Vendor Due Diligence Vault
CCO Approval in Minutes, Not Weeks
Everything your compliance officer needs to approve Synseus, pre-packaged and ready to download.
Data Architecture
What We Store vs. What We Don't
What Synseus stores
- Practice-level analytics data and assessment responses
- Aggregated and anonymized SEC/IAPD public regulatory data
- OAuth integration tokens (encrypted at rest, AES-256-GCM)
- Usage metrics and platform activity logs
- Subscription and billing records (via Stripe — no card data stored)
What Synseus does NOT store
- Individual client names, account numbers, or SSNs
- Client investment holdings or transaction history
- Client net worth or personal financial data
- Any data entered into a client-facing communication
Data retention: Trial data is deleted 30 days after trial expiry. Paid subscriber data is retained for the duration of the subscription plus 90 days after cancellation, then permanently deleted on request.
Encryption: All data in transit is protected by TLS 1.3. OAuth credentials are encrypted at rest using AES-256-GCM.
Zero-PII Architecture
Your Clients' Data Never Leaves Your Browser
Synseus is designed around practice-level intelligence, not client data. Our analytical engine works exclusively with:
- Public SEC/IAPD regulatory filings (6,680 pre-geocoded RIA firms)
- Practice metrics you choose to enter (AUM, revenue, team size)
- Anonymized benchmark cohort data derived from aggregate platform usage
Our Chrome extension includes a client-side PII scrubber that detects and redacts Social Security Numbers, account numbers, credit card numbers, email addresses, phone numbers, and dates of birth locally in the browser before any data is transmitted to Synseus servers. This is enforced at the code level — not a policy.
On-Premises Deployment
On-Premises Option for Data-Sensitive Firms
For firms with strict data residency requirements or enterprise compliance mandates, Synseus supports fully on-premises deployment via Ollama / Llama 3.1. Under this configuration:
- Zero data leaves your infrastructure
- All AI inference runs on your own servers
- No Anthropic API calls are made
- Full platform functionality is preserved
Contact [email protected] to discuss on-premises deployment and receive our on-premises setup guide.
SOC 2 Roadmap
SOC 2 Type II — In Progress
Synseus is currently pursuing SOC 2 Type II certification. Expected completion: Q4 2026.
Interim controls currently in place:
- Role-based access control (RBAC) across all platform data
- Admin action audit logging with IP and user agent capture
Regulation S-P
Regulation S-P — 72-Hour Incident Notification
Under the SEC's amended Regulation S-P (effective November 2024), covered institutions must notify affected individuals of a data breach within 30 days. As a technology vendor to RIAs, Synseus maintains an incident response plan aligned to these requirements.
Detection & Containment
Upon detecting a potential incident, our security team isolates affected systems within 4 hours and initiates a forensic review. All affected API keys and OAuth tokens are rotated immediately.
Customer Notification — Within 72 Hours
Affected firm administrators receive a direct email from [email protected] within 72 hours of a confirmed breach, including: the nature of the incident, the data categories involved, the immediate remediation steps taken, and recommended actions for the firm's CCO.
Regulatory Support & Post-Incident Report
Within 14 days, Synseus provides a full post-incident report suitable for inclusion in your firm's SEC examination file, including root cause analysis, remediation timeline, and a signed attestation of corrective controls.
Downloads
Due Diligence Package
Request any of the following documents via email. All documents are provided within one business day.
Security Overview
Architecture diagram, encryption standards, access controls, and penetration testing summary.
Data Processing Agreement
Pre-signed DPA covering data controller/processor obligations, subprocessor list, and GDPR/CCPA addenda.
SOC 2 Interim Documentation
Current control evidence, risk register, and interim security attestation while the Type II audit is in progress.
Questions?
Our compliance team responds within one business day
Whether you need a custom questionnaire completed, a vendor risk assessment, or a live call with our security team — we're here.
[email protected]
© 2026 Synseus, Inc. All rights reserved.