Synq is a cloud application hosted with Google Cloud in Europe, provided to customers as a software as a service.
Synq is designed and operated with security at the top of mind and operates under the shared responsibility security model. Customer is responsible for security within the context of its use of Synq service, Synq is responsible for the security of the Synq service and shares responsibility with its cloud provider.
Synq high-level architecture
Data access level
Synq doesn’t access record-level data in the customer’s data platforms and operates strictly by querying metadata or aggregated metrics.
For the purpose of provisioning data reliability services, the Synq platform operates on multiple levels of access depending on functionality relevant to the customer’s use case:
- Access to log-level information for relevant data tools such as dbt, data warehouse, data orchestrators, and BI tools to provide data observability functionality such as parsing information about the execution of data transformation, lineage, logs, and alerting
- Access to information_schema in the data warehouse to understand freshness and volume of data across tables in the data warehouse to provide automated data anomaly detection
- Access to query aggregated metrics (count, sum, min, max, or similar) in selected tables if the customer wishes to deploy custom monitors to detect data anomalies across key segments of the customer’s data
- Access to code repository (Github, BitBucket, GitLab) to connect source code with data assets and facilitate data diagnostics workflows
Data Storage and Processing Locations
Synq consists of two components. A processing layer and a storage layer.
- Synq uses ClickHouse for data processing in EU-based locations.
- Synq uses Google Cloud Platform for storage with data stored in Europe.
Synq utilises Google Cloud to take advantage of the same secure-by-design infrastructure, built-in protection, and global network that Google uses to protect its information, identities, applications, and devices. We use Google Cloud Armor as a network security service and Google Cloud Monitoring to monitor the performance, availability, and health of the Synq applications and infrastructure.
Authentication and Authorization
Access to the application is secured by Auth0. Currently, we support two authentication modes: unique username/password pair generated for user or social login via Google Workspace.
Synq enables SSO via Google Workspace (but can add further apps based on requirements).
Synq is based on role-based access authorization and supports two user profiles – an administrator and an analyst.
Synq protects individual systems or information by means of cryptographic controls. All data in transit and at rest is encrypted by default.
- All data stored in Google Cloud is encrypted at the storage level using AES256. Data for storage is split into chunks, and each chunk is encrypted with a unique data encryption key.
- Data in transit between end users’ browsers and Synq Google Cloud cluster is encrypted with SSL with automatic certificate rotation managed by Google Cloud.
- ClickHouse encrypts information in transit by supporting TLS 1.2 and 1.3 when interacting with ClickHouse Cloud over the public internet.
- Data at rest is also encrypted using AES-256 encryption applied to AWS S3 buckets.
Synq provides implementing instructions for security incident response, to include definitions, procedures, responsibilities, and performance measures (metrics and reporting mechanisms).
Business Continuity and Disaster Recovery
Business processes supported by the system are identified, and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime.
Synq maintains a status page to provide real-time updates and inform customers of the status of each service. The status page is updated with details about an event that may cause service interruption / downtime. Synq’s status page: https://getsynq.statuspage.io
Data Retention Policy
Customer data is retained for as long as the account is in active status. Data enters an “expired” state when the account is voluntarily closed. Expired account data will be retained for 28 calendar days. After this period, the account and related data will be removed.
Report a vulnerability
If you believe you have found a security vulnerability on Synq, please let us know straight away. We will investigate all reports and do our best to fix valid issues quickly.
You can submit your report to our security team at firstname.lastname@example.org. We will respond as soon as possible.