Compliance

Synapse Layer is designed for alignment with LGPD and GDPR privacy principles. This page documents the specific mechanisms that support compliance posture.

Compliance Posture

Warning

Synapse Layer is designed for LGPD/GDPR alignment. It is not formally certified as LGPD or GDPR compliant. Compliance ultimately depends on how the system is configured and integrated by the data controller.

The architecture includes several mechanisms that support compliance with privacy regulations, but formal certification requires third-party audit and assessment specific to each deployment context.

Data Minimization

Several mechanisms support the data minimization principle:

  • PII sanitization — Automatically removes personal data before storage
  • Forensic hashing — SHA-256 hashes replace raw PII (audit without retention)
  • Aggressive mode — Optional stricter sanitization that strips proper nouns
  • Differential privacy — Noise injection prevents content reconstruction from embeddings

Right to Delete

Users can delete their memories through:

  • The delete_memory MCP tool
  • The REST API delete endpoint
  • The Forge Dashboard UI

Deletion removes the memory record, encrypted content, and embedding from the database. Audit trail records (ForgeEvent) are retained for operational integrity but contain no PII (sanitized before logging).

Data Isolation

Tenant isolation ensures that each user’s data is completely separated:

  • 1 user = 1 tenant = 1 isolated memory space
  • Tenant ID is auth-derived (cannot be spoofed via request parameters)
  • No cross-tenant query paths exist at the database level
  • Admin interfaces are restricted to platform operators, not user data

BAA Availability

Business Associate Agreements (BAA) are available on request for Enterprise plan customers, subject to contract review. Contact the team for details.

Limitations

Important Disclaimers

  • Synapse Layer is not LGPD certified
  • Synapse Layer is not GDPR certified
  • No third-party compliance audit has been published
  • Compliance is a shared responsibility between the platform and the data controller
  • The mechanisms described here support but do not guarantee regulatory compliance