Security at Syro

At Syro, we take the responsibility of managing our clients' infrastructure seriously, as we recognize the trust they put in us. We uphold high standards of security, not only for our technology solutions but also in our daily operational procedures and access controls. Our team continually improves our security so you can use Syro with confidence.

Organizational Security

Robust Unit Testing
Syro prioritizes rigorous unit testing at each step of the development process. This commitment enhances code stability, aids in early error detection, and fosters the creation of dependable and efficient software products.
Secure Development Lifecycle (SDLC)
Syro integrates security throughout the software development lifecycle, from design and coding to testing and maintenance, to deliver secure and reliable software products.
Third-Party Penetration Testing
Syro engages independent third-party services to conduct penetration testing, which evaluates our security and compliance measures on a routine basis.
Confidentiality
Before their first day of work, every team member must sign an industry-standard confidentiality agreement and commit to following its terms.
Security Awareness Training
All employees at Syro undergo security awareness training within thirty (30) days of onboarding and at least annually thereafter.
Product Access Control
Syro grants a select group of employees regulated access to products. This safeguards security protocols, enables swift response to potential incidents, and supports efficient problem resolution and customer service. Multi-factor authentication (MFA) is also an important part of our layered defense to protect access control systems.

Cloud Infrastructure Security

Cloud Infrastructure Security
Syro utilizes Amazon Web Services (AWS) as its cloud platform, benefiting from AWS's stringent security measures and compliance norms pertaining to physical data center protection and cloud system reliability. Details of AWS Cloud Security can be found here.
Encryption in Transit
Your secrets are end-to-end symmetrically encrypted using 256-bit AES encryption in Galois/Counter Mode. Syro supports encryption in transit using Transport Layer Security. All network traffic to/from our servers is protected by TLS v1.2.
Encryption at Rest
Your secrets are encrypted at rest with 256-bit AES encryption in Cipher Block Chaining mode via OpenSSL.
Data Hosting
Your data is hosted on Amazon Web Services (AWS), which handles physical security to data centers. These data centers are located in the United States.
Threat and Vulnerability Scanning
Syro utilizes multiple monitoring and threat detection systems to identify and alert on incidents.
Email Protection
We have DMARC, DKIM and SPF records in place, targeting syro.com, in order to prevent email spoofing.
Logging and Monitoring
Syro utilizes a Security Information and Event Management (SIEM) solution to process and manage logs from critical systems. This tool enables comprehensive logging and alert capabilities, ensuring prompt notification of security events as they occur. These logs also aid in troubleshooting and support tasks. Access to these logs is strictly controlled.
Backups
Your data is encrypted and backed up by MongoDB Atlas. Syro backs up your data hourly with a retention time of a week. Syro also performs weekly backups with a retention time of 2 months. Our backups are isolated from our system because they are performed by MongoDB. They are stored in the same datacenter as our server instance.

Assurance of Authorized Access

IP Address Whitelisting
Syro supports IP address whitelisting, allowing companies to specify trusted IP addresses for enhanced security. This feature restricts system access to only those users operating from the approved IP addresses, reducing potential unauthorized access.
Role-Based Access Control
Syro implements Role-Based Access Control (RBAC), ensuring that access to sensitive data and operations is restricted to designated roles within a company. This systematic approach strengthens security by limiting data access to only those individuals who need it to perform their tasks.
Complex Password Requirement
Syro mandates the use of complex passwords in accordance with the guidelines in our password policy, reinforcing the security of user accounts. This requirement minimizes the risk of unauthorized access by increasing the difficulty of password guessing or cracking.
Activity and Access Logs
Within Syro, companies have the ability to maintain comprehensive access logs, which detail who accesses what within their organization. These logs add an additional layer of visibility, providing transparency and control over data access. This feature allows companies to quickly identify and address any unauthorized or suspicious activity.
Managing Project Access
Project or organization owners have the ability to see an overview of all users with access to their projects. They can modify user settings and have access to additional management tools.

Compliance

Syro has procured certifications from independent third-party auditors in line with the American Institute of Certified Public Accountants' (AICPA) Service Organization Control (SOC) standards: SOC2 Type 1 and ISO 27001*

SOC2 Type I and Type II (in progress)
This is an audit conducted by an independent third party, certified by the American Institute of Certified Public Accountants (AICPA). It examines a service organization's compliance with Trust Services Criteria (TSC) controls. The SOC 2 Type I and Type II report evaluates the effectiveness of these controls at a discrete point in time and over time, offering customers and stakeholders confidence that the organization has robust controls in place to safeguard their data.
ISO 27001 (in progress)
This international standard sets the benchmark for information security management. It defines the framework for creating, implementing, managing, and enhancing an Information Security Management System (ISMS). Designed to help organizations employ a risk management approach, this standard ensures the protection and secure management of sensitive data.

Report an Issue

If you believe you’ve discovered a bug in Syro’s security, please contact us at security@syro.com and we will get back to you within 24 hours or sooner. Our PGP key is available below in case you need to encrypt your communications with our team. We kindly request that you not publicly disclose the issue until we have had the chance to address it.