> ## Documentation Index
> Fetch the complete documentation index at: https://docs.synehq.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> How SyneHQ protects your data in SaaS and enterprise self‑hosted

<Info>
  SyneHQ is designed with a privacy‑by‑default architecture: queries execute in your environment, and we maintain a zero‑data‑footprint model for SaaS. Enterprise self‑hosting offers full control over data location, keys, and runtime.
</Info>

## Data handling

| Topic           | SaaS                                     | Self‑Hosted (Enterprise) |
| --------------- | ---------------------------------------- | ------------------------ |
| Query execution | In your DBs; no data persisted by SyneHQ | In your environment      |
| Result caching  | Ephemeral, encrypted, configurable       | Customer‑controlled      |
| Logs & metrics  | Metadata only; no sensitive payloads     | Customer‑controlled      |

## Encryption

> Native integration with <a target="_blank" href="https://infisical.com">**Infisical**</a> for secrets lifecycle and encryption key management

<AccordionGroup>
  <Accordion title="In transit">
    * TLS 1.2+ for all client ↔ server and server ↔ data‑source traffic
    * Strong cipher suites; HSTS on public endpoints
  </Accordion>

  <Accordion title="At rest">
    * SaaS: encrypted volumes and key management via CSP KMS
    * Self‑hosted: use your KMS/HSM; enable disk/database encryption
  </Accordion>

  <Accordion title="Key management">
    * Rotated regularly; scoped, least‑privilege keys
    * Option to integrate with customer KMS (enterprise)
  </Accordion>
</AccordionGroup>

## Identity & access

| Control           | Details                                                 |
| ----------------- | ------------------------------------------------------- |
| SSO               | SAML / OIDC (OAuth2) integrations                       |
| RBAC              | Least‑privilege roles at org, space, resource levels    |
| SCIM (enterprise) | Automated provisioning and de‑provisioning              |
| Session security  | Short‑lived tokens, refresh rotation, device revocation |

## Auditing

<AccordionGroup>
  <Accordion title="Audit logs">
    * Authentication and admin actions
    * Connection and permission changes
    * Query runs and dashboard shares (metadata only)
  </Accordion>

  <Accordion title="Export & retention">
    * Streaming to SIEM (enterprise): Splunk, Datadog, ELK
    * Configurable retention policies (enterprise)
  </Accordion>
</AccordionGroup>

## Compliance

| Standard             | Coverage                                               |
| -------------------- | ------------------------------------------------------ |
| SOC2 Type II         | Controls, continuous monitoring, third‑party audits    |
| GDPR                 | DPA, sub‑processor transparency, user rights workflows |
| HIPAA (enterprise)   | BAAs, technical and administrative safeguards          |
| PCI DSS (enterprise) | Segmented processing and hardened controls             |

## Network security

<AccordionGroup>
  <Accordion title="SaaS perimeter">
    * WAF, DDoS protection, rate limiting
    * Strict CORS and CSP
  </Accordion>

  <Accordion title="Private access to data sources">
    * Use **Local Connections** via the Rabbit tunnel for on‑prem/private DBs
    * IP allow‑listing and VPC/VNet peering options (enterprise)
  </Accordion>
</AccordionGroup>

## Secrets & configuration

* Encrypted secrets storage; no plaintext in logs
* Per‑connection least‑privilege DB users recommended
* Optional customer‑managed secrets providers (enterprise)
* First‑class support for **Infisical** for centralized secrets, environment configs, and automatic rotation

<Info>
  Infisical can be used in both SaaS and self‑hosted deployments to manage application secrets, database credentials, and encryption keys. Typical setup: sync SyneHQ environment variables and connection credentials from Infisical projects and use just‑in‑time decryption at runtime.
</Info>

## Secure deployments

<CardGroup cols={2}>
  <Card title="Deployment" icon="cloud" href="/get-started/deployment">
    SaaS, enterprise self‑hosted, or hybrid
  </Card>

  <Card title="Local Connections" icon="bridge" href="/features/local-connections">
    Query private data via secure tunnels
  </Card>
</CardGroup>

<CardGroup cols={2}>
  <Card title="Infisical" icon="lock" href="https://infisical.com/">
    KMS & secrets management used with SyneHQ
  </Card>
</CardGroup>

<Note>
  Need a tailored security review or questionnaires (CAIQ, SIG)? Contact our enterprise team.
</Note>
