Security at Zyncro

We take security seriously. Your data is protected by industry-standard practices and enterprise-grade infrastructure.

How We Protect Your Data

Encryption at Rest & in Transit

All data is encrypted using AES-256 at rest and TLS 1.3 in transit. OAuth refresh tokens (Google, Zoom, Microsoft) are encrypted before storage — never stored in plaintext.

Native OAuth Integration Security

Calendar and video integrations (Google, Zoom, Microsoft Teams) use OAuth 2.0. Zyncro stores only encrypted refresh tokens — never your passwords. You can revoke access anytime from your integrations dashboard.

SSO & 2FA Support

Enterprise-grade authentication with Google/GitHub Single Sign-On and TOTP Two-Factor Authentication (compatible with Google Authenticator and Microsoft Authenticator).

Secure Infrastructure

Hosted on private secure cloud servers with proactive firewall and DDoS protection. Global CDN is used for optimized performance. Database communications encrypted via TLS.

Zero-Touch Payment Architecture

In Direct API mode, Zyncro routes payment data to the host's gateway without storing card details. For Zyncro-managed payouts, bank details are AES-256 encrypted and verified via AML-compliant manual review before any transfer.

Digital Integrity Seal

Every invoice contains a unique SHA-256 hash and UTC timestamp, making it legally valid under the Information Technology Act, 2000 and eligible for GST input credit.

XSS & Input Security

All user input is multi-layer sanitized using DOMPurify to prevent XSS attacks. CSRF protection is enforced on all state-changing endpoints via cryptographic tokens.

GDPR Compliant

Full right to erasure — account deletion wipes all personal data instantly. No ghost copies retained. Integrations can be independently revoked without deleting the account.

Certifications & Compliance

SOC 2 Aligned
In Progress
GDPR Compliant
Active
ISO 27001
Planned
HIPAA
Planned

Data Practices

9. Data Security

All OAuth tokens and sensitive credentials are encrypted at rest using AES-256 and in transit via TLS 1.3. Our infrastructure is hosted on private, hardened secure cloud servers with dedicated security monitoring. We conduct regular security reviews and operate under GDPR-aligned data practices.

Data Retention & Hard Delete

We believe you own your data. When you choose to delete your account from the Dashboard → Settings → Danger Zone, Zyncro performs a Hard Delete. All your personal data, including profile information, bookings, and encrypted integration tokens, are permanently wiped from our secure production servers and databases instantly. This action is irreversible, and data cannot be recovered once deleted.

Third-Party Access

We only share data with third parties when necessary to provide our services (e.g., payment processors). We never sell your data to advertisers.

Incident Response

We have a comprehensive incident response plan. In the event of a security breach, affected users will be notified within 72 hours as required by GDPR.

Report a Vulnerability

Found a security issue? We appreciate responsible disclosure. Please report vulnerabilities to our security team.

[email protected]