Security · v1.0 · Last reviewed 2026-05-13
Built for auditors. Not the other way around.
SynOI sits in front of your AI traffic. We took that responsibility seriously. Every guarantee below is enforced in code and verified in CI. We list what we have today, what's coming, and what we explicitly chose not to do.
CSA STAR for AI alignment. ISO/IEC 42001, ISO/IEC 27001, and SOC 2 Type II on the path. Full alignment matrix →
What's signed, by what, against what
Cryptographic guarantees
Hybrid-signed (Ed25519 + ML-DSA-65) Decision Receipts
Every gateway action mints a signed audit record. Receipt body = canonical JSON of receipt_id, tenant_id, decision, action_class, risk_level, oid_hex, recorded_at. Signature is over the byte-exact canonical form.
Public verification surface
Receipts verify at verify.synoi.systems/<id> using the published Ed25519 public key. Anyone (auditors, compliance, your customer) can verify a receipt with no SynOI dependency. Offline. With any Ed25519 library.
HMAC-SHA256 on inbound webhooks
Every webhook signature is verified before any action is taken. 5-minute anti-replay timestamp window. Twilio, Slack, Paddle: all verified, all constant-time-compared.
Constant-time auth comparisons
Admin-token and signature equality checks use crypto.timingSafeEqual. No timing-attack vector on any auth path.
What we never store
Credential handling
BYO-keys with no-persistence invariant
When a customer's upstream LLM key flows through us via X-Provider-Key, it is forwarded to upstream and never written to any database. This is enforced by an automated DB-scan test in CI that runs every release. We literally cannot leak what we never stored.
Hashed-only license storage
License keys live in the control plane as SHA-256 hashes. A leaked KV dump yields only hashes, which cannot be presented as valid keys. We hand out raw keys exactly once at issuance and never re-issue.
No secrets in logs
Verified by the BYO-key test suite, which greps captured stdout/stderr for any fragment of test credentials. Asserted in CI.
Multi-tenant by design
Isolation & access control
Database isolation via composite primary keys
Composite (tenant_id, oid) primary keys throughout cache, embeddings, and receipts tables. Tenant A literally cannot read tenant B's data: the query won't match.
HTTP-only session cookies, SameSite=Lax
Portal sessions stored in HTTP-only cookies. No client-side script can read them.
JWT cross-type rejection
Magic-link tokens cannot be replayed as session tokens. Each token kind carries a distinct "type" claim that is verified separately. Auth round-trip is asserted in CI.
Admin endpoints are server-side only
Portal makes all admin calls server-side. Admin keys never ship to the browser.
Approval gates that work
Governance & HITL safety
Hosted-mode OAuth lockdown
Setting SYNOI_HOSTED_MODE=1 automatically refuses Anthropic OAuth subscription tokens, preventing ToS violations. Belt-and-braces: a shared deployment cannot accidentally proxy what it shouldn't.
Per-tenant risk policy engine
Allow / deny / require-approval rules. Evaluated at ~1ms per call. Matchers cover tool name, tool input fields, complexity tier, model, user message.
Multi-surface HITL
Dangerous tool actions can require human approval before running. Five surfaces: desktop, Slack, SMS, email (coming), mobile (coming). All signed.
Egress journal + PII suppressor
Redact patterns before LLM calls. Redactions logged for audit. No surprise data exfiltration to upstream.
What we run every day
Operational security
Configurable retention + cleanup
Receipts default 365 days, cache 30 days, embeddings 90 days, with LRU eviction on size caps. Auditors get a windowed view by design.
Anti-relay-aware proxy
Byte-identical forwarding when needed. Body-mutating features auto-disable for OAuth tokens. We follow each provider's rules.
Rate limiting
Per-tenant + per-sender on webhooks. Resource exhaustion attacks have a budget.
XSS-safe verification page
Hostile action_desc is escaped. The receipt page can be shared safely; auditors won't catch a script.
On the roadmap
What's next, and when
• SOC 2 Type II audit: in progress, ~Q1 2027
• HIPAA BAA template: with SOC 2
• SSO / SAML (Okta, Azure AD, Google): with Enterprise tier
• KMS-backed signing keys (AWS KMS): Q3 2026
• Portal 2FA: Q3 2026
• Post-quantum key rotation tooling: planned; hybrid Ed25519 + ML-DSA-65 signing already shipped
• security.txt + HackerOne: with SOC 2 prep
• GDPR data-residency controls: with Enterprise tier
• ISO 27001: following SOC 2 Type II
Honesty by absence
What we don't do
• We do not store your LLM API keys. The X-Provider-Key header is read once, used once, dropped. Asserted by DB scan in CI.
• We do not train on your prompts or outputs. We don't collect them for training, period.
• We do not proxy training data: only inference traffic.
• We do not run user code in our infrastructure. Customers deploy the gateway themselves; we host only the license control plane.
• We do not have access to your model providers' data without your credential.
• We do not silently downgrade requests. Routing decisions are visible in every receipt.
What we cover · what we don't
SynOI governs AI execution.
Not endpoint protection. Not a package scanner. Not a firewall.
We sign every AI-driven action: every LLM call, every tool dispatch the agent attempts, every approval routed to a human. That's the surface area. Threats outside it need the right defense, and we'll tell you what.
AI tool execution
Every tool call your agent attempts goes through risk policy + optional HITL. Signed receipts. Multi-surface approval.
LLM proxy + audit
Every prompt and response flowing through Claude/OpenAI/Groq is receipted with provenance. BYO keys never persist.
CI/CD governance
Receipt every Terraform apply, every deploy. HITL on production releases via mobile, Slack, or SMS.
Egress to LLMs
PII suppressor + egress journal redact patterns before they leave for an LLM provider. Audit what flowed where.
Package supply-chain (npm / PyPI worms, Mini Shai-Hulud class)
Today, this is Socket.dev / Snyk / Aikido territory: they scan packages, we don't. Where we're going: SRAID's state-rich object model is a natural fit for divergence-style detection. See the Supply Chain Guard roadmap card.
Endpoint protection (workstation / server malware)
EDR products (CrowdStrike, SentinelOne) cover this. Out of scope for SynOI.
Network firewall / DNS
Network-layer exfiltration detection lives at the firewall / DNS / mesh layer. Adjacent product (Network Enforcement, roadmap).
Vulnerability scanning
CVE feeds + GHSA + dependency-CVE matching is npm audit / Snyk territory. We can ingest their findings; we don't replace them.
Pair SynOI with the rest of your security stack.
A complete posture has package scanning (Socket / Aikido / Snyk), endpoint protection (CrowdStrike), a network firewall, and AI governance (SynOI). We don't replace those tools; we sign every AI-driven action so the AI tier doesn't become your weakest link.
Security review questions?
We answer security questionnaires directly, no NDA gate, no sales detour. Use the contact form with your spec and we'll send a filled-in version back.