Security & Trust
How Syncora protects partner data and player information across the platform.
Partner-isolated architecture
Each partner operates in an isolated tenant boundary enforced by row-level security. Data, integrations, and messaging config never cross tenants.
API-key secured server integrations
Server-to-server APIs require scoped API keys. Sensitive endpoints validate keys, IP allowlists, and HMAC signatures where applicable.
Short-lived widget tokens
Player-facing widgets authenticate via short-lived, server-minted tokens. Raw partner API keys never touch the browser.
Role-based backoffice access
Operator accounts are governed by roles and granular permissions, evaluated on every server call — not just in the UI.
Audit logs and event tracking
Backoffice actions and player lifecycle events are recorded, providing a reviewable trail for CRM, VIP, and bonus operations.
GDPR-conscious data handling
We minimise personal data, honor partner-controlled processing instructions, and support data subject request workflows.
Scope of these statements
This page describes controls that are enabled today in the Syncora Lab platform. It does not claim ISO 27001, SOC 2, MGA licensing, or completed independent penetration testing. For security questionnaires or a security review call, contact legal@syncoralab.com.