.

  • Token counts per request, user, and workspace.
  • Model identifier, latency, and error codes.
  • Guardrail triggers such as budget caps or recursive-loop flags.
  • No content inspection, no prompt logging, no response retention.

Prompt & Response Privacy

We designed Synapse OS so that prompt and response text are never read, logged, or stored by our infrastructure. The proxy forwards the request body to the upstream model provider and then streams the response back to your application.

This means your customer data, proprietary prompts, and model outputs remain under your control. We cannot reproduce, analyse, or train on your prompt text because we do not retain it.

Subprocessors & Infrastructure

We rely on a small set of trusted service providers to operate the Services:

  • Supabase โ€” authentication, database, and secure storage.
  • Stripe โ€” payment processing, billing, and the customer portal.
  • Cloudflare / Lovable Cloud โ€” hosting, edge delivery, and security.
  • Google Analytics โ€” anonymised website analytics and usage insights.

All subprocessors are bound by confidentiality and security obligations consistent with our practices and applicable data protection law.

Retention & Deletion

We retain metadata only for as long as necessary to provide the Services, enforce subscriptions, and comply with legal obligations:

  • Usage metadata: retained for the lifetime of your workspace plus a limited operational window.
  • Authentication data: retained for the lifetime of your account plus a reasonable grace period.
  • Analytics data: retained according to the policies of our analytics providers.

You can request deletion of your workspace and associated metadata by contacting us. Prompt and response text are never stored, so there is nothing to delete on that front.

Incident Response

If we become aware of a security incident that affects customer data or service integrity, we will:

  • Investigate and contain the issue as quickly as reasonably possible.
  • Notify affected customers without undue delay, typically via email, with relevant details and recommended actions.
  • Document the incident, remediate root causes, and review controls to reduce recurrence.

To report a vulnerability or security concern, email founder@synapseui.dev.

Shared Responsibility

Some of the protections described on this page are enabled by the Lovable Cloud platform, which provides the underlying hosting, edge network, and managed database infrastructure. Synapse OS configures and operates the application layer on top of that platform.

Customers are responsible for keeping their own credentials secure, configuring workspace access appropriately, and ensuring their use of the Services complies with applicable laws and their own policies.

Security Contact

For security questions, vulnerability reports, or incident notifications, contact:

founder@synapseui.dev

Want the legal details? Review our Privacy Policy and Terms of Service.