Security Practices

Encryption in Transit

All communication between your device and Syncra infrastructure is encrypted using TLS 1.0+ with TLS 1.3 support (Google Cloud managed). This includes:

• •Login credentials and authentication tokens
• •Post content, drafts, and media uploads
• •OAuth tokens and social media credentials
• •API requests and responses (web and mobile)
• •All form submissions and user interactions

Note: We enforce HTTPS for all connections. Modern browsers show a secure padlock icon when connected to Syncra. We automatically redirect insecure HTTP connections to HTTPS.

Encryption at Rest

Data stored in our systems is encrypted at rest using industry-standard algorithms:

• •Passwords: Hashed using bcrypt with strong salt, not stored in plaintext
• •OAuth Tokens: Encrypted with AES-256-GCM before storage
• •API Keys: Encrypted and stored securely with audit logging
• •Payment Information: Not stored; processed through PCI-DSS compliant providers only
• •Database encryption: Cloud SQL provides transparent disk encryption (Google Cloud managed) and application-level AES-256-GCM encryption for sensitive tokens

Key Management

Encryption keys are managed securely with restricted access:

• •Automatic key rotation policies implemented quarterly
• •Access to keys restricted to essential infrastructure personnel only
• •All key operations logged and monitored for suspicious activity

User Authentication

Syncra uses Auth0 for secure, standards-compliant authentication:

• •Password hashing: User passwords are never stored or transmitted to Syncra; Auth0 handles all password verification
• •Session management: Secure, httpOnly cookies with short expiration times
• •OAuth 2.0/OIDC: Standards-compliant protocols for secure token exchange
• •Account recovery: Secure email-based recovery with time-limited tokens

Authorization & Access Control

Workspace-based access control ensures users access only what they need:

• •Owner: Full workspace control, billing, and user management
• •Admin: Manage billing, members, workspace settings, and connected accounts
• •Approver: Review submissions, approve content, and schedule approved posts
• •Creator: Draft and edit content, then submit it for approval
• •Viewer: Read-only access to workspace content and analytics
• •Workspace isolation: Users cannot access workspaces they don't belong to

Session Security

Sessions are protected with multiple security measures:

• •Automatic timeout after 30 minutes of inactivity
• •Session data stored server-side, not in cookies
• •CSRF tokens required for all state-changing requests
• •Session invalidation on suspicious activity or logout

Continuous Monitoring

Syncra infrastructure is continuously monitored for security threats:

• •Real-time alerts: Security team receives immediate notifications of suspicious activity
• •Intrusion detection system (IDS): Network traffic analyzed for attack patterns
• •Endpoint detection: Server logs analyzed for anomalies and unauthorized activities
• •Performance monitoring: Automated detection of resource anomalies that may indicate attacks

Audit Logging

Comprehensive logging enables security investigations and compliance:

• •Authentication events: All login attempts, MFA challenges, and session creation/termination
• •Data access: When users view, download, or export content
• •Administrative actions: User management, permission changes, settings modifications
• •API access: All API calls with user, endpoint, and action details
• •Security events: Failed authentication, rate limit violations, suspicious patterns

Log Security

Logs are protected to prevent tampering:

• •Logs stored in write-once, read-many (WORM) storage
• •Cryptographic signatures prevent undetected modification
• •Replicated to geographically separate systems for backup
• •Access to logs restricted and monitored

OAuth 2.0 Implementation

Syncra uses OAuth 2.0 to securely connect to social media platforms:

• •Authorization code flow: Most secure OAuth flow, never exposes tokens to browser
• •Scope limitation: We request only the minimum permissions needed (publish posts, read analytics)
• •Token encryption: Tokens encrypted before storage and in transit
• •Refresh token security: Automatic rotation of refresh tokens with revocation tracking
• •State parameter: CSRF protection during OAuth redirect flow

Social Platform Security

We maintain secure relationships with all connected platforms:

• •Official APIs only: We use only official, documented platform APIs
• •Compliance: All usage complies with each platform's terms of service
• •Rate limiting: Respecting platform rate limits prevents account suspension
• •Token validation: Automatic detection and handling of revoked or expired tokens

Third-Party Vendor Assessment

All vendors and integrations are assessed for security:

• •Security questionnaires and SOC 2 reports required for critical vendors
• •Data processing agreements with encryption and confidentiality requirements
• •Regular security reviews and updates to vendor status

Incident Response Plan

We maintain operational runbooks for infrastructure incidents with structured logging and Cloud Logging integration:

• •Detection: Automated alerts and manual reviews identify security incidents
• •Response: Incident response team assembles and begins containment immediately
• •Investigation: Forensic analysis determines scope and impact
• •Remediation: Systems are patched, secured, and restored
• •Review: Post-incident review identifies root causes and preventative measures

Breach Notification

In the unlikely event of a data breach, we follow strict notification procedures:

• •Notification timeline: Affected customers notified without undue delay (within six hours)
• •Transparency: Clear information about what data was involved and impact assessment
• •Support: Complimentary credit monitoring or security remediation services offered
• •Regulatory compliance: Notifications to regulators as required by law (GDPR, CCPA, etc.)

Business Continuity

Our incident response plan includes business continuity measures to restore service during major incidents. Recovery time objectives (RTO) and recovery point objectives (RPO) vary by incident type but prioritize customer service restoration.

Password Security

Protect your Syncra account with a strong password:

• •Use a unique password not used on other services
• •Minimum 16 characters including uppercase, lowercase, numbers, and symbols
• •Never share your password with colleagues or support staff
• •Use a password manager to securely store complex passwords
• •Change your password if you suspect it has been compromised

Account Access Management

Manage who has access to your Syncra workspace:

• •Review team members regularly and remove users who no longer need access
• •Use role-based permissions to grant minimal necessary access
• •Immediately revoke access when employees leave
• •Use workspace audit logs to monitor account activity

Social Media Account Security

Secure the social media accounts connected to Syncra:

• •Use strong, unique passwords for each social platform account
• •Enable two-factor authentication on social platform accounts
• •Review connected apps regularly and revoke access to unused applications
• •Immediately disconnect Syncra if you suspect your social account is compromised

Phishing & Social Engineering

Be cautious of phishing attempts targeting Syncra credentials. Syncra employees will never ask you to provide passwords or OAuth tokens via email. Verify suspicious emails by contacting support directly.