Security Overview

Version 2.1  |  Last Updated: May 27, 2026  |  Synthfy LLC, Houston, TX

How Synthfy protects your data and ensures service reliability.

1. Data Encryption

• In transit: TLS 1.2/1.3 for all API communications, real-time secure streaming protocols, and data transfers
• At rest: AES-256 encryption for all stored data including call transcripts and user data
• OAuth tokens: AES-256-GCM with rotated encryption keys stored separately from application data
• Key management: Encryption keys are rotated regularly and stored separately from data

2. Infrastructure Security

• AI Voice Engine: Enterprise Serverless Cloud Infrastructure (US) — state-of-the-art secure streaming transit gateway; voice AI processed by Enterprise AI Cognitive Platform on Google Cloud Platform (high-performance multimodal speech processing pipeline, utilizing isolated secure project instances). Pre-warmed via 10-minute keep-alive cron to guarantee <2s call pickup.
• Dashboard & API: Railway (US) — secure serverless web application and encrypted relational database; auto-deploys from GitHub main branch
• Telephony: SignalWire — inbound/outbound calls and SMS
• DNS & Network: Cloudflare — DNS, DDoS protection, and edge security
• Monitoring: Automated health checks on 10-minute intervals

3. Application Security

• Authentication: NextAuth.js with secure session management; Google OAuth
• Passwords: bcrypt hashing, never stored in plaintext
• API Security: Rate limiting, input validation, CORS protection, HMAC-signed webhook verification between enterprise cloud environment and Railway
• CAPTCHA: Cloudflare Turnstile on signup to prevent bot account creation
• Dependencies: Regular updates and vulnerability scanning

4. Call Recording Security

• Call transcripts are encrypted immediately upon capture
• Access is restricted to the account owner only
• Automatic deletion after 90 days
• Mandatory AI and recording disclosure at the start of every call (two-party consent compliance)

5. Payment Security

Synthfy does not store credit card or bank account information. All payments are processed through PayPal, which maintains PCI-DSS Level 1 compliance.

6. Incident Response

• Detection: Automated monitoring and anomaly detection
• Containment: Immediate isolation of affected systems
• Notification: Customer notification within 72 hours of confirmed breach
• Remediation: Root cause analysis and prevention measures

7. Compliance Framework

Synthfy maintains compliance with: TCPA, CCPA, CAN-SPAM, state recording laws (including two-party consent states), California SB 1001 (Bot Disclosure Act), California SB 942 (AI Transparency Act), California AB 2905 (AI call disclosure), FTC Negative Option Rule, and California AB 2863 (Auto-Renewal Law).

Important: Synthfy is not HIPAA-certified and does not offer Business Associate Agreements (BAAs). Do not use Synthfy to process Protected Health Information (PHI). Synthfy is not SOC 2 certified.

8. Contact

• Security: [email protected]
• General: [email protected]