Security
Trust Center
How Synapse OS protects your API keys, prompts, and customer data.
Overview
This page is maintained by Synapse OS to answer common security and privacy questions about our platform. It describes our current practices and the controls we have enabled. It is not an independent certification or legal opinion.
If you are evaluating Synapse OS for a team or enterprise deployment, you are welcome to share this page with your security reviewer. For deeper questions, contact us at founder@synapseui.dev.
Data Architecture
Synapse OS sits as a thin proxy between your application and the model provider. Requests flow through our edge, are inspected for policy, attribution, and cost governance, and are then forwarded to the upstream provider.
- What we store: token counts, cost estimates, workspace identifiers, guardrail events, and billing records.
- What we do not store: the text content of prompts, completions, embeddings, or tool outputs.
- What passes through: request headers and body are forwarded to the model provider; the body is not retained in our systems.
Encryption
We encrypt data in transit and at rest using industry-standard mechanisms:
- In transit: all traffic to and from Synapse OS uses TLS 1.2 or higher.
- At rest: proxy keys and API credentials are encrypted with AES-256.
- Authentication: user sessions are managed through our auth provider using secure, httpOnly-compatible tokens.
Read-Only Tracking
Synapse OS tracks only the metadata required to run the service. This read-only telemetry lets us attribute cost, enforce budgets, and detect anomalies without touching your actual prompt or response text.
- Token counts per request, user, and workspace.
- Model identifier, latency, and error codes.
- Guardrail triggers such as budget caps or recursive-loop flags.
- No content inspection, no prompt logging, no response retention.
Prompt & Response Privacy
We designed Synapse OS so that prompt and response text are never read, logged, or stored by our infrastructure. The proxy forwards the request body to the upstream model provider and then streams the response back to your application.
This means your customer data, proprietary prompts, and model outputs remain under your control. We cannot reproduce, analyse, or train on your prompt text because we do not retain it.
Subprocessors & Infrastructure
We rely on a small set of trusted service providers to operate the Services:
- Supabase โ authentication, database, and secure storage.
- Stripe โ payment processing, billing, and the customer portal.
- Cloudflare / Lovable Cloud โ hosting, edge delivery, and security.
- Google Analytics โ anonymised website analytics and usage insights.
All subprocessors are bound by confidentiality and security obligations consistent with our practices and applicable data protection law.
Retention & Deletion
We retain metadata only for as long as necessary to provide the Services, enforce subscriptions, and comply with legal obligations:
- Usage metadata: retained for the lifetime of your workspace plus a limited operational window.
- Authentication data: retained for the lifetime of your account plus a reasonable grace period.
- Analytics data: retained according to the policies of our analytics providers.
You can request deletion of your workspace and associated metadata by contacting us. Prompt and response text are never stored, so there is nothing to delete on that front.
Incident Response
If we become aware of a security incident that affects customer data or service integrity, we will:
- Investigate and contain the issue as quickly as reasonably possible.
- Notify affected customers without undue delay, typically via email, with relevant details and recommended actions.
- Document the incident, remediate root causes, and review controls to reduce recurrence.
To report a vulnerability or security concern, email founder@synapseui.dev.
Security Contact
For security questions, vulnerability reports, or incident notifications, contact:
Want the legal details? Review our Privacy Policy and Terms of Service.