Security

Built for financial data

Synchronized handles sensitive financial documents and structured client data. Security is not a feature — it is the architecture.

AES-256 + TLS 1.3Encryption everywhere

SOC 2 Type IIAudit in progress

Firm isolationZero cross-tenant access

Full provenanceEvery number is traceable

99.9% uptimeSLA guaranteed

Human-in-the-loopAI proposes, you decide

Encryption

All data is encrypted at every stage — in transit, at rest, and in storage. Keys are managed via AWS KMS with automatic rotation.

In transit

TLS 1.3 on all API traffic, uploads, and inter-service calls

At rest

AES-256 for documents, extracted fields, and graph data

Document storage

Isolated S3 with server-side encryption and presigned URLs

client → api.synchronized.co

TLS 1.3 · ECDHE-RSA-AES256-GCM-SHA384

Certificate: *.synchronized.co

HSTS: max-age=63072000; includeSubDomains

api → postgres (encrypted)

AES-256 · AWS KMS key rotation

Backup: continuous + point-in-time recovery

documents → S3 (SSE-KMS)

Access: presigned URL · 15min expiry

Role Matrix

Role	Read	Write	Approve	Admin
Firm Admin	✓	✓	✓	✓
Advisor	✓	✓	✓	—
Analyst	✓	✓	—	—
Compliance	✓	—	✓	—
Operations	✓	✓	—	—
Client	✓	—	—	—

Enforced at API layer via Pundit policies. All queries auto-scoped to firm.

Access Control

Every data model is scoped to a firm. JWT tokens carry firm context, and all queries are automatically filtered. Six granular roles control exactly who can read, write, approve, and administrate.

Multi-tenancy

Zero cross-tenant access by design — firm_id enforced at every layer

Session management

24hr JWT expiry, JTI revocation, automatic idle timeout

Audit & Provenance

Every piece of data in Synchronized maintains a chain of custody — from the original document to the final verified value.

Document ingestedMar 21, 10:42 AM

tax_return_2024.pdf · page 1, line 9

Field extractedMar 21, 10:42 AM

Gross Income → $285,000 · confidence: 0.97

Proposed to advisorMar 21, 10:43 AM

Draft record #4821 · 142 fields

Reviewed by advisorMar 21, 11:15 AM

J. Smith approved · 141 accepted, 1 corrected

Synchronized to graphMar 21, 11:15 AM

Smith Household model updated · v12

Infrastructure

Cloud hosting

AWS with Railway orchestration. Continuous backups with point-in-time recovery.

Network isolation

Private inter-service communication. Only GraphQL API and upload paths are public.

Dependency security

Automated vulnerability scanning. Verified base images. Zero secrets in source.

Compliance

SOC 2 Type II

Audit in progress. Designed from ground up for Trust Services Criteria: security, availability, confidentiality.

Data retention

Configurable per firm. Soft-delete architecture — recoverable during retention, permanently purged after.

Data residency

All processing within AWS US regions. Region-specific deployment for enterprise.

AI & Document Processing

AI proposes. Humans approve. No extracted data is treated as truth until an authorized user reviews and verifies it. The system never makes autonomous decisions about financial data.

Human-in-the-loop

Every extraction is a proposal. Advisors see confidence scores, review each field, and explicitly approve before anything enters the system of record.

Model isolation

Client data is never used to train or fine-tune models. Document processing is stateless — no client data persists in the AI pipeline after processing completes.

Confidence scoring

Every field includes a numerical confidence score. Low-confidence extractions are flagged automatically. You always know what needs your attention.

Questions about security?

We are happy to discuss our security practices, provide documentation for your compliance team, or schedule a technical walkthrough of our architecture.

Contact security team