Syncro is committed to maintaining the security of its products and is aware of the risk associated with remote management. See our Security and Reliability Safeguards page for an overview. To better address your concerns, see our answers to FAQs below.
What security precautions are in place internally?
We have many.
- We require MFA on all user accounts.
- We do regular penetration tests.
- We perform internal risk assessments.
- We have an active bug bounty program.
- We do threat modeling on new features, and even have new features independently pen tested.
- We strive for the principle of least privilege; for example, our employees cannot trigger actions on endpoints.
- If a new device logs in to a user account, you get an email about it.
- For every major incident that hits the news, we strategize about enhancements we can make based on what we learned from it.
- We ensure that we are HIPAA and GDPR compliant.
- We have a dedicated and credentialed security team that directly oversees security in our software. This in-house team works on maintaining our security stance and roadmap, and performs monitoring, testing, and development.
How is data stored on your servers encrypted?
It is logically segmented, and secure fields are encrypted with industry-standard technology to ensure that sensitive information is protected from unauthorized use or access.
How is data in transit encrypted?
We use and enforce TLS encryption for all traffic between our services and between our users and our systems.
How secure are your platform providers?
Our platform providers (AWS, etc.) have their own independent security programs and perform their own routine scans and updates, ensuring that our services are always hosted in the most up-to-date infrastructure available.
How is my MSP tenant data secured from other MSP tenants?
Tenants are isolated from one another by architectural design and can access only data that they own or are authorized to view.
Is there a web application firewall protecting the Syncro Admin and Customer portals?
We use an application firewall solution and also leverage services that provide a robust firewall interface.
How are Splashtop remote sessions secured?
Please see Splashtop's security documentation.
Is Syncro able to provide any type of audit or penetration test reports confirming the security of the infrastructure?
We share your concerns about the importance of security in our services. Some of our testing and auditing includes:
- We have an independent third party perform an annual system pentest.
- We have significant new features or service offerings tested and security issues addressed prior to release.
- We obtain an annual audit of internal systems and procedures to ensure HIPAA and GDPR compliance.
- We have been certified through The Compliancy Group as HIPAA compliant.
It is our policy not to offer these results publicly in the interest of the security and confidentiality of our systems and to better ensure system integrity as we address issues. You can, however, be assured that each security issue is treated as a priority by our security team.
What is your disaster recovery plan?
We have a plan for restoring backups and services in the event of a disaster, and we can also rely on the failover and availability SLAs of our providers.
Do you have security breach protocol documentation?
We follow responsible disclosure guidelines and directives as outlined by US law. We also have an incident response notification process and procedure for responding to and addressing erroneous or anomalous system behavior.
How does Syncro know that every update that is available to its users and users’ customers is clean from cyber threats?
Syncro places security at the forefront of our priorities, beginning with our development process. All code contributions and deployments are reviewed for completeness, accuracy, and compliance with standards including security requirements. Our release process is verbose, with priority monitoring for resulting effects following any deployment. Additionally, any new feature receives a security audit for potential security vulnerabilities. We are working to put additional internal features, policies, and practices in place, which will continue to bolster the Syncro security stance on an ongoing basis.
Is there any form of a kill switch to end all connections to assets if access is compromised?
If you were to remove the Asset from Syncro, this would sever the connection to the Agent. Additionally, shutting off the computer or disconnecting it from the internet does the same. For communication to be viable, the Agent must be installed and connected to the internet, and must exist in Syncro. You can lock out a bad actor by simply changing their credentials. Should someone start misusing our platform beyond logging in through the “front door,” we would shut down the action queue on our end (basically, use our kill switch).
Why do you use Chocolatey when it is a public repository?
We understand your concerns, which typically do affect public code repositories. These tools are still owned and maintained by the organizations providing them, so they are not open source in the sense that anyone could submit a hidden change. In addition, the community Chocolatey repo has its own thorough review process before new updates can be added.
The enterprise version of this service is intended for organizations that publish their own software and need a private way to serve those applications without making them publicly available, or to provide a fixed version or set of applications to their organization. Our software only provides a mechanism for remotely managing applications available from this repository, which ensures clients have the most up-to-date tools, including security updates, for their organization.
Should you require additional security, it is possible to disable the policies related to Chocolatey and manage it manually. Please see Chocolatey’s documentation for additional information on hosting your own internal repository. This page of theirs might be a relevant starting point:
Rigorous Moderation Process for Community Packages
Have additional questions? Please contact firstname.lastname@example.org.