Syncanix

Trust Center

Every question a B2B procurement, security, or privacy team typically asks about a new AI vendor — answered here. Specific numbers, current commitments, no marketing adjectives. If something is missing, reach admin@syncanix.com and we will publish the answer for the next reader.

At a glance

Data region: EU (Frankfurt) by default. No data leaves the EU.
Encryption: Encrypted at rest; TLS 1.3 in transit. BYOK supported for enterprise tier.
EU AI Act: Article 50 transparency obligations met before the 2 Aug 2026 enforcement date. Syncanix is the provider of a limited-risk AI system; the GPAI model duties sit upstream.
Breach notice: 24-hour notification SLA to customers from confirmed breach (DPA Art. 33).
DSAR SLA: 24-hour acknowledgement; 30-day fulfilment (GDPR Art. 12).
SOC 2: Type I evidence collection begins month 1 post-launch; Type II by month 9.

Security

Production runs in the EU (Frankfurt) under a dedicated, fully isolated cloud account. All data is encrypted at rest and in transit with TLS 1.3. Least-privilege access applies to every workload and database role; authentication is on by default for every API call; CSP, HSTS, and X-Frame-Options headers are set on every customer-facing response.

Read the full security overview →

Subprocessors

Syncanix relies on 7 sub-processors today — model providers (Anthropic, OpenAI), the AWS production region (which also runs retrieval embeddings + reranking via Amazon Bedrock, in-region in the EU), the identity provider (Auth0), error tracking (Sentry), billing (Stripe), and transactional email (Postmark). Each one carries the data categories explicitly required by its purpose and no more. A 30-day change-notice policy applies to every material change (new sub-processor, new data category, location move).

Read the full subprocessor list →

DPA and cross-border transfers

A bilateral DPA covers GDPR Article 28 (processor obligations) + Article 32 (security measures) + Article 33 (24-hour breach notification). Cross-border transfers use SCCs Module Two (processor-to-processor), with the UK ICO IDTA addendum for UK transfers and a Swiss FADP rider for Swiss transfers. Regional addenda cover UAE PDPL, Saudi PDPL, Israel Amendment 13, Egypt, Qatar, Bahrain, Oman, and Jordan.

Read the full DPA brief →

Privacy

Syncanix is the processor for customer content and the controller for dashboard accounts. Defaults: 30-day retention, no training of foundation models on customer data, EU-only data path. GDPR rights are honoured per Article (15, 16, 17, 20, 25, 32, 33); the product stays out of Article 22 (automated decisioning) by design: every high-impact action has a human-in-the-loop toggle. CCPA and 19 US state laws are covered by superset; the MENA stack spans UAE PDPL, Saudi PDPL, and Israel Amendment 13.

Read the full privacy notice →

AI compliance

The EU AI Act becomes enforceable on 2 Aug 2026. Syncanix is the provider of a limited-risk AI system; the GPAI model duties under Article 53 sit upstream with Anthropic and OpenAI. Article 50 transparency met before the enforcement date: end-user "interacting with an AI system" disclosure + persistent chat-header indicator, translated into the 6 launch languages. Model cards, system card, and bias-evaluation methodology published on the AI compliance page.

Read the full AI compliance brief →

Compliance certifications

Concrete targets, not "we plan to": SOC 2 Type I Q3 2026 (Vanta, auditor selection in progress), SOC 2 Type II Q4 2026, ISO 27001 Q4 2026, EU AI Act Article 50 verified before 2 Aug 2026, GDPR DPA available now, CCPA / CPRA available now. HIPAA and FedRAMP are explicitly out of v1 scope.

Read the full compliance status →

DSAR — data subject access requests

Requests are acknowledged within 24 hours and fulfilled within 30 days, in line with GDPR Article 12. The 5 supported request types map to GDPR Articles 15 (Access), 16 (Rectification), 17 (Erasure), 20 (Portability), and 21 (Objection).

Submit a DSAR →

Languages

The product, the AI disclosure, and the customer-facing legal notices are translated into the 6 launch languages: English, Spanish, French, German, Arabic, and Hebrew. Arabic and Hebrew are rendered right-to-left end-to-end, including icons that carry directional meaning. Native-speaker review is performed before each release.

Contact