Compliance
Synapse Layer is designed for alignment with LGPD and GDPR privacy principles. This page documents the specific mechanisms that support compliance posture.
On this page
Compliance Posture
Warning
The architecture includes several mechanisms that support compliance with privacy regulations, but formal certification requires third-party audit and assessment specific to each deployment context.
Consent Management
Synapse Layer includes a built-in LGPD Consent Engine with the following capabilities:
| Endpoint | Purpose |
|---|---|
| POST /api/v1/consent | Record consent for data processing |
| GET /api/v1/consent | Retrieve current consent status |
| DELETE /api/v1/consent/[agentId] | Revoke consent for a specific agent |
Consent records are stored in the ConsentRecordmodel with timestamps and scope information.
Data Minimization
Several mechanisms support the data minimization principle:
- PII sanitization — Automatically removes personal data before storage
- Forensic hashing — SHA-256 hashes replace raw PII (audit without retention)
- Aggressive mode — Optional stricter sanitization that strips proper nouns
- Differential privacy — Noise injection prevents content reconstruction from embeddings
Right to Delete
Users can delete their memories through:
- The
delete_memoryMCP tool - The REST API delete endpoint
- The Forge Dashboard UI
Deletion removes the memory record, encrypted content, and embedding from the database. Audit trail records (ForgeEvent) are retained for operational integrity but contain no PII (sanitized before logging).
Data Isolation
Tenant isolation ensures that each user’s data is completely separated:
- 1 user = 1 tenant = 1 isolated memory space
- Tenant ID is auth-derived (cannot be spoofed via request parameters)
- No cross-tenant query paths exist at the database level
- Admin interfaces are restricted to platform operators, not user data
BAA Availability
Business Associate Agreements (BAA) are available on request for Enterprise plan customers, subject to contract review. Contact the team for details.
Limitations
Important Disclaimers
- Synapse Layer is not LGPD certified
- Synapse Layer is not GDPR certified
- No third-party compliance audit has been published
- Compliance is a shared responsibility between the platform and the data controller
- The mechanisms described here support but do not guarantee regulatory compliance