Security Overview

Synapse Layer is built with a privacy-first, secure-by-design philosophy. Security is not an add-on — it is embedded in every layer of the architecture.

Security Model

The Synapse Layer security model addresses four threat categories:

Data at Rest

AES-256-GCM encryption with per-operation random IV and GCM auth tag validation.

Data in Content

Semantic Privacy Guard™ removes PII before storage using 12+ pattern categories.

Data in Vectors

ε-differential privacy via calibrated Gaussian noise prevents embedding inversion.

Access Control

Multi-tenant isolation with auth-derived tenant IDs. No cross-tenant access paths exist.

Security Layers

Three independent, non-bypassable security layers protect every memory operation:

LayerProtectionConfigurable?
Semantic Privacy Guard™PII redaction in contentYes (on by default)
Differential PrivacyNoise injection in embeddingsYes (on by default)
Intelligent Intent Validation™Content classification + safety promotionNo (always active)

Authentication & Authorization

  • Connect Tokens — SHA-256 hashed before storage; one-time visible on creation
  • OAuth 2.0 + PKCE — S256 code challenge method; authorization code flow
  • Session management — NextAuth with JWT strategy
  • MCP authentication — via x-connect-token header or Authorization bearer

Note

Unauthenticated requests always return an authentication error, never empty data. This is the fail-closed principle in action.

Data Isolation

  • Tenant ID is derived from the authenticated session, not from request parameters
  • tenantId is a NOT NULL column on every memory record
  • All queries include tenant filtering at the database level
  • No admin or API override exists for cross-tenant access

Audit & Observability

Every security-relevant operation is auditable:

  • Store results include sanitization stats, privacy parameters, and validation details
  • ForgeEvent table provides immutable operation logging
  • CognitiveAudit records security pipeline decisions
  • Health check endpoints expose latency and capability status

Security Posture

Active Protections

  • AES-256-GCM encryption at rest with per-operation random IV
  • PII sanitization with forensic hashing
  • Differential privacy on embeddings
  • Fail-closed authentication
  • Tenant isolation at database level

Honest Limitations

  • Encryption is server-side (not client-side/end-to-end)
  • PII detection is regex-based (not NLP/ML-based)
  • No formal LGPD/GDPR certification (designed for alignment)
  • No third-party security audit published