Syncanix
Trust Center
Every question a B2B procurement, security, or privacy team typically asks about a new AI vendor — answered here. Specific numbers, current commitments, no marketing adjectives. If something is missing, reach us at admin@syncanix.com and we will publish the answer for the next reader.
At a glance
- Data region: All stored data lives in the EU (Frankfurt). AI replies are generated transiently by the model provider, excluded from training under its API terms; Zero Data Retention (ZDR) agreements are being finalized.
- Encryption: Encrypted at rest; TLS 1.3 in transit. BYOK supported on the enterprise tier.
- EU AI Act: Article 50 transparency obligations met before the 2 Aug 2026 enforcement date. Syncanix is the provider of a limited-risk AI system; the GPAI model duties sit upstream.
- Breach notice: 24-hour notification SLA to customers from confirmed breach (DPA Art. 33).
- DSAR SLA: 24-hour acknowledgement; 30-day fulfilment (GDPR Art. 12).
- SOC 2: Type I evidence collection begins month 1 post-launch; Type II by month 9.
Where your data flows
One conversation turn, end to end: what runs where, what is stored, and what is transient.
1. Your user writes a message (transient; EU, Frankfurt). The chat widget sends it over TLS to the Syncanix API, where every request is bound to your tenant identity before anything else happens.
2. Conversation and catalog storage (stored; EU, Frankfurt). The transcript, your capability catalog, and your settings are written to tenant-isolated storage, encrypted at rest.
3. Documentation retrieval (transient; EU, Frankfurt). When your docs ground an answer, embeddings and reranking run in-region on Amazon Bedrock.
4. AI reply generation (transient; model provider, outside the EU). The message and retrieved context are processed transiently by the model provider to generate the reply, excluded from training under its API terms; a Zero Data Retention agreement is being finalized.
5. The reply streams back (transient; EU, Frankfurt). The answer streams through the Syncanix API to your user’s browser. What persists afterwards is the stored transcript from step 2.
Security
Production runs in the EU (Frankfurt) under a dedicated, fully isolated cloud account. All data is encrypted at rest and in transit with TLS 1.3. Least-privilege access on every workload and database role; default-on authentication on every API call; CSP / HSTS / X-Frame-Options on every customer-facing response.
Live system status
A public status page shows the live availability of the API, widget delivery, dashboard and website — refreshed every five minutes, with current incidents and scheduled maintenance windows.
Security questionnaire
The common review questions (CAIQ-Lite domains, VSA-Core areas) answered in advance, each with an honest yes / partial / planned answer and the detail behind it.
Accessibility
WCAG 2.1 AA is the engineering bar. The statement covers per-surface conformance status, the measures behind it, and known limitations.
Subprocessors
Syncanix relies on 6 sub-processors today — model providers (Anthropic, OpenAI), the AWS production region (which also runs retrieval embeddings + reranking via Amazon Bedrock, in-region in the EU), the identity provider (Auth0), consent-based product analytics (PostHog), and billing (Paddle, our merchant of record). Each one carries the data categories explicitly required by its purpose and no more. A 30-day change-notice policy applies to every material change (new sub-processor, new data category, location move).
DPA and cross-border transfers
A bilateral DPA covers GDPR Article 28 (processor obligations) + Article 32 (security measures) + Article 33 (24-hour breach notification). Cross-border transfers use SCCs Module Two (processor-to-processor), with the UK ICO IDTA addendum for UK transfers and a Swiss FADP rider for Swiss transfers. Regional addenda cover UAE PDPL, Saudi PDPL, Israel Amendment 13, Egypt, Qatar, Bahrain, Oman, and Jordan.
Privacy
Processor for customer content, controller for dashboard accounts. Defaults: 30-day retention, no training of foundation models on customer data, EU residency for all stored data. GDPR rights honoured per Article (15 / 16 / 17 / 20 / 25 / 32 / 33); Article 22 (automated decision-making) is kept out of scope by design: every high-impact action has a human-in-the-loop toggle. CCPA and 19 US state privacy laws are covered by a superset policy; the MENA stack spans UAE PDPL, Saudi PDPL, and Israel Amendment 13.
AI compliance
The EU AI Act becomes enforceable on 2 Aug 2026. Syncanix is the provider of a limited-risk AI system; the GPAI model duties under Article 53 sit upstream with Anthropic and OpenAI. Article 50 transparency met before the enforcement date: end-user "interacting with an AI system" disclosure + persistent chat-header indicator, translated into the 6 launch languages. Model cards, system card, and bias-evaluation methodology published on the AI compliance page.
Compliance certifications
Concrete targets, not "we plan to": SOC 2 Type I Q3 2026 (Vanta, auditor selection in progress), SOC 2 Type II Q4 2026, ISO 27001 Q4 2026, EU AI Act Article 50 verified before 2 Aug 2026, GDPR DPA available now, CCPA / CPRA available now. HIPAA and FedRAMP are explicitly out of v1 scope.
DSAR — data subject access requests
Requests are acknowledged within 24 hours and fulfilled within 30 days, in line with GDPR Article 12. The 5 supported request types map to GDPR Articles 15 (Access), 16 (Rectification), 17 (Erasure), 20 (Portability), and 21 (Objection).
Languages
The product, the AI disclosure, and the customer-facing legal notices are translated into the 6 launch languages: English, Spanish, French, German, Arabic, and Hebrew. Arabic and Hebrew are rendered right-to-left end-to-end, including icons that carry directional meaning. Native-speaker review is performed before each release.
Contact
- Procurement, vendor questionnaires, and general trust questions: admin@syncanix.com.
- DSAR, GDPR escalation, and DPA questions: admin@syncanix.com.
- Vulnerability disclosure and security incidents: admin@syncanix.com.