Your trust is our top priority. Here's how we protect your data.
Zero Known Vulnerabilities
Last security audit: October 12, 2025 • All dependencies up-to-date
100% Secure
Our Security Commitment
At SyncScript, security isn't an afterthought: it's built into every layer of our platform. We use industry-leading practices to protect your data, maintain privacy, and ensure service reliability.
Infrastructure Security
Encryption Everywhere
In Transit: All data encrypted with TLS 1.3 (HTTPS)
At Rest: Database encryption with AES-256
Passwords: Hashed with bcrypt (never stored in plain text)
Sessions: Encrypted, HTTP-only, secure cookies
Enterprise-Grade Hosting
Provider: Vercel (SOC 2 Type II certified)
CDN: Global edge network for performance & security
DDoS Protection: Automatic mitigation at edge
Uptime: 99.99% SLA with automatic failover
Application Security
Security Headers
We implement 7 security headers to protect against common attacks:
Content-Security-Policy: Prevents XSS attacks
X-Frame-Options: Prevents clickjacking
X-Content-Type-Options: Prevents MIME sniffing
Strict-Transport-Security: Forces HTTPS
Permissions-Policy: Limits browser features
Referrer-Policy: Controls referrer info
X-DNS-Prefetch-Control: Prevents DNS leaks from prefetching
Input Validation & Sanitization
All user input validated on client and server
SQL injection prevention through parameterized queries
XSS prevention through output encoding
CSRF protection with secure tokens
Authentication & Access Control
Powered by Auth0
We use Auth0, an industry-leading identity platform trusted by thousands of companies.
✓ Multi-factor authentication (MFA) available
✓ OAuth 2.0 / OpenID Connect standards
✓ Secure password policies enforced
✓ Brute force protection built-in
✓ Session management with automatic expiry
Role-Based Access Control (RBAC)
Users can only access their own data
Team features have granular permissions
API keys scoped to specific resources
Admin actions require additional verification
Data Protection & Privacy
What We Collect
Account Data: Email, name (encrypted)
Usage Data: Tasks, projects, notes (encrypted)
Analytics: Page views, feature usage (anonymized)
We DON'T collect: Credit cards, SSN, sensitive personal data
Data Isolation
Each user's data is logically separated
Database queries scoped to authenticated user
No cross-user data access possible
Regular audits to verify isolation
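The Input Validation & Sanitization and Data Isolation sections above describe the same discipline from two sides: user input is validated, reaches the database only as query parameters, and every query carries the authenticated user's id from the server-side session. The following added example (not SyncScript's code) shows a "fetch a task" repository built that way, together with HTML output encoding and a constant-time CSRF token comparison. The task table, the session shape and the `dbQuery` stand-in for a parameterized client are constructed for the example.

```javascript
// Added example, not SyncScript's code. Constructed sample table: rows owned
// by two different users.
const TASKS = [
  { id: 1, owner_id: 'user-a', title: 'Write report' },
  { id: 2, owner_id: 'user-b', title: 'Private note' },
  { id: 3, owner_id: 'user-a', title: 'Pay invoice' },
];

// Stand-in for a parameterized client such as pg's client.query(text, values).
// The SQL text is a fixed string; user-supplied values travel in `values` and
// are matched as whole values, never spliced into the statement.
function dbQuery(text, values) {
  if (text === 'SELECT id, owner_id, title FROM tasks WHERE owner_id = $1') {
    return TASKS.filter((t) => t.owner_id === values[0]);
  }
  if (text === 'SELECT id, owner_id, title FROM tasks WHERE owner_id = $1 AND id = $2') {
    return TASKS.filter((t) => t.owner_id === values[0] && t.id === values[1]);
  }
  throw new Error('unexpected statement: ' + text);
}

// Input validation: a task id is a positive integer and nothing else, so
// anything that is not digits is rejected before it nears the database.
function parseTaskId(raw) {
  if (typeof raw !== 'string' || !/^[1-9]\d{0,9}$/.test(raw)) {
    throw new RangeError('invalid task id');
  }
  return Number(raw);
}

function requireUser(session) {
  if (!session || typeof session.userId !== 'string') throw new Error('unauthenticated');
  return session.userId;
}

// Data isolation: the owner id comes from the server-side session, never from
// the request, so a client cannot name someone else's rows.
function listTasks(session) {
  const userId = requireUser(session);
  return dbQuery('SELECT id, owner_id, title FROM tasks WHERE owner_id = $1', [userId]);
}

function getTask(session, rawId) {
  const userId = requireUser(session);
  const id = parseTaskId(rawId);
  const rows = dbQuery('SELECT id, owner_id, title FROM tasks WHERE owner_id = $1 AND id = $2', [userId, id]);
  // Another user's task is indistinguishable from a missing one.
  return rows[0] || null;
}

// Output encoding for an HTML body context; task titles are user-controlled.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// CSRF: compare the token submitted with the form against the one bound to
// the session in constant time. Production code would use
// crypto.timingSafeEqual; the manual XOR loop keeps this example dependency-free.
function csrfTokenMatches(sessionToken, submittedToken) {
  if (typeof sessionToken !== 'string' || typeof submittedToken !== 'string') return false;
  if (sessionToken.length !== submittedToken.length) return false;
  let diff = 0;
  for (let i = 0; i < sessionToken.length; i++) {
    diff |= sessionToken.charCodeAt(i) ^ submittedToken.charCodeAt(i);
  }
  return diff === 0;
}
```

The point to check in review is that no query function accepts an owner id as an argument: `listTasks` and `getTask` take the session, and the only place the owner appears is in the parameter array.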
Data Retention
Active accounts: Data retained while account active
Deleted accounts: Permanent deletion within 30 days
Backups: Encrypted, retained for 90 days
Logs: Security logs retained for 90 days
Monitoring & Incident Response
24/7 Monitoring
Automated security scanning (daily)
Real-time error tracking and alerting
Performance monitoring (Core Web Vitals)
Uptime monitoring with instant alerts
Suspicious activity detection
Incident Response Plan
If a security incident occurs, we:
Detect and contain the issue immediately
Assess impact and affected users
Notify affected users within 72 hours (GDPR)
Implement fixes and preventive measures
Publish transparent post-mortem
Compliance & Certifications
GDPR Compliant
Full compliance with EU General Data Protection Regulation
CCPA Compliant
California Consumer Privacy Act requirements met
SOC 2 Type II
Infrastructure hosted on SOC 2 certified platform
OWASP Top 10
Protected against all OWASP Top 10 vulnerabilities
Your Security Responsibilities
While we handle security at the platform level, you can help by:
Best Practices
✓ Use a strong, unique password (12+ characters, mixed case, numbers, symbols)
✓ Enable multi-factor authentication (MFA)
✓ Keep your email secure (it's your recovery method)
✓ Log out on shared/public computers
✓ Don't share your password with anyone
✓ Review active sessions regularly
✓ Report suspicious activity immediately
What NOT to Do
✗ Share your password with others
✗ Use the same password on multiple sites
✗ Click suspicious links in emails
✗ Save your password in the browser on public computers
✗ Ignore security warnings
Responsible Disclosure
We welcome security researchers to report vulnerabilities responsibly. If you discover a security issue:
We'll acknowledge receipt within 24 hours and keep you updated on our progress.
Bug Bounty: While we don't currently offer a formal bug bounty program, we deeply appreciate responsible disclosure and will recognize contributors publicly (with permission).