Trust Centre

Security built for financial infrastructure

Synthetic Reality is built from the ground up to operate within the security perimeter of systemically important financial institutions. Our controls, certifications, and architecture reflect that responsibility.

Independently verified controls

SOC 2 Type II

Current

Annual audit covering Security, Availability, Processing Integrity, and Confidentiality trust service criteria. Reports available to prospective clients under NDA.

Auditor: independent Big Four firm · Annual cycle

ISO 27001:2022

Current

Information security management system certification covering our corporate environment, platform infrastructure, and software development lifecycle.

Certification body: accredited registrar · 3-year cycle with surveillance audits

CSA STAR Level 1

Current

Cloud Security Alliance Security, Trust, Assurance and Risk registry entry with self-assessment questionnaire publicly available on the CSA STAR registry.

Registry: CSA STAR · Annual renewal

PIPEDA & Law 25

Current

Full compliance with the Personal Information Protection and Electronic Documents Act and Québec's Law 25, including mandatory breach notification and data residency controls.

Jurisdiction: Canada · Privacy Officer designated

Controls across every layer

Access Control

Every human and machine identity is granted the minimum access required, enforced at the data, model, and API layers independently.

  • Role-based access control with attribute-based policy extensions for complex org structures
  • SSO via SAML 2.0 and OIDC, with MFA enforced for all console access
  • Privileged access management for infrastructure — just-in-time elevation with automated expiry
  • Service-to-service authentication via short-lived mTLS certificates, not long-lived static credentials

Data Encryption

All data is encrypted at rest and in transit. Key management is kept entirely separate from data storage, and keys are rotated on a defined schedule.

  • AES-256 encryption at rest for all persistent storage, including database volumes, object storage, and backups
  • TLS 1.3 enforced for all data in transit, including internal service-to-service communication
  • Customer-managed encryption keys (CMEK) available for clients requiring key sovereignty
  • Hardware security modules (HSMs) for root key material in all production regions

Monitoring & Detection

Continuous threat detection across our infrastructure, with automated response playbooks and a defined escalation path to our security team around the clock.

  • SIEM ingesting logs from all infrastructure layers with automated anomaly detection and correlation rules
  • Runtime threat detection on container workloads with automatic isolation of compromised nodes
  • 24/7 alert monitoring with defined SLAs for initial triage by severity tier
  • Tamper-evident audit logs for all infrastructure changes, with separate write-once storage
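The "tamper-evident" property in the last bullet is usually achieved by hash-chaining audit records and periodically anchoring the chain head in storage the writer cannot alter. The following Python is an added illustration of that technique, not Synthetic Reality's own logging code; the record layout, the genesis value, and the sample events are all constructed for the example.

```python
import copy
import hashlib
import json

# Prev-pointer of the first entry in an empty chain (constructed convention).
GENESIS_HASH = "0" * 64


def _entry_hash(seq, prev_hash, event):
    # Canonical JSON (sorted keys, no whitespace) so an event hashes the same
    # regardless of how the dict was built.
    material = json.dumps(
        {"seq": seq, "prev": prev_hash, "event": event},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def append_entry(chain, event):
    """Append an event, linking it to the hash of the previous entry."""
    seq = len(chain)
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    entry = {"seq": seq, "prev": prev_hash, "event": event,
             "hash": _entry_hash(seq, prev_hash, event)}
    chain.append(entry)
    return entry


def verify_chain(chain, anchor=None):
    """Recompute every link from the genesis hash.

    Returns (True, None) if the chain is intact, else (False, seq) where seq
    is the first entry that fails. `anchor` is the head hash previously
    copied to separate write-once storage; supplying it also catches a chain
    that was silently truncated after the anchor was taken.
    """
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev_hash:
            return False, i
        if entry["hash"] != _entry_hash(i, prev_hash, entry["event"]):
            return False, i
        prev_hash = entry["hash"]
    if anchor is not None and prev_hash != anchor:
        # Every surviving entry verifies, but the head differs from the
        # anchored value: entries were removed from the tail.
        return False, len(chain)
    return True, None


def demo():
    """Build a three-entry chain, then show how an edited entry and a
    truncated chain look to the verifier. Events are constructed samples."""
    chain = []
    for event in [
        {"actor": "deploy-bot", "action": "apply", "target": "prod/ingress"},
        {"actor": "alice", "action": "jit-elevate", "target": "prod/db", "ttl_min": 30},
        {"actor": "alice", "action": "jit-expire", "target": "prod/db"},
    ]:
        append_entry(chain, event)
    anchor = chain[-1]["hash"]  # the value that would go to write-once storage

    edited = copy.deepcopy(chain)
    edited[1]["event"]["actor"] = "mallory"  # rewrite history in place

    truncated = chain[:-1]  # drop the expiry record entirely

    return {
        "intact": verify_chain(chain, anchor),
        "edited": verify_chain(edited, anchor),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_with_anchor": verify_chain(truncated, anchor),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the last two results is that a hash chain on its own cannot tell a clean chain from one whose tail was deleted; only the anchor held outside the writer's reach makes truncation visible, which is why the write-once copy matters as much as the chaining.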

Vulnerability Management

Continuous scanning, scheduled penetration testing, and a formal patch management programme keep our attack surface minimal and our software current.

  • Automated dependency scanning and container image scanning on every build, blocking critical CVEs from reaching production
  • Annual full-scope penetration test by an independent third-party firm, with summary report available to clients under NDA
  • Defined SLAs for patch deployment: critical CVEs within 24 hours, high within 7 days, medium within 30 days
  • Infrastructure immutability — no direct access to production hosts; all changes deployed via automated pipelines

Tenant Isolation

Each client institution operates in a hard-isolated tenant. Isolation is enforced at every layer — not as a configuration option, but as an architectural invariant.

  • Dedicated Kubernetes namespaces with network policies preventing any cross-tenant communication at the network layer
  • Separate database schemas with per-tenant encryption keys — a key compromise in one tenant cannot affect another
  • API gateway enforces tenant context on every request, with cryptographic binding between tokens and tenant identifiers
  • Tenant isolation verified in every penetration test engagement as a primary test objective
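The gateway bullet above describes a cryptographic binding between tokens and tenant identifiers. The Python below is an added example of what that check involves; it is not Synthetic Reality's gateway code. It assumes an HMAC-signed token carrying a tenant claim, a path convention of /v1/tenants/<tenant_id>/..., and a constructed signing key, none of which the page specifies.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example key. A real gateway would load this from a secret
# store and rotate it; it is here only so the block runs stand-alone.
SIGNING_KEY = b"example-gateway-key-not-for-production"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body, key):
    return _b64url(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())


def issue_token(subject, tenant_id, ttl_seconds=300, key=SIGNING_KEY, now=None):
    """Mint a short-lived token whose tenant claim ('tid') is covered by the MAC."""
    issued = int(time.time() if now is None else now)
    claims = {"sub": subject, "tid": tenant_id, "exp": issued + ttl_seconds}
    body = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    return body + "." + _sign(body, key)


def verify_token(token, key=SIGNING_KEY, now=None):
    """Check the MAC before trusting any claim, then check expiry."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    if not hmac.compare_digest(sig.encode("ascii"), _sign(body, key).encode("ascii")):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    current = time.time() if now is None else now
    if claims["exp"] < current:
        raise ValueError("token expired")
    return claims


def authorize_request(token, path, now=None):
    """Gateway check: the tenant named in the path must equal the tenant
    bound into the token. Returns (True, claims) or (False, reason).
    Path layout /v1/tenants/<tenant_id>/... is an assumption of this example."""
    try:
        claims = verify_token(token, now=now)
    except ValueError as exc:
        return False, f"token rejected: {exc}"
    segments = path.split("/")
    if len(segments) < 4 or segments[1] != "v1" or segments[2] != "tenants":
        return False, "path carries no tenant context"
    if not hmac.compare_digest(segments[3].encode("utf-8"), claims["tid"].encode("utf-8")):
        return False, "tenant mismatch"
    return True, claims


def forge_tenant(token, new_tenant):
    """Rewrite the tenant claim without re-signing, which is all an attacker
    holding a bank-a token but not the gateway key can do."""
    body, sig = token.split(".")
    claims = json.loads(_b64url_decode(body))
    claims["tid"] = new_tenant
    forged_body = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    return forged_body + "." + sig


def demo(now=1_700_000_000):
    """Constructed requests: same tenant, cross-tenant, forged claim, expired."""
    token = issue_token("alice@bank-a.example", "bank-a", now=now)
    later = now + 60
    return {
        "own_tenant": authorize_request(token, "/v1/tenants/bank-a/models", now=later)[0],
        "other_tenant": authorize_request(token, "/v1/tenants/bank-b/models", now=later),
        "forged": authorize_request(forge_tenant(token, "bank-b"), "/v1/tenants/bank-b/models", now=later),
        "expired": authorize_request(token, "/v1/tenants/bank-a/models", now=now + 3600),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two details carry the security argument: the MAC is verified before any claim is read, so a rewritten tenant claim is rejected as a bad signature rather than being compared at all, and the tenant comparison is done against the path on every request rather than once at login, so a valid bank-a token gets nothing from bank-b's routes.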

Incident Response

A documented incident response plan with defined roles, communication templates, and regulatory notification procedures — tested via tabletop exercises annually.

  • Incident severity tiers with defined response SLAs: P1 initial response within 15 minutes, client notification within 1 hour
  • Dedicated incident commander role with pre-approved communication authority to expedite client and regulator notifications
  • Post-incident review and root cause analysis delivered to affected clients within 5 business days of resolution
  • Mandatory breach notification to regulators within statutory timeframes, with legal counsel engaged at P1 declaration

Security specifications

A complete picture of the technical controls governing our platform infrastructure — available in expanded form to client security teams conducting due diligence.

Uptime SLA: 99.99%
Critical CVE patch SLA: 24 hours
Audit log retention: 7 years

Encryption at rest: AES-256-GCM. All database volumes, object storage, backups, and model artefacts. Keys managed via cloud KMS with HSM-backed root material.

Encryption in transit: TLS 1.3 minimum. Enforced for all external and internal traffic; TLS 1.0 and 1.1 explicitly disabled. Certificate rotation automated via cert-manager.

Network architecture: Private VPC per tenant. No public endpoints on data-plane services. All client connectivity via VPC peering, AWS PrivateLink, or Azure Private Endpoint.

Secret management: HashiCorp Vault. Dynamic secrets with automatic rotation. No long-lived static credentials in application code or environment variables.

Backup & recovery: RPO 1 hour / RTO 4 hours. Automated daily snapshots with continuous WAL archiving. Cross-region backup replication. Recovery tested quarterly.

Pen test frequency: Annual + on major release. Full-scope external penetration test annually. Targeted tests on new major capabilities before production release.

Report a vulnerability

We take security reports seriously and commit to responding quickly, working collaboratively with researchers, and recognising contributions that improve the security of our platform.

We do not pursue legal action against researchers who discover and report vulnerabilities in good faith in accordance with this policy. We ask that you do not access or modify client data, disrupt platform availability, or disclose findings publicly before we have had a reasonable opportunity to remediate.

Submit a security report

Use PGP encryption for sensitive reports. Our public key is available on request.

security@syntheticreality.ca
1. Submit your report
   Email security@syntheticreality.ca with a clear description of the vulnerability, steps to reproduce, and your assessment of potential impact. PGP encryption available on request.

2. Acknowledgement within 24 hours
   We will acknowledge receipt of your report within 24 hours and provide a tracking reference number for follow-up.

3. Triage and severity assessment
   Our security team assesses severity using CVSS 4.0 and communicates our assessment and expected remediation timeline within 5 business days.

4. Remediation and recognition
   We remediate within our published SLAs and, with your consent, acknowledge your contribution in our security hall of fame following public disclosure.

Need our full security documentation package?

SOC 2 report, penetration test summary, data processing agreement, and architecture security overview — available to prospective clients under NDA.