Security
Last updated: April 7, 2026
SyndTrack handles sensitive financial data, and we take that responsibility seriously. This page describes the security controls we have in place today, the third-party services we rely on, and how you can reach us with security questions.
- AES-256 + TLS: Encrypted at rest and in transit
- Row-Level Security: Postgres RLS isolates every account
- Audit Logging: Every write traced for forensics
- Zero Data Selling: We never sell, rent, or trade your data
Current Security Controls
- Encryption in transit and at rest — Customer data is encrypted in transit (TLS) and at rest (AES-256).
- Authentication via Clerk — Authentication is handled by Clerk, supporting email/password, OAuth providers, and multi-factor authentication.
- Payments via Stripe — Payments are processed by Stripe. We never store credit card numbers or bank account details on our servers.
- Record-level access controls — Access to portfolio data is restricted with record-level access controls enforced at the database layer via row-level security.
Subprocessors
We use the following third-party services to operate the platform:
| Provider | Purpose |
|---|---|
| Supabase | Database hosting (PostgreSQL) |
| Clerk | Authentication & identity |
| Stripe | Payment processing |
| Vercel | Application hosting & CDN |
| Anthropic | AI deal scoring (Claude model) |
Data Retention & Deletion
We retain your data for as long as your account is active. If you delete your account, we remove your personal data within 30 days, except where we are required by law to retain it.
You can export your portfolio data at any time from your account settings. To request a full data export or account deletion, contact us at security@syndtrack.io.
Service-level agreement (SLA)
SyndTrack commits to the following uptime targets for paid tiers. The Free tier runs on the same infrastructure but is not eligible for service credits.
| Tier | Monthly uptime target | Service credit if missed |
|---|---|---|
| Free | Best effort | N/A |
| Pro | 99.9% | 10% of monthly bill if 99.0%–99.9%; 25% if < 99.0% |
| Advisor | 99.95% | 25% of monthly bill if 99.5%–99.95%; 50% if < 99.5% |
Credits are calculated against your monthly subscription fee for the affected month. Excluded from the uptime calculation: scheduled maintenance with at least 48 hours notice (capped at 4 hours/month), force majeure, and outages caused by your own configuration. Live status and historical uptime per subsystem are published at /status.
To request a credit, email support@syndtrack.io within 30 days of the affected month with the dates and durations. We respond within five business days.
Backup, recovery, and uptime
- Daily automated backups of the production database via Supabase, with point-in-time recovery (PITR) covering the last 7 days.
- Recovery objectives: target RPO ≤ 24 hours (worst case loss = one calendar day of writes), RTO ≤ 4 hours for full restore.
- Data residency: production database hosted in the US (AWS us-east-1 region via Supabase). Application + CDN run on Vercel's global edge. Personally identifying portfolio data does not leave the US primary region.
- Status & uptime: live status at /status with per-subsystem health (app, Supabase, Stripe, Resend) and response latency.
Compliance roadmap
SyndTrack does not currently hold SOC 2 attestation. Our path to formal certification is calendared and progressing:
| Milestone | Target | Status |
|---|---|---|
| Internal control inventory + gap analysis | Q2 2026 | Complete |
| Continuous compliance tooling onboarded (Vanta / Drata) | Q3 2026 | In progress |
| SOC 2 Type 1 audit | Q4 2026 | Scheduled |
| SOC 2 Type 2 (90-day observation) | Q2 2027 | Scheduled |
| Annual third-party penetration test | Q1 2027 (recurring annually) | Scheduled |
Already aligned with these SOC 2 Trust Services Criteria
Even without formal attestation, the following SOC 2 Common Criteria controls are operational today. Auditors will verify evidence; the controls themselves are in place.
- CC6.1 Logical access: MFA-capable authentication via Clerk, role-based authorization, Postgres RLS for record-level isolation.
- CC6.7 Encryption: AES-256 at rest, TLS 1.2+ in transit, key management via the cloud provider (Supabase / Vercel).
- CC7.2 System monitoring: Sentry for error tracking, Vercel + Supabase logs centralized, synthetic uptime checks every 60 seconds.
- CC7.3 Incident response: Documented runbooks (incident response, secrets rotation, email deliverability), 24/7 on-call rotation, public status page.
- CC8.1 Change management: All production changes ship via reviewed PRs with CI-gated tests. Audit-logged DB writes for every user-visible change.
- A1.2 Backup & recovery: See "Backup, recovery, and uptime" section above.
Need control evidence for a vendor questionnaire today? Email security@syndtrack.io.
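The CC6.1 and CC8.1 controls above (Postgres RLS for record-level isolation, audit-logged DB writes) can be implemented in plain PostgreSQL. The following is an added illustration, not SyndTrack's own schema: table names, column names, the `app_user` role and the `app.account_id` session setting are all hypothetical, and the setting is assumed to be populated by the API from an already-verified auth token.

```sql
-- Hypothetical tenant-scoped table; account_id identifies the owning account.
CREATE TABLE portfolio_deals (
  id         bigserial PRIMARY KEY,
  account_id text    NOT NULL,
  name       text    NOT NULL,
  amount     numeric NOT NULL
);

-- Append-only record of every write, for forensics.
CREATE TABLE audit_log (
  id         bigserial   PRIMARY KEY,
  at         timestamptz NOT NULL DEFAULT now(),
  account_id text,                -- tenant the write was made under
  actor      text,                -- database role that performed it
  table_name text NOT NULL,
  op         text NOT NULL,       -- INSERT / UPDATE / DELETE
  row_id     bigint,
  old_row    jsonb,
  new_row    jsonb
);

-- The API connects as a non-superuser role (hypothetical "app_user") and, per
-- transaction, sets the caller's tenant:  SET LOCAL app.account_id = '<id>';
-- RLS is not applied to superusers or roles with BYPASSRLS, so app_user must be neither.
GRANT SELECT, INSERT, UPDATE, DELETE ON portfolio_deals TO app_user;
ALTER TABLE portfolio_deals ENABLE ROW LEVEL SECURITY;
ALTER TABLE portfolio_deals FORCE ROW LEVEL SECURITY;   -- also applies to the table owner

-- If app.account_id is unset, current_setting(..., true) returns NULL, the
-- comparison is NULL, and no rows are visible or writable: default deny.
CREATE POLICY tenant_isolation ON portfolio_deals
  USING      (account_id = current_setting('app.account_id', true))
  WITH CHECK (account_id = current_setting('app.account_id', true));

-- Record every row-level write together with the tenant and acting role.
CREATE OR REPLACE FUNCTION log_portfolio_write() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  INSERT INTO audit_log (account_id, actor, table_name, op, row_id, old_row, new_row)
  VALUES (current_setting('app.account_id', true), current_user, TG_TABLE_NAME, TG_OP,
          CASE WHEN TG_OP = 'DELETE' THEN OLD.id ELSE NEW.id END,
          CASE WHEN TG_OP = 'INSERT' THEN NULL ELSE to_jsonb(OLD) END,
          CASE WHEN TG_OP = 'DELETE' THEN NULL ELSE to_jsonb(NEW) END);
  RETURN NULL;   -- result of an AFTER row trigger is ignored
END $$;

CREATE TRIGGER portfolio_deals_audit
  AFTER INSERT OR UPDATE OR DELETE ON portfolio_deals
  FOR EACH ROW EXECUTE FUNCTION log_portfolio_write();
```

With this in place, a query run under account A cannot read or modify account B's rows even if the application code forgets a `WHERE account_id = ...` filter, and every write leaves an audit row that names the tenant it was made under.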
Responsible Disclosure Policy
We welcome reports from security researchers and take every submission seriously. If you believe you have found a vulnerability in SyndTrack, please report it to us privately before any public disclosure so we have a chance to fix it.
How to report
- Email security@syndtrack.io with a description of the issue, steps to reproduce, and any proof-of-concept material. Machine-readable contact info is also published at /.well-known/security.txt per RFC 9116.
- Please give us a reasonable time to respond and remediate before any public disclosure. We aim to acknowledge reports within two business days and provide a status update within seven.
- Do not access or modify data that does not belong to you, run automated scanners against production without coordinating with us first, or perform any denial-of-service testing.
Scope
- In scope: www.syndtrack.io and any publicly reachable API under www.syndtrack.io/api.
- Out of scope: third-party services we depend on (Clerk, Stripe, Supabase, Vercel, Anthropic, Resend), social engineering of our staff, and physical attacks. Please report those directly to the respective vendors.
Safe harbor
We will not pursue legal action against researchers who make a good-faith effort to comply with this policy. If you are unsure whether a planned test falls within scope, email us first and we will confirm.
Security Contact
Security questions, vulnerability reports, or data requests can be sent to security@syndtrack.io.