SyneHQ is designed with a privacy‑by‑default architecture: queries execute in your environment, and we maintain a zero‑data‑footprint model for SaaS. Enterprise self‑hosting offers full control over data location, keys, and runtime.
Data handling
Topic | SaaS | Self‑Hosted (Enterprise) |
---|---|---|
Query execution | In your DBs; no data persisted by SyneHQ | In your environment |
Result caching | Ephemeral, encrypted, configurable | Customer‑controlled |
Logs & metrics | Metadata only; no sensitive payloads | Customer‑controlled |
Encryption
Native integration with Infisical for secrets lifecycle and encryption key management
In transit
- TLS 1.2+ for all client ↔ server and server ↔ data‑source traffic
- Strong cipher suites; HSTS on public endpoints
At rest
- SaaS: encrypted volumes and key management via CSP KMS
- Self‑hosted: use your KMS/HSM; enable disk/database encryption
Key management
- Rotated regularly; scoped, least‑privilege keys
- Option to integrate with customer KMS (enterprise)
Identity & access
Control | Details |
---|---|
SSO | SAML / OIDC (OAuth2) integrations |
RBAC | Least‑privilege roles at org, space, resource levels |
SCIM (enterprise) | Automated provisioning and de‑provisioning |
Session security | Short‑lived tokens, refresh rotation, device revocation |
Auditing
Audit logs
- Authentication and admin actions
- Connection and permission changes
- Query runs and dashboard shares (metadata only)
Export & retention
- Streaming to SIEM (enterprise): Splunk, Datadog, ELK
- Configurable retention policies (enterprise)
Compliance
Standard | Coverage |
---|---|
SOC2 Type II | Controls, continuous monitoring, third‑party audits |
GDPR | DPA, sub‑processor transparency, user rights workflows |
HIPAA (enterprise) | BAAs, technical and administrative safeguards |
PCI DSS (enterprise) | Segmented processing and hardened controls |
Network security
SaaS perimeter
- WAF, DDoS protection, rate limiting
- Strict CORS and CSP
Private access to data sources
- Use Local Connections via the Rabbit tunnel for on‑prem/private DBs
- IP allow‑listing and VPC/VNet peering options (enterprise)
Secrets & configuration
- Encrypted secrets storage; no plaintext in logs
- Per‑connection least‑privilege DB users recommended
- Optional customer‑managed secrets providers (enterprise)
- First‑class support for Infisical for centralized secrets, environment configs, and automatic rotation
Infisical can be used in both SaaS and self‑hosted deployments to manage application secrets, database credentials, and encryption keys. Typical setup: sync SyneHQ environment variables and connection credentials from Infisical projects and use just‑in‑time decryption at runtime.
Secure deployments
Deployment
SaaS, enterprise self‑hosted, or hybrid
Local Connections
Query private data via secure tunnels
Need a tailored security review or questionnaires (CAIQ, SIG)? Contact our enterprise team.