SYNPHORIA

Legal

Data Safety & Security Statement

This statement describes Synphoria's technical and organisational measures to protect user data and Service operations, and how incidents are managed responsibly.

Last updated: 18 February 2026

1. Purpose

This statement explains the security controls Synphoria applies to protect user data and the Service. It complements the Privacy Policy and Safeguarding Policy. It is not a guarantee that incidents will never occur, but describes how risk is reduced and how response is handled.

2. Security Governance

  • Security by design in product and engineering lifecycle.
  • Least-privilege access controls for systems and data.
  • Separation of duties for sensitive operations, especially key-related actions.
  • Role-appropriate security and confidentiality training for staff and contractors.

3. Encryption and Transport Security

  • Industry-standard encryption for data in transit and at rest.
  • Encrypted transport channels (for example, TLS 1.3) between user devices and servers.
  • Encrypted storage for chat and other sensitive data (for example, AES-256 with authenticated modes such as GCM).
  • Message-level protections may include unique nonces/IVs and authentication tags to detect tampering.

4. Key Management and Controlled Decryption

Cryptographic keys are managed through secure key-management services, with hardware-backed protections where applicable, and strict access controls.

4.1 Default Confidentiality

By default, conversations are encrypted and not routinely accessible in plaintext to humans.

4.2 Exceptional Access

In limited safeguarding or major security scenarios, responsible personnel may access minimum necessary chat content to verify risk and protect users or the Service.

  • Every decryption-capable request is audit logged.
  • A reason is required and must be recorded.
  • Requests can be initiated only by senior leadership or an expressly authorised representative.
  • Access is role-restricted, time-limited, and scoped to minimum necessary data.
  • Audit records are reviewed and retained for accountability.

5. Access Controls

  • Role-based access control for internal and administrative tools.
  • MFA for privileged operations where appropriate.
  • Logging and monitoring of privileged access and high-risk actions.
  • Secure onboarding and offboarding to provision and revoke access promptly.

6. Monitoring, Logging and Auditability

  • Security logs for authentication, access attempts, anomalies, and system events.
  • Audit logs for sensitive actions, including permission changes and decryption/key-related actions.
  • Safeguarding incident logs documenting decisions and escalation steps.
  • Logs are designed to minimize sensitive content where possible.

7. Secure Development and Vulnerability Management

  • Secure development lifecycle with review and change controls for security-critical changes.
  • Dependency and patch management to reduce known vulnerabilities.
  • Environment separation (for example, development and production) with controlled access.
  • Periodic security testing, including vulnerability scanning and penetration testing where applicable.

8. Data Minimisation, Retention and Deletion

Synphoria aims to collect and retain only data necessary to provide and protect the Service. Retention periods depend on data category, legal obligations, and security needs.

  • User controls may include conversation deletion and consent management where available.
  • Account deletion triggers deletion or anonymisation, subject to legal/security retention requirements.
  • Safeguarding records are retained for appropriate accountability periods.

9. Third-Party Risk Management

Synphoria uses vetted providers (for infrastructure, communications, payment processing, and model services) with contractual safeguards and provider security review processes.

10. Incident Response

  • Detection and triage of potential incidents.
  • Containment and remediation to limit impact and address root causes.
  • Required notifications to authorities or users within legal timeframes where applicable.
  • Post-incident review and control improvements.

11. User Account Safety Guidance

  • Use a strong unique password.
  • Keep device security controls and updates enabled.
  • Be cautious about sharing highly sensitive information online.
  • Report suspected unauthorised access to contact@synphoria.app.

12. Contact

Security and safeguarding: security@synphoria.app. Privacy: contact@synphoria.app. Postal address: SYNPHORIAAI sp. z o.o., ul. Migowska 54D/4, 80-287 Gdansk, Poland.

Security contact: security@synphoria.app | contact@synphoria.app