Synlixa — Security & Compliance

Last updated: 22 Aug 2025

Scope: Applies to synlixa.com, our sub-domains, and any products, dashboards, APIs, and voice/chat agents that link to this page ("Services").

This page describes how Synlixa protects data, complies with applicable messaging and privacy rules, and responds to security events. It complements—does not replace—our Privacy Policy and Terms of Service.

1) Security Program Overview

Risk-based approach: Written information security program (WISP) aligned to common controls (least privilege, need-to-know, encryption, change control, incident response).

Accountability: Security is owned by company leadership; all personnel complete security & privacy training at onboarding and annually thereafter.

Data minimization: We only collect data needed to provide the Services. Sensitive data (e.g., payment cards, government IDs, protected health info) should not be sent to us unless we agree in writing.

2) Data Classification & Handling

Classes: Public • Internal • Confidential • Restricted (PII/customer content).

Handling: Restricted data is encrypted, access-controlled, and logged. Confidential is access-controlled. Internal is limited to employees/contractors. Public has no restrictions.

Logging: PII is masked in routine logs where feasible.

3) Encryption & Key Management

In transit: TLS 1.2+ for all external connections. HSTS and modern cipher suites where supported.

At rest: Provider-managed encryption (e.g., AES-256) for databases, object storage, and backups.

Keys: Managed by our cloud provider KMS or equivalent; access is limited and logged.

4) Access Control & Identity

Principle of least privilege: Role-based access control (RBAC); access granted on documented need and reviewed at least quarterly.

MFA: Multi-factor authentication required for administrative and production access.

Segregation: Separate production and non-production environments; separate service accounts with scoped permissions.

Offboarding: Access is revoked promptly upon role change or termination.

5) Network & Infrastructure Security

Segmentation & firewalls: Network security groups and deny-by-default rules; only required ports are exposed.

Patching: OS, containers, and managed services patched on a regular cadence; critical security fixes expedited.

Backups: Encrypted, periodically tested; typical rolling retention ≈35 days (see §13).

6) Application Security

Secure SDLC: Code review, dependency scanning, and secret scanning in CI/CD.

Vulnerability management:

72h

Critical

High

30d

Medium

90d

Low

Testing: Periodic SAST/DAST; third-party penetration testing at least annually (or after major changes).

Change management: Peer review and automated checks before deploy; rollbacks available.

7) Vendor & Subprocessor Management

Due diligence: We evaluate security posture and data handling before engagement.

Contracts: Data protection terms, confidentiality, and breach notification are required.

Monitoring: Subprocessors are reviewed periodically.

Typical categories: hosting and CDN, email/SMS/voice delivery, calendars/scheduling, analytics/tag management, AI/LLM processing, databases/CRMs. (A current list is available on request.)

8) Privacy & Data Protection

Roles: Synlixa is generally a processor/service provider for Customer Content and a controller for our website operations and account data.

Legal bases: Contract, legitimate interests, consent, and legal obligations (see Privacy Policy).

International transfers: Standard contractual mechanisms and provider safeguards where applicable.

Data subject rights: We honor access, correction, deletion, and portability requests as described in our Privacy Policy.

Children: Our Services are not for users under 16.

9) Messaging Compliance (Email/SMS/Voice)

A2P 10DLC & CTIA Brand/campaign registration, STOP/HELP support

TCPA/CAN-SPAM Honor opt-outs, sender identification

Do-Not-Call DNC scrubbing, local calling windows

Consent: Customers must obtain and document legally required consent before contacting end users.

Records: Opt-in/opt-out signals and campaign metadata are stored for auditing.

10) Responsible/Compliant AI Use

No training on your content without your explicit permission.
Guardrails: Language detection (e.g., EN/ES), barge-in support, unsafe-request refusal, and consent prompts where needed.
Human-in-the-loop: For high-impact workflows (e.g., scripted calling, large outreach changes), customers can require approval steps.
Evaluation: We monitor quality metrics (connect, reply, book, and show rates) to detect abnormal behavior.

11) Incident Response & Breach Notification

Plan: Documented incident response plan with defined roles (detection → triage → containment → eradication → recovery → lessons learned).

Logging & alerts: Centralized logs and security alerts for key systems.

Notification: We notify affected customers without undue delay and, where required by law (e.g., GDPR), aim to notify regulators/customers within 72 hours of confirming a notifiable breach.

12) Business Continuity & Disaster Recovery

Objectives: We design for resilience and aim for commercially reasonable RPO ≤ 24 hours and RTO ≤ 24 hours for core systems.

Testing: Backups and recovery procedures are reviewed and tested periodically.

Dependencies: We account for third-party outages and have fallback procedures where possible.

13) Data Retention & Deletion

(Aligned with our Terms of Service)

Leads/CRM objects: retained up to 24 months after last activity.
Transcripts & chat content: up to 6 months.
Call recordings (if enabled with disclosure): up to 30 days.
Operational/system logs: 90 days; analytics/metrics: 180 days.
Backups: rolling backups retained up to 35 days.
Deletion on request: Verified deletion requests honored within 72 hours, subject to legal holds and backup cycling.
Post-termination: Customer Content deleted or de-identified within 30 days; anonymized metrics may be retained.

14) Customer Controls & Best Practices

To help you stay compliant and secure with Synlixa:

Consent & lists: Maintain proof of consent; keep suppression/DNC lists current.
Quiet hours: Configure local-time windows for messaging/calls.
PII minimization: Only collect fields you actually use; avoid sensitive data.
Access hygiene: Use MFA, least privilege, and timely offboarding in your team.
Review outputs: Keep a human review for high-impact communications.
Monitor KPIs: Watch for anomalies in reply, positive, and booking rates.

15) Vulnerability Disclosure (Safe Harbor)

We appreciate coordinated vulnerability reports. If you believe you've found a security issue, email contact@synlixa.com with details (steps to reproduce, impact, proof-of-concept).

Do: Act in good faith, give us reasonable time to remediate, avoid data destruction/service disruption.

Don't: Access other users' data, pivot laterally, or run automated scans against production without permission.

We will acknowledge receipt, keep you updated, and credit contributors where appropriate.

16) Compliance Statements (Attestations)

We do not claim formal certifications (e.g., SOC 2, ISO 27001) on this page. Where relevant, we align our controls with common frameworks and may pursue attestations as we grow.

Regulatory cooperation: We cooperate with lawful requests and preserve data as required by law.

17) Updates to this Page

We may update this page to reflect changes to our controls or obligations. Material updates will be noted here and, where appropriate, communicated in-product or by email.

18) Contact

Security or compliance questions? Need a DPA or current subprocessor list?

Email contact@synlixa.com and include your organization name, requested documents, and a brief description of your use case.