Data Security
How SynovAI protects your data and intellectual property. Last reviewed 2026-05-04.
Access Control
Access to the SynovAI platform requires authentication. Users are assigned to permission groups that control which models and features they can access. Enterprise customers can use Microsoft Entra ID (Azure AD) single sign-on to manage access through their existing identity infrastructure. Access can be revoked immediately by an administrator.
Data Isolation
Your submissions, results, and molecular data are associated with your account and are not visible to other users. Uploaded chemical catalogs are stored per-user and not shared across accounts. Task results, favorite routes, reagent flags, and feedback are all scoped to the authenticated user. Team-scoped catalogs and shared task views require explicit membership and are not accessible to non-members.
Encryption
All traffic to and from the platform is encrypted in transit using TLS 1.2 or higher, terminated at the edge. Data at rest — including the application database, backups, and object storage — is encrypted using AES-256. API keys and session tokens are stored as one-way hashes; we cannot read them back even from our own database.
Submission Confidentiality
Molecular structures submitted to the platform are used solely for generating retrosynthesis routes and related analysis for your session. We do not use customer task data to train or fine-tune our models without your explicit written consent. Your molecular IP remains yours; see our Terms of Use for the IP-ownership posture.
Infrastructure
The platform runs on dedicated infrastructure. Database access is restricted to application services and is not exposed to the public internet. Deployments use a blue-green strategy to minimize downtime and enable instant rollback. Production and staging are isolated. The application has a deep healthcheck endpoint that probes the database, queue, and model servers. Circuit breakers in front of external dependencies (PubChem, payment processor, model servers) let the application degrade gracefully when an upstream is slow or unreachable.
Backups and Retention
The application database is backed up at least daily; backups are retained for 30 days and are encrypted at rest. Backups are stored in a separate failure domain from the live database. We can restore to any point in the retention window within hours. When a customer requests account deletion, we delete production data immediately and purge the corresponding backup data within the standard retention window unless a longer retention is required by law (e.g., tax records).
Authentication and Sessions
Authentication is handled through industry-standard protocols. Session tokens are signed and stored in HttpOnly, Secure cookies; they are never written to browser local storage. Enterprise SSO integrations use OAuth 2.0 / OpenID Connect through Microsoft Entra ID. API keys are scoped to the issuing user, can be rotated or revoked at any time, and are rate-limited per key.
Sub-processors
We use a small number of vetted third-party services to operate the platform. They process only the data necessary for their function:
- Stripe — payment processing for paid tiers. Receives billing contact, line items, and payment-method tokens. Never receives molecular data.
- PubChem (NIH) — public chemical catalog lookups for vendor and pricing data. Receives anonymized structure queries; no account identifiers.
- Model serving — retrosynthesis predictions run on dedicated compute. Receives the target structure and pipeline parameters for the duration of inference; no account identifiers are persisted on the model server.
- Email delivery — transactional email (account verification, team invites, billing receipts). Receives only the recipient address and message body. Marketing email is opt-in.
We add or change sub-processors only when necessary to operate the platform and we list material changes here. Enterprise customers can request advance notice of changes as part of a customer-specific data-processing arrangement.
Incident Response
We monitor platform health continuously and maintain a documented incident-response playbook covering the most likely failure classes. In the event of a confirmed security incident affecting customer data, we will notify affected customers without undue delay and in any case within 72 hours of confirmation, with the information available at the time and follow-up communications as the investigation continues. Status updates for ongoing incidents are posted at /status.
Compliance and Reviews
We are happy to participate in customer-led security reviews. Enterprise customers can request a CDA, a vendor-security questionnaire response, and a discussion with our engineering team prior to onboarding. We do not currently hold a SOC 2 or ISO 27001 attestation; both are on the roadmap and will be communicated when available. We will not misrepresent our compliance posture.
Questions or Concerns
If you have specific data security requirements, want to start a security review, or need to report a suspected vulnerability, contact us at jessica.freeze@synovai.net.