Privacy

Roles

Syncanix operates as a data processor for the customer-content data flowing through the product (chat conversations, document content, retrieval embeddings, tool-call payloads) and as a data controller for dashboard account data (operator email, role, MFA status, audit logs of operator actions). The split is reflected in the DPA and in the per-data-type retention table below.

Privacy by design defaults

• EU-only data path by default. Production runs in the EU (Frankfurt). No customer data leaves the EU unless the customer explicitly opts into a different region.
• No training of foundation models on customer data. Anthropic and OpenAI traffic flows under Zero Data Retention (ZDR) contracts. Retrieval embeddings and reranking run on Amazon Bedrock in the EU (eu-central-1); AWS does not train its models on customer content.
• Defaults tuned for minimisation. 30-day default retention on chat content; opt-in (not opt-out) for cross-customer analytics; opt-out by default for A/B prompt testing on a per-customer basis.

Retention (per tier)

Customers can shorten retention from the dashboard at any time. Enterprise customers can extend retention to support legal-hold or regulatory obligations.

GDPR rights

Every GDPR right is honoured end-to-end, with specific implementations per Article:

• Article 15 (Access). End users can view their conversation history via the host-site link; admins can pull a single user's full history for DSAR fulfilment. JSON export delivered within the 30-day SLA.
• Article 16 (Rectification). Edit/redact API plus a dashboard workflow. Redactions preserve message structure so subsequent retrieval doesn't return stale content.
• Article 17 (Erasure). Cascading delete propagates through messages, embeddings, vector indexes, and any fine-tunes. 30-day SLA with a soft-delete buffer to recover from accidental requests.
• Article 20 (Portability). Export delivered in both JSON (machine-readable, for portability to another vendor) and PDF (human-readable, for legal / dispute contexts).
• Article 22 (Automated decisioning). Syncanix stays out by design — no solely-automated decisions with legal or significant effect. Every high-impact tool call has a human-in-the-loop toggle and step-up authentication gates.
• Article 25 (Privacy by design). Defaults: 30-day retention, EU-only data path, no training on customer data.
• Article 32 (Security). AES-256 at rest; TLS 1.3 in transit; least-privilege access; full SOC 2 evidence collection in progress.
• Article 33 / 34 (Breach notification). Customers are notified within 24 hours of confirmation of a personal-data breach. End-user notification obligations remain with the customer (controller).

PII handling

PII is treated as load-bearing data, not best-effort. Discovery and ingest layers flag PII fields at extraction time:

• Field-level (catalog). At discovery, the enrichment LLM flags fields likely to contain PII (email, phone, SSN, credit card, IP). Operators confirm or reject. The renderer redacts based on the viewer's pii:read scope.
• Free-text (chat messages). A redaction pass runs on the LLM's final message before storage. Tokens are preserved ([email], [phone]) so the chat reads naturally without leaking raw values.
• Storage layer. PII is redacted on ingest — the raw value never lands on disk. Reviewers without pii:read scope see the redacted view.

Source-code privacy

Syncanix's customer-side discovery CLI runs in the customer's own environment. Only structured catalog metadata leaves the customer's network — source files never upload. Per-endpoint handler text (≤2 KB) sent to Anthropic is processed-and- discarded under their Zero Data Retention contract.

Syncanix never indexes source code server-side. Discovery is event-driven and stateless; the customer's repository content stays in the customer's repository.

BYOK (bring-your-own-key). Enterprise customers can supply their own Anthropic, OpenAI, or Bedrock keys; the LLM provider never sees Syncanix as an intermediary. .syncanixignore excludes paths from discovery by default ( (*.env, secrets/**, fixtures/**, __tests__/**, vendored/**, node_modules/**).

US privacy laws

The product is implemented to a GDPR + CCPA superset that maps to the 19+ state-level privacy laws in force (CA CCPA / CPRA, VA VCDPA, CO CPA, CT CTDPA, UT UCPA, TX TDPSA, FL FDBR, OR OCPA, MT MCDPA, IA ICDPA, TN TIPA, IN ICDPA, DE DPDPA, NH SB 255, NJ SB 332, MN MCDPA, MD MODPA). Syncanix does not sell or share personal information as those terms are defined by the CCPA / CPRA; California residents can exercise their rights to opt out, access, correct, or delete through the data subject request form →. CPPA ADMT rules (effective 1 Jan 2026) are handled by the same Article 22 posture above.

MENA and Israel

UAE Federal Decree-Law 45/2021 (PDPL) + DIFC + ADGM; KSA PDPL (full enforcement since 14 Sep 2024) with 72-hour breach notice to SDAIA and local-representative provisioning when revenue thresholds trigger; Israel Privacy Protection Law + Amendment 13 (effective 15 Aug 2025) with mandatory Privacy Protection Officer + fines up to 5% turnover; Egypt Law 151/2020; Qatar Law 13/2016; Bahrain PDPL 30/2018; Oman Royal Decree 6/2022; Jordan PDPL 24/2023. Data residency in a Saudi region (Riyadh) lights up when a paying KSA customer requires it.

Multi-tenant isolation

Tenant boundaries are enforced at every layer: application-level scoping on every query, database row-level security as defence-in-depth, and per-tenant access scoping on the LLM and storage paths. Nightly synthetic probes exercise the boundaries — Synthetic User A in tenant A asks for User B's data; expected outcome is refusal; any failure triggers a critical alert and deploy pause.

DSAR procedure

Data subject access requests (Articles 15 / 16 / 17 / 20 / 21) are acknowledged within 24 hours and fulfilled within 30 days, in line with GDPR Article 12. The supported request types are access, erasure, portability, rectification, and objection. Use the self-service DSAR form → or email admin@syncanix.com directly — the same SLAs apply either way.

Related

• Subprocessor list → — the entities Syncanix relies on, with per-row purpose + transfer mechanism.
• Security overview → — encryption, IAM, headers, incident response.
• Compliance status → — SOC 2 / ISO 27001 / EU AI Act / GDPR / CCPA status.