Security

How we protect your data with enterprise-grade security measures

Security First

ContextSynth is built with security as a core principle, not an afterthought. Every layer of our stack implements defense-in-depth security controls.

🔐 Encryption

Data at Rest

  • Algorithm: AES-256-GCM (Galois/Counter Mode)
  • Key Management: Tenant-specific Data Encryption Keys (DEKs)
  • Key Wrapping: DEKs encrypted with master Key Encryption Key (KEK)
  • Scope: All customer profiles and raw data encrypted before storage

Technical Details: Each tenant has a unique 256-bit DEK generated using cryptographically secure random number generation. DEKs are wrapped (encrypted) using a master KEK and stored separately from the data. This ensures tenant isolation even if the database is compromised.
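The DEK/KEK scheme described above, sketched with Node's built-in crypto module as an added example; it is not ContextSynth's code. The in-memory KEK, the function names, the iv || tag || ciphertext layout and the tenant-ID binding via AAD are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed master KEK for the demo (assumption: a real KEK lives in a KMS/HSM).
const KEK = crypto.randomBytes(32);

// AES-256-GCM encrypt. Output layout (assumed): 12-byte IV || 16-byte tag || ciphertext.
// aad is authenticated but not encrypted; it binds the blob to its context.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12); // 96-bit nonce, must never repeat under one key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// AES-256-GCM decrypt. final() throws if key, AAD, tag or ciphertext do not match.
function unseal(key, blob, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(Buffer.from(aad));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Key-store row for a tenant: a fresh 256-bit DEK, persisted only in wrapped form.
function createTenant(tenantId) {
  const dek = crypto.randomBytes(32);
  const wrappedDek = seal(KEK, dek, `dek:${tenantId}`);
  dek.fill(0); // drop the plaintext DEK once it is wrapped
  return { tenantId, wrappedDek };
}

// Data-store side: unwrap the tenant's DEK, use it for one record, then wipe it.
function encryptRecord(tenant, plaintext) {
  const dek = unseal(KEK, tenant.wrappedDek, `dek:${tenant.tenantId}`);
  try { return seal(dek, Buffer.from(plaintext), `rec:${tenant.tenantId}`); }
  finally { dek.fill(0); }
}

function decryptRecord(tenant, blob) {
  const dek = unseal(KEK, tenant.wrappedDek, `dek:${tenant.tenantId}`);
  try { return unseal(dek, blob, `rec:${tenant.tenantId}`).toString('utf8'); }
  finally { dek.fill(0); }
}
```

Because the tenant ID is part of the AAD, a wrapped DEK or record copied onto another tenant's row fails authentication instead of decrypting.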

Data in Transit

  • Protocol: TLS 1.3 for all API communications
  • Certificate: Industry-standard SSL/TLS certificates
  • HSTS: HTTP Strict Transport Security enforced
  • No fallback: Unencrypted connections rejected

🛡️ PII Protection

Before sending any data to AI models, we automatically redact personally identifiable information:

  • Email addresses: Detected and redacted
  • Phone numbers: Detected and redacted (international formats)
  • Credit card numbers: Detected and redacted
  • IP addresses: Detected and redacted

Zero Data Retention: We use OpenAI/Azure OpenAI with zero data retention agreements. Your data is NOT used to train AI models.

🔑 Authentication & Authorization

API Key Authentication

  • Bcrypt hashed keys (work factor 12)
  • Keys never stored in plaintext
  • Prefix-based key identification
  • Revocation support

Session Authentication

  • JWT tokens with HS256 algorithm
  • HttpOnly, Secure cookies
  • 30-day expiration
  • Passwordless email codes

Passwordless by Design: We use email-based verification codes instead of passwords, eliminating risks of password reuse, weak passwords, and credential stuffing attacks.

⚡ Rate Limiting & Abuse Prevention

  • Per-tenant rate limits: Tier-based request throttling
  • Distributed enforcement: Rate limits enforced at application level
  • Graceful degradation: 429 responses with Retry-After headers
  • Anomaly detection: Unusual patterns flagged for review

📊 Audit Logging

All LLM API calls are logged for security auditing:

  • What we log: Timestamp, tenant ID, operation type, token counts, latency
  • What we DON'T log: Customer data content, query text, or PII
  • Retention: 90 days
  • Purpose: Security monitoring, fraud detection, compliance

🏢 Infrastructure Security

Hosting

  • Provider: Render.com (SOC 2 Type II certified)
  • Regions: EU (Frankfurt) and US (Oregon) available
  • Database: PostgreSQL with automated backups
  • Network: Private networking for internal services

Application Security

  • CORS: Configured allowed origins
  • CSP: Content Security Policy headers
  • Input validation: Zod schema validation on all endpoints
  • SQL injection: Parameterized queries via Drizzle ORM
  • Dependency scanning: Automated vulnerability checks

🔄 Backup & Disaster Recovery

  • Database backups: Automated daily backups with point-in-time recovery
  • Retention: 7-day backup retention
  • Encryption: Backups encrypted at rest
  • RTO/RPO: 4-hour recovery time, 24-hour data loss maximum

🔍 Vulnerability Management

  • Dependency updates: Regular security patches
  • Monitoring: Automated vulnerability scanning
  • Incident response: 24-hour SLA for critical vulnerabilities
  • Disclosure: Responsible disclosure program

Report a Vulnerability: Email security@contextsynth.com. We respond within 24 hours and provide bounties for valid reports.

📜 Compliance

GDPR

Full compliance with General Data Protection Regulation

  • Data subject rights
  • Breach notification
  • Data portability
  • Right to erasure

SOC 2

Infrastructure providers are SOC 2 Type II certified

  • Security controls
  • Availability
  • Confidentiality
  • Annual audits

👥 Data Isolation

Each tenant's data is cryptographically isolated:

  • Tenant-specific DEKs: Your data can only be decrypted with your key
  • Database isolation: Tenant ID enforced on all queries
  • API isolation: API keys scoped to single tenant
  • No cross-tenant access: Architecture prevents data leakage

🔄 Security Roadmap

Upcoming security enhancements:

  • Hardware Security Module (HSM) integration for key management
  • Customer-managed encryption keys (CMEK)
  • Advanced threat detection with SIEM integration
  • ISO 27001 certification
  • Penetration testing program

📞 Security Contact

For security concerns or to report vulnerabilities:

Email: security@contextsynth.com

We take security seriously. All reports are investigated promptly and handled with confidentiality.