SYNQ Security Policy
Summary
Synq is a cloud application hosted with Google Cloud in Europe, provided to customers as a software as a service.
Synq is designed and operated with security at the top of mind and operates under the shared responsibility security model. The customer is responsible for security within the context of its use of the Synq service; Synq is responsible for the security of the Synq service and shares responsibility with its cloud provider.
Synq high-level architecture
Data access level
Synq provides rich data monitoring and testing functionality which requires configurable levels of access to customer data depending on the use case. See below:
- [Minimal] access to logs for relevant data tools such as dbt, data warehouse, data orchestrators, and BI tools to provide data observability functionality such as parsing information about the execution of data transformation, lineage, logs, and alerting
- [Recommended] access to information_schema in the data warehouse to understand freshness and volume of data across tables in the data warehouse to provide automated data anomaly detection
- [Recommended] access to query logs to allow Synq to process query logs and expose additional functionality such as advanced lineage parsing, monitors automation or query analytics
- [Recommended] access to code repository (Github, BitBucket, GitLab) to connect source code with data assets and facilitate data diagnostics workflows
- [Where necessary] Access to relevant datasets to calculate aggregated metrics (count, sum, min, max, or similar) in selected tables if the customer wishes to deploy custom monitors to detect data anomalies across key segments of the customer’s data
- [Where necessary] Access to relevant datasets to execute SQL tests. Synq by default executes all testing expressions wrapped in a count(*) query, which means only the number of failures is processed and stored by Synq. The only exception is tests with the configuration option saveFailures=true, in which case failed row-level records are processed by Synq in transit and in memory for the purpose of writing logs to audit tables in the customer data platform. No data is persisted in Synq.
We strongly recommend that customers not give Synq broad data access (over-provisioned permissions) but rather configure the minimal data access necessary to allow Synq to deploy the required level of monitoring and tests.
Data Storage and Processing Locations
Synq consists of two components: a processing layer and a storage layer.
- Synq uses ClickHouse for data processing in EU-based locations.
- Synq uses Google Cloud Platform for storage with data stored in Europe.
Cloud Security
Synq utilises Google Cloud to take advantage of the same secure-by-design infrastructure, built-in protection, and global network that Google uses to protect its information, identities, applications, and devices. We use Google Cloud Armor as a network security service and Google Cloud Monitoring to monitor the performance, availability, and health of the Synq applications and infrastructure.
Authentication and Authorization
Access to the application is secured by Auth0. Currently, we support two authentication modes: a unique username/password pair generated for the user, or social login via Google Workspace.
Synq enables SSO via Google Workspace (but can add further apps based on requirements).
Synq is based on role-based access authorization and supports two user profiles – an administrator and an analyst.
Encryption
Synq protects individual systems or information by means of cryptographic controls. All data in transit and at rest is encrypted by default.
Google Cloud
- All data stored in Google Cloud is encrypted at the storage level using AES256. Data for storage is split into chunks, and each chunk is encrypted with a unique data encryption key.
- Data in transit between end users’ browsers and the Synq Google Cloud cluster is encrypted with SSL with automatic certificate rotation managed by Google Cloud.
ClickHouse
- ClickHouse encrypts information in transit by supporting TLS 1.2 and 1.3 when interacting with ClickHouse Cloud over the public internet.
- Data at rest is also encrypted using AES-256 encryption applied to AWS S3 buckets.
Incident Response
Synq provides implementing instructions for security incident response, including definitions, procedures, responsibilities, and performance measures (metrics and reporting mechanisms).
Business Continuity and Disaster Recovery
Business processes supported by the system are identified, and the impact of a system disruption to those processes is determined along with outage impacts and estimated downtime.
Synq maintains a status page to provide real-time updates and inform customers of the status of each service. The status page is updated with details about an event that may cause service interruption / downtime. Synq’s status page: https://getsynq.statuspage.io
Data Retention Policy
Customer data is retained for as long as the account is in active status. Data enters an “expired” state when the account is voluntarily closed. Expired account data will be retained for 28 calendar days. After this period, the account and related data will be removed.
Report a vulnerability
If you believe you have found a security vulnerability on Synq, please let us know straight away. We will investigate all reports and do our best to fix valid issues quickly.
You can submit your report to our security team at security@synq.io. We will respond as soon as possible.