Security & Privacy
How we protect your data.
Honest claims only. What we have today. What we're building. What we'll never do.
OUR PROMISE
Three things we will never do.
- We don't sell your data — ever. Not aggregate. Not anonymized. Not in any form. Operators pay us for the analysis; that's the only relationship.
- We don't train our shared AI on your data. Your data trains a model for you only. Cross-customer pattern detection (if you opt in) uses anonymized statistical signals — never raw records.
- We don't run on ads or sponsored data. No vendor pays to be recommended in your Brief. No partner gets favorable treatment. The recommendations are based on what we read, not who pays.
DATA HANDLING
Where your data lives, how it moves.
Your operational data (POS, reservations, reviews, accounting) is read on a scheduled cadence — usually every 5-15 minutes — into our analysis engine. We store only what we need to write tomorrow's Brief; raw transaction-level data is retained for 90 days then summarized.
- Encryption in transit: TLS 1.3 minimum on all connections (you to us, us to integrations).
- Encryption at rest: AES-256 on all customer data in our database and backups.
- Hosted on: Cloudflare (edge + Pages) and our analysis engine on dedicated tenant-isolated infrastructure.
- Backups: Daily encrypted snapshots, 30-day retention.
- Multi-region: Data residency options for Canadian and EU customers on request.
ACCESS CONTROL
Who can see what.
- Role-based access: Owners see everything. GMs see operational data. Department heads see their slice. Configured per-customer during onboarding.
- SSO support: SAML / OIDC for enterprise customers (Okta, Azure AD, Google Workspace).
- 2FA required: Two-factor authentication mandatory on all admin accounts.
- Audit log: Every access, every export, every config change logged for 12 months.
- Internal access: Syphor employees only access customer data with explicit consent for support cases. All access logged.
COMPLIANCE ROADMAP
Where we are. Where we're going.
Compliance certifications cost real money and take real time. Here's exactly where each one stands — no pretending we're somewhere we're not.
SOC 2 TYPE I IN PROGRESS
Vanta-managed, targeting month 6. Demonstrates we have controls designed correctly.
SOC 2 TYPE II PLANNED · MONTH 12
Demonstrates controls operating effectively over a 6-month window. Required for enterprise hospitality group sales.
GDPR CONFORMS
EU data residency on request, data subject rights honored, retention policies aligned with GDPR Article 5.
PCI DSS N/A · WE DON'T TOUCH CARDS
We read POS data but never card numbers. PCI compliance lives with your POS provider, not us.
INCIDENT RESPONSE
If something goes wrong.
- Detection: Automated monitoring on our infrastructure with alerts to the founding team.
- Notification: Affected customers notified within 24 hours of a confirmed incident. Public status page (planned: status.syphor.com) shows real-time service health.
- Post-mortem: Within 5 business days of incident resolution, customers receive a written post-mortem covering what happened, what we did, what we changed.
- Founder accountability: Critical incidents (data exposure, prolonged outage) get a phone call from a founder, not an email.
HONEST ACKNOWLEDGMENT
We're early. The full enterprise security posture (SOC 2 Type II, ISO 27001, FedRAMP) takes years to build properly. We're building it the right way, on a real timeline, with Vanta managing the controls and a real auditor on the other side. We will never pretend to have certifications we don't have. If a buyer needs a control we don't yet operate, we'll tell them — and we'll commit to a date.