Security · Updated 15 April 2026
Security at Syntharra
Syntharra handles accounts-receivable data and places phone calls on your customers’ behalf. That work carries real responsibility. This page describes the stage of our external audits, how data is encrypted, which subprocessors we use, what information leaves your accounting system (and what never does), and how to report a security issue.
We aim to be exact, not aspirational. If a claim on this page is not literally true today, it is not on this page.
SOC 2 audit stage
SOC 2 Type I is in preparation. Type II is planned for 2026 / 2027.
We have not yet completed a SOC 2 audit. We are working toward a Type I report (point-in-time attestation of control design) as our first milestone, followed by Type II (12-month operating-effectiveness audit). We will publish the auditor and report date here the moment a report is signed.
We are aware that many vendors claim “SOC 2” without a completed audit. We will not. Ask us for a letter from our audit firm whenever you want to verify our audit stage.
Encryption
- At rest: All application data is stored in Supabase-managed Postgres with AES-256 encryption applied by the platform to the underlying volumes. OAuth tokens are additionally encrypted at the column level.
- In transit: TLS 1.2+ on every inbound and outbound connection. HSTS is set on all public-facing hostnames. Internal service-to-service traffic rides the same TLS stack.
- Secrets: API keys for Stripe, Retell, Telnyx, Anthropic, and Supabase are held in an encrypted vault and never committed to source control.
Subprocessors
The following service providers receive the minimum data needed to perform their function. This list matches our Privacy Policy and is updated whenever either document changes.
| Provider | Purpose |
|---|---|
| Stripe | Payment processing and connected-account management. |
| Retell AI | AI voice agent platform for outbound calls. |
| Telnyx | Telephony carrier for outbound calls and SMS. |
| Supabase | Managed Postgres database with Row Level Security. |
| Anthropic | LLM API for conversational flow during calls. |
We do not add a new subprocessor without updating this list. Clients on enterprise agreements receive 30 days’ written notice before a new subprocessor goes live.
What leaves your system, and what never does
What Syntharra reads from QuickBooks / your accounting system:
- Invoice number
- Invoice amount and currency
- Due date and days past due
- Debtor display name and contact phone / email
- Payment status transitions (for call suppression)
What Syntharra never reads, stores, or transmits:
- Bank account numbers, routing numbers, or ACH credentials
- Social Security Numbers or any other government identifier
- Card PANs, CVVs, or any raw payment card data (those flow directly through Stripe)
- Line-item product or service details beyond the total amount
- Any employee payroll or HR data in your accounting system
Access controls & tenant isolation
- Row Level Security (RLS) policies in Supabase enforce client-level isolation on every query.
- Only authorized staff with a business need may access production data; access is audited.
- All production changes ship through reviewed pull requests and CI checks.
- OAuth tokens for accounting integrations can be revoked by you at any time from your accounting provider’s settings.
Incident response & disclosure
If you believe you have found a security vulnerability in Syntharra, please email security@syntharra.com. We acknowledge reports within one business day and give you an honest timeline for remediation.
We do not currently run a paid bug-bounty program, but we will thank you publicly (if you want) and prioritize fixes proportionate to impact. Please give us a reasonable window before public disclosure.
Related
- Compliance — TCPA, FDCPA, state call windows.
- Privacy Policy — data retention, subject rights, DNC.
- Terms of Service — master agreement for using Syntharra.