Security
Your financial data is a sensitive asset. At Synci, we build with a "Security-First" mindset, ensuring that every transaction, account identifier, and personal detail is protected by industry-standard encryption, modern authentication, and continuous security auditing.
Written By Matias
Last updated About 4 hours ago
Industry-standard data encryption
We encrypt sensitive fields at the application level so that even in the unlikely event of unauthorized access to our database, your information remains unreadable without the encryption keys.
AES-256-CBC Encryption
Synci uses OpenSSL with AES-256 in CBC mode (AES is the block cipher standardised in FIPS 197 and used by banks and government agencies) to encrypt the most sensitive Personally Identifiable Information (PII) and credentials. This includes:
Bank Details: IBANs, BBANs, and account owner details.
Financial Data: Account balances and transaction amounts.
Access Credentials: API access tokens, refresh tokens, and internal account identifiers like MSISDN, provider IDs, and institution IDs.
Blind indexing for secure search
To keep lookups fast without sacrificing security, we use "Blind Indexing": the value to be searched (for example, a bank account identifier) is passed through a cryptographic hash, and that hash, not the plain-text value, is what the system stores and compares. Finding a specific bank account is then a fast exact match on the hash, so the searchable value is never stored in plain text and records are decrypted only when they are actually needed.
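The two mechanisms above, field encryption and blind indexing, fit together as in the following added example. It is not Synci's code (the page does not show Synci's implementation or programming language); it is written in Go for illustration and uses fixed, constructed keys and a constructed IBAN in place of a secrets manager and a real database. It also adds one check a practitioner will look for that the page does not describe: CBC mode on its own does not detect modification of a ciphertext, so the example appends an HMAC-SHA256 tag (encrypt-then-MAC) and verifies it before decrypting. The blind index is a keyed hash (HMAC) of the normalised IBAN under a separate key, so the index cannot be reversed by hashing candidate IBANs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Fixed keys, constructed for this example only; a deployment loads them from a secrets
// manager, never from the database they protect. The index key is separate from the
// data key so a leaked blind index never helps with decryption.
var (
	dataKey  = bytes.Repeat([]byte{0x01}, 32) // AES-256 takes a 32-byte key
	macKey   = bytes.Repeat([]byte{0x02}, 32)
	indexKey = bytes.Repeat([]byte{0x03}, 32)
)

// Encrypt returns IV || AES-256-CBC ciphertext || HMAC-SHA256 over both. CBC alone
// gives confidentiality only; the tag lets Decrypt reject tampering before unpadding.
func Encrypt(plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // fresh random IV per record
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 padding
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	body := make([]byte, aes.BlockSize+len(padded))
	copy(body, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(body[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return mac.Sum(body), nil
}

// Decrypt checks the tag first (constant time), then decrypts and strips padding.
func Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize+sha256.Size || (len(blob)-sha256.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed blob")
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("authentication failed")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}

// BlindIndex normalises the IBAN (case, spaces) and keys it with indexKey: equal IBANs give
// equal tags, but unlike a plain hash the tag cannot be brute-forced without the key.
func BlindIndex(iban string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(strings.ToUpper(strings.ReplaceAll(iban, " ", ""))))
	return hex.EncodeToString(mac.Sum(nil))
}

var rows = map[string][]byte{} // stands in for a table (blind_index, ciphertext)

func Put(iban string) error {
	blob, err := Encrypt([]byte(iban))
	if err != nil {
		return err
	}
	rows[BlindIndex(iban)] = blob
	return nil
}

// Lookup computes the blind index, fetches that row only, and decrypts only that row.
func Lookup(iban string) (string, bool, error) {
	blob, ok := rows[BlindIndex(iban)]
	if !ok {
		return "", false, nil
	}
	pt, err := Decrypt(blob)
	return string(pt), err == nil, err
}

func main() {
	_ = Put("NL91 ABNA 0417 1643 00") // constructed example IBAN
	fmt.Println(Lookup("nl91abna0417164300"))
}
```

Because the IV is random, encrypting the same IBAN twice yields two different ciphertexts, which is exactly why a separate, deterministic blind index is needed for equality search; the clear IBAN never reaches storage, and the index key alone cannot decrypt anything.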
Secure Open Banking connectivity (PSD2)
Synci does not use "screen scraping" or any other method that would require you to hand your bank password to us. Instead, we use official, regulated Open Banking channels to ensure the highest level of security and reliability.
GoCardless integration: We partner with GoCardless, a leading and secure Open Banking provider, to facilitate all bank connections. You can read about GoCardless’ security here.
Official PSD2 APIs: Every connection is powered by the banks' own PSD2-compliant APIs. This is the regulatory standard in Europe for secure and controlled financial data sharing.
No access to credentials: Synci never needs or handles your bank login credentials. When you connect an account, you are redirected to your bank's official website or app to authorize the connection. We only receive a limited-access token to fetch your transaction history, so your password never leaves your bank's secure environment.
Strictly read-only access: The consent you grant covers account information only. Synci can read your transaction history and balances; the token we receive cannot be used to initiate payments, move money, or change anything on your bank accounts.
Multi-factor & biometric authentication
Securing your Synci account is a shared responsibility. We provide the tools you need to ensure only you can access your account and data.
Two-Factor Authentication (2FA): Protect your login with time-based one-time passwords (TOTP) from apps like Apple Passwords, Authy, Bitwarden or 1Password.
Passkeys Support: Synci supports modern Passkeys, allowing you to sign in using biometrics (FaceID, TouchID) or hardware security keys (like YubiKeys). Because a passkey is bound to the Synci origin, a look-alike site cannot obtain a credential that works on the real one, which is why passkeys provide the highest level of protection against phishing and credential theft.
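For the TOTP option, the check a server performs when it accepts a code is shown in the following added example. It is not Synci's code and makes no claim about how Synci verifies codes; it is written in Go and implements RFC 4226 HOTP and RFC 6238 TOTP (HMAC-SHA1, six digits, 30-second steps, which is what the authenticator apps listed above generate by default), compares in constant time, tolerates one step of clock drift, and refuses to accept the same code twice. The secret is the RFC test-vector secret, used here so the output can be checked against the published vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	totpStep   = 30 * time.Second // authenticator apps default to 30-second steps
	totpDigits = 6
	totpSkew   = 1 // accept one step of clock drift on either side
)

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated
// to 31 bits, reduced modulo 10^digits and zero-padded.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTPAt is RFC 6238: the HOTP counter is the number of whole steps since the epoch.
func TOTPAt(secret []byte, at time.Time) string {
	return hotp(secret, uint64(at.Unix())/uint64(totpStep/time.Second), totpDigits)
}

// Verifier holds one user's secret and the last counter it accepted, so a code
// that was already used cannot be replayed while it is still within the window.
type Verifier struct {
	secret   []byte
	lastUsed int64 // highest accepted counter, -1 before first use
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, lastUsed: -1}
}

// Verify accepts code if it matches the current step or one of its ±totpSkew
// neighbours, comparing in constant time, and records the step on success.
func (v *Verifier) Verify(code string, now time.Time) bool {
	base := now.Unix() / int64(totpStep/time.Second)
	for d := int64(-totpSkew); d <= totpSkew; d++ {
		c := base + d
		if c <= v.lastUsed {
			continue // this step (or an older one) has already been consumed
		}
		want := hotp(v.secret, uint64(c), totpDigits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastUsed = c
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector secret, not a real one
	fmt.Println("current code:", TOTPAt(secret, time.Now()))
}
```

The replay guard matters because a TOTP code stays valid for the whole step plus the skew window: without recording the accepted counter, a code captured by a phishing page could be reused for up to 90 seconds. Rate limiting of failed attempts, which this example omits, is the other half of a production check.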
Infrastructure & hosting
Our physical and cloud infrastructure is designed to meet strict European data protection standards.
European hosting: Our servers and databases are located in the Netherlands.
End-to-End HTTPS: Synci uses HTTPS for all external and internal communication, so all data is encrypted in transit with industry-standard TLS.
Managed databases: We use managed database services that are encrypted at rest and in transit. This means your data is protected while it's sitting on a disk and while it's moving between our servers.
Strict privacy: Your data is never shared with undisclosed third parties. Synci only communicates with the specific financial institutions, destinations, and AI provider(s) that you explicitly authorize.
Continuous security auditing
Security isn't a "one-time" setup; it's a continuous process of improvement and monitoring.
Aikido Security Monitoring: We use Aikido as a comprehensive security tool to continuously scan our codebase, repositories, and API endpoints for vulnerabilities and security risks.
Automated Scans: Every update to our platform is automatically scanned for dependency risks, misconfigurations, and common web vulnerabilities. This includes periodic scans of our frontend/dashboard and backend APIs.
Frontend & browser protection
We implement a strict Content Security Policy (CSP) to protect your session while you use the Synci dashboard.
XSS Prevention: Our CSP strictly limits where scripts, styles, and images can be loaded from. Each response carries a per-request "nonce" (a random value the browser requires on every script it runs); a script injected by an attacker cannot know that value, so it is not executed. This blocks the "Cross-Site Scripting" (XSS) class of attacks.
No Unsafe-Inlines: We do not allow 'unsafe-inline' scripts, ensuring that only trusted Synci code runs in your browser.
Anti-Clickjacking: We use the frame-ancestors directive to prevent the Synci dashboard from being embedded (framed) in malicious third-party websites.
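As an added illustration of the policy this section describes, the following Go HTTP handler generates a per-request nonce, emits a Content-Security-Policy header whose script-src and style-src are restricted to 'self' plus that nonce (no 'unsafe-inline') together with a frame-ancestors directive, and passes the nonce to the page template so that only the application's own inline script carries it. This is example code, not Synci's, and the page markup, the exact directive set and the choice of frame-ancestors 'none' are assumptions; Synci's actual policy is not shown on this page.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"html/template"
	"log"
	"net/http"
)

// A constructed dashboard page: the one inline script carries the nonce, so it runs;
// a <script> injected by an attacker cannot know the nonce and is blocked.
var page = template.Must(template.New("dashboard").Parse(`<!doctype html>
<html><head><script nonce="{{.Nonce}}">window.app = {ready: true};</script></head>
<body><h1>Dashboard</h1></body></html>
`))

// newNonce returns 128 bits from the CSPRNG, base64url-encoded (a valid CSP nonce).
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// cspHeader builds the policy for one response. Scripts and styles may come only from
// the site itself or carry this request's nonce (no 'unsafe-inline'); frame-ancestors
// 'none' refuses framing by any origin (anti-clickjacking). The exact directive set is
// an assumption made for this example.
func cspHeader(nonce string) string {
	return fmt.Sprintf("default-src 'self'; script-src 'self' 'nonce-%s'; "+
		"style-src 'self' 'nonce-%s'; img-src 'self' data:; object-src 'none'; "+
		"base-uri 'self'; frame-ancestors 'none'", nonce, nonce)
}

// withCSP wraps a handler: a fresh nonce per request, the header set before any body
// is written, and the nonce handed to the handler for its template.
func withCSP(next func(http.ResponseWriter, *http.Request, string)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		nonce, err := newNonce()
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Security-Policy", cspHeader(nonce))
		w.Header().Set("X-Frame-Options", "DENY") // legacy fallback for browsers without CSP
		next(w, r, nonce)
	})
}

func dashboard(w http.ResponseWriter, r *http.Request, nonce string) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if err := page.Execute(w, struct{ Nonce string }{nonce}); err != nil {
		log.Println("render:", err)
	}
}

// Handler is the wired-up dashboard route.
func Handler() http.Handler { return withCSP(dashboard) }

func main() {
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", Handler()))
}
```

Two properties are worth checking on any nonce-based policy: the nonce in the header must be the same one that appears on the page's own script tags, and it must differ on every response, since a nonce that is reused (or cached with the page) gives an attacker a value to copy.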
Data retention & transparency
We believe you should have full control over how long your data lives in our system.
Retention Policy: Synci follows a strict data retention policy. By default, most transaction data is retained for only 30 days before being purged from our primary systems. You can read our full Data Retention Policy here: Data retention
Right to Delete: If you choose to close your Synci account or disconnect a bank, we ensure that your sensitive credentials and synced identifiers are promptly and securely removed from our databases.
Pro Tip: Check Your Logs
For maximum transparency, Synci provides detailed Rule logs and Transfer logs in your dashboard. You can audit every action Synci takes on your data in real time, giving you total visibility into your financial automation.