Sylure

Documentation

Getting Started

What is Sylure?

Sylure is an uploads-first privacy operations platform that helps organisations discover shadow personal data hiding in file exports, spreadsheets, PDFs, and email archives. Upload a ZIP bundle and within minutes you receive a full personal data inventory complete with risk scoring, exposure mapping, and DSAR discovery capabilities.

Built for DPOs, privacy teams, CISOs, compliance consultants, and MSPs working under UK GDPR and EU GDPR, Sylure is SaaS-delivered with no self-hosting or infrastructure to manage.

Upload & Scan

Package your exports into a ZIP and let the detection engine find personal data across 11 types.

Discovery (DSAR)

Locate a data subject’s personal data across all uploads and export evidence bundles.

Security & Trust

HMAC hashing, ClamAV scanning, org-level isolation, and full audit trail.

Analytics & Reports

Risk dashboards, AI executive summaries, and stakeholder-ready exports.

How Sylure Works

The platform follows a ten-step pipeline from file preparation through to deletion.

  1. Prepare — Package your files (exports from CRM, payroll, support tickets, etc.) into a .zip bundle.
  2. Upload — Drag-and-drop or click to upload via the Sources page. Uploads are integrity-verified (SHA-256 hash computed client-side) and transferred using resumable multipart upload (32 MB chunks).
  3. Validate — Sylure validates the ZIP structure: magic bytes (PK signature), 3 GB compressed limit, 20 GB uncompressed limit, ZIP bomb guards, 100,000 file cap.
  4. Security Scan — Every bundle passes through ClamAV antivirus scanning before any content is processed.
  5. Scan — The detection engine extracts text from supported formats, then runs regex-based and contextual detection for 11 personal data types across 5 GDPR categories. Identity values are hashed with HMAC-SHA256 — raw values are never stored.
  6. Analyse — Risk scores are computed per-asset using sensitivity weights, combination bonuses, diversity bonuses, and volume scaling. Pre-computed analytics summaries are materialised for fast dashboard rendering.
  7. Review — Use the Dashboard, Analytics, and Exposures pages to understand your risk profile.
  8. Discover — Use the Discovery Tool (DSAR Search) to locate a data subject's personal data across all scanned uploads, export evidence bundles, and optionally generate AI-drafted responses.
  9. Report — Generate stakeholder-ready reports with optional AI executive summaries.
  10. Delete — Control retention with soft-delete (grace period) or hard purge (immediate), plus S3 lifecycle backstop.

Quick Start Checklist

Complete these steps to get your first personal data inventory in minutes.
  1. Log in at app.sylure.com (you'll receive credentials from your Admin).
  2. If first login, you’ll be prompted to change your password.
  3. Sources (sidebar) — upload your first ZIP bundle.
  4. Wait for the scan pipeline to complete (you can close the browser — it runs asynchronously).
  5. Dashboard — check the risk overview.
  6. Exposures — drill into individual findings.
  7. Discovery Tool — search for a specific data subject.
  8. Analytics — view detailed reports.

Term Glossary

Key terms used throughout Sylure. Understanding these concepts will help you navigate the platform and interpret results effectively.

TermDefinition
Upload / BundleA ZIP archive containing files to be scanned. Each upload is tracked through a full lifecycle: PENDING → RECEIVED → VALIDATING → SECURITY_SCANNING → SCANNING → COMPLETED.
AssetAn individual file within an upload (e.g. a CSV, PDF, or XLSX). Each asset gets its own finding and identity hits.
SourceThe origin system or connector the asset came from. In the current version, all sources are of kind upload.
FindingA detected personal data exposure within an asset. Contains risk level, masked evidence, and the types of personal data found. Findings can be active, superseded, or resolved_removed.
Identity HitA normalised, hashed identifier (email, phone, name, etc.) linked to a specific asset. Used for DSAR Discovery lookups. Raw values are never stored — only HMAC-SHA256 hashes.
Identity OverrideAn admin-applied status on an identity hit — either ACTIVE (default) or IGNORED (suppressed as false positive).
Personal Data CategorySylure groups detected data into five GDPR-aligned categories: Contact details, Identity, Address & location, Financial identifiers, and Government identifiers.
Risk BandA calculated risk level for a finding or asset: high, medium, or low. Driven by sensitivity, combination bonuses, and volume context.
Risk ScoreA numeric score from 0–100 computed from sensitivity weights, combination bonuses, diversity bonuses, and volume scaling.
ExposureHow the data was shared or accessible. Values include: public_link, org_wide, channel_public, channel_private, bucket_public_acl, team_only, unknown.
Discovery Tool (DSAR Search)The search interface for locating a data subject’s personal data across all scanned uploads. Supports searching by email, phone, name, postcode, address, DOB, IBAN, NINO, bank details, and card number.
DSAR BundleAn exported package of discovery results (Excel or JSON) containing all matched identity hits, evidence snippets, and asset locations for a data subject.
AI DraftAn AI-generated response draft for DSAR fulfilment, based on the discovery results. Generated by Claude (Anthropic) with aggregate-only data — no raw personal data is sent to the AI.
AI Executive SummaryAn AI-generated narrative summary of your risk profile for stakeholder reports. Uses aggregate metrics only.
Soft DeleteScheduling an upload for deletion after a configurable grace period (default 7 days). The upload is excluded from views but data remains recoverable during the grace period.
Hard PurgeImmediate, irreversible deletion of an upload and all its derived outputs (findings, identity hits, analytics, cached AI explainers).
Derived OutputsAll data Sylure creates from scanning: findings, identity hits, analytics summaries, cached AI explanations. Original files are never modified.
Audit LogA tamper-evident record of all significant actions: authentication events, exports, raw bundle access, member/role changes, upload lifecycle events. Exportable as Excel.
Organisation / WorkspaceThe top-level tenant. All data is scoped to an organisation. Each organisation has its own users, uploads, quotas, and billing cycle.
Billing CycleAnniversary-based monthly cycle anchored to your organisation’s creation date. Quotas (upload GB, DSAR exports, AI features) reset at the start of each cycle.
Evidence MaskingAll evidence snippets shown in the UI and exports are masked by default (e.g. j***@example.com, 07*** ***456). Raw values are never displayed.
Scan JobThe background job that processes an upload through the scan pipeline. Tracks status, progress, heartbeat, and timing metrics.
Upload Analytics SummaryA pre-computed summary per upload containing total hits, risk scores, personal data composition, file type breakdown, top assets, and daily hit counts. Avoids expensive real-time aggregation.

Supported Personal Data Types

Detection Categories

Sylure detects 11 personal data types, grouped into 5 GDPR-aligned categories. Each type has its own regex patterns, contextual heuristics, and normalisation rules.

Contact details

  • Email address — Full email addresses. Role mailboxes (noreply@, admin@, support@, etc.) and known ESP/transactional domains are filtered out. Bad TLDs (localhost, internal, test) are excluded.
  • Telephone number — UK and EU phone numbers. Validated using libphonenumber-js. Supports formats with/without country code, with spaces, dashes, parentheses. Default region: GB, with fallback to 16 EU regions.

Identity

  • Full name — Detected using contextual header matching (columns labelled "name", "full name", "employee name", "customer name", etc.) and pattern-based extraction.
  • Date of birth — Detected via header context (DOB, date of birth, birth date, born, etc.) and date pattern matching.

Address & location

  • Postcode — UK postcodes validated against a comprehensive outward district lookup table. Requires header context or structural proximity to reduce false positives.
  • Postal address — UK addresses detected using a term dictionary (road, street, avenue, close, etc.) combined with structural patterns.

Financial identifiers

  • IBAN — International Bank Account Numbers. Validated with checksum verification.
  • Bank account details — UK sort code + account number pairs. Detected as pairs with header context.
  • Payment card number — Credit/debit card numbers. Validated with Luhn algorithm.
  • Card expiry — Card expiry dates detected alongside card numbers.

Government identifiers

  • National Insurance number — UK NINOs matching the standard format (two letters, six digits, one letter). Header context required.

How Detection Works

The detection engine processes each file through a multi-stage pipeline that combines pattern matching with contextual analysis.

  • Text is extracted from each file using format-specific extractors.
  • Multiple regex patterns and contextual heuristics are applied simultaneously.
  • Header/column labels provide context to reduce false positives (e.g. a column labelled "DOB" boosts date-of-birth detection confidence).
  • Detected values are normalised (lowercased emails, E.164 phone numbers, uppercase postcodes, etc.).
  • Values are hashed using HMAC-SHA256 with a per-installation secret key — raw values are never persisted.
  • Evidence snippets are generated with automatic masking.

Risk Sensitivity Weights

Each personal data type carries a sensitivity weight that reflects its GDPR significance. Higher weights drive higher risk scores.

Risk tierTypesWeight
High riskIBAN (3.2), NINO (3.5), Bank account details (4.2), Payment card (4.2)≥ 3.0
Medium riskEmail (1.7), Phone (1.7), Postcode (1.7), Address (2.0), Date of birth (2.5)1.7–2.5
Low riskFull name (1.0)1.0

Risk Scoring Formula

Risk scores are computed using a deterministic formula that accounts for sensitivity, data combinations, and volume.

  1. Base sensitivity — The highest sensitivity weight among all personal data types present.
  2. Combination bonuses — Financial + Identity = +1.5; Financial + Contact = +1.0; Identity + Contact = +0.5.
  3. Diversity bonus — 3+ distinct types = +0.5; 5+ distinct types = +0.5.
  4. Volume context — Scales from 0.9× (under 10 items) to 3.0× (1M+ items).
  5. Final score(base + combos + diversity) × volume_context, clamped to max 7.0.
  6. Banding — Score ≥ 7 = high; Score ≥ 3 = medium; else low. Exception: if financial or government data is present, minimum band is medium.
  7. Normalised score — Mapped to 0–100 scale (max combined = 7 × 3.0 = 21).
Worked example: An asset containing emails (1.7), phone numbers (1.7), and IBANs (3.2) would score: base 3.2 + Financial+Contact combo 1.0 + diversity 0.5 = 4.7. With 500 rows the volume multiplier is ~1.5×, giving 7.0 (clamped) → high risk band → normalised score of 100.

Supported File Formats

Sylure supports the following file formats for text extraction and personal data detection.

ExtensionTypeNotes
.csvDelimited textComma, tab, pipe separated
.txtPlain textGeneral text files, logs
.jsonJSONStructured data exports
.logLog filesServer/application logs
.htmlHTMLWeb page exports
.xmlXMLStructured markup
.emlEmailIndividual email messages
.pdfPDF documentsText extraction (not OCR for scanned images)
.docxWord documentsMicrosoft Word (Office Open XML)
.xlsxExcel spreadsheetsMicrosoft Excel (Office Open XML)

Upload Constraints

  • Maximum ZIP size: 3 GB (compressed).
  • Maximum uncompressed size: 20 GB (guards against ZIP bombs).
  • Maximum files processed per ZIP: 100,000.
  • ZIP must have valid PK magic bytes (PK\\x03\\x04 or PK\\x05\\x06).
  • Files not matching supported extensions are skipped silently.
  • Password-protected or corrupt files are skipped with warnings (scan completes as COMPLETED_WITH_WARNINGS).

Upload & Scan Pipeline

Every bundle uploaded to Sylure passes through a multi-stage pipeline that validates, scans for malware, detects personal data, and materialises analytics summaries. The pipeline runs asynchronously — you can close the browser after upload.

Preparing Your Bundle

Collect exports from your systems and package them into a single ZIP file. The internal folder structure is preserved and used as the asset path in Sylure.

  • Collect exports from your systems (CRM, payroll, support, finance, etc.).
  • Package them into a single .zip file.
  • Realistic examples: salesforce_contacts_export_2025-10-04.csv, payroll_extract_Q3_2025.xlsx, zendesk_tickets_2025-09.json, supplier_invoices_Oct_2025.pdf.
  • The internal folder structure is preserved and used as the asset path.

Upload Process

Admin only — only Admin users can upload bundles. Analyst and Viewer roles cannot.
  1. Drag-and-drop or click-to-select on the Sources page.
  2. Client computes SHA-256 hash of the file before upload (integrity verification).
  3. Resumable multipart transfer (32 MB chunks) — if connection drops, it can resume.
  4. Pipeline steps shown in UI: HashingRegisteringTransferringQueuing.
  5. After upload, the scan is queued automatically — you can close the browser.

Scan Pipeline Stages

StatusDescription
PENDINGUpload record created, waiting for file data.
RECEIVEDZIP stored in S3 (eu-west-2 region).
VALIDATINGZIP structure checks: magic bytes, size limits, ZIP bomb guards.
SECURITY_SCANNINGClamAV antivirus scan on the raw bundle.
SCANNINGCore detection: extract text, run detection, compute hashes, create findings and identity hits, materialise analytics.
COMPLETEDScan finished successfully, all data available.
COMPLETED_WITH_WARNINGSScan finished but some files were skipped (corrupt, password-protected, unsupported).

Failure states:

StatusDescription
FAILED_VALIDATIONZIP failed structure/size checks.
FAILED_SECURITYAntivirus detected a threat.
FAILED_SCANNINGDetection engine error.
FAILED_ANALYTICSScan completed but analytics summary computation failed.
EXPIREDUpload was prepared but not completed within 24 hours.

Scan Concurrency & Performance

  • ZIP entries are processed with configurable concurrency (default 8 parallel).
  • Database writes are batched with configurable concurrency (default 8).
  • Progress is flushed every 5 seconds with heartbeat every 15 seconds.
  • Scan job tracks stage (DOWNLOADING / VALIDATING / SCANNING / MATERIALIZING), bytes downloaded, metrics counters, and timing breakdowns.

Retry Failed Scans

Admin users can retry failed scans from the upload detail page. The system creates a new scan job for the existing upload, and only one scan job per upload runs at a time.

Monthly Upload Quota

Each organisation has a monthly upload quota measured in GB. Quota is tracked using a reservation system: bytes are reserved when upload starts, settled on completion, and released on failure. Quota resets on the billing cycle anniversary.

  • Quota usage is displayed on the Sources page with a progress bar.
  • Tiers: Starter/Partner = 10 GB/month; Professional = 50 GB/month; Enterprise = unlimited.

Dashboard & Overview

Dashboard Page /overview

The Dashboard provides a high-level risk overview for the organisation. It surfaces the most critical findings and gives you an at-a-glance understanding of your personal data exposure.

  • Attention Queue: Top 5 high-risk findings with asset details, file path, and personal data types.
  • Filters: Time range (7 days, 30 days, all time) and upload scope (specific upload or all).
  • Risk tiles: Total findings, high/medium/low breakdown, risk mix percentages.
  • AI Explainer: Optional AI-generated insight explaining the dashboard metrics.
Accessible to all roles (Admin, Analyst, Viewer).

Analytics Component

The dashboard fetches analytics data via API endpoints, all scoped to the user's organisation (multi-tenant isolation):

  • /api/analytics/risk-summary
  • /api/analytics/pii-composition
  • /api/analytics/top-assets
  • /api/analytics/pii-by-asset
  • /api/analytics/pii-high-risk-by-type
  • /api/analytics/monthly-delta
  • /api/analytics/uploads-summary

Analytics & Reports

Analytics Page /analytics

The Analytics page provides detailed reporting with charts and data tables. Use it to build a comprehensive picture of your organisation's personal data landscape.

  • Filters: Time range (7d, 30d, all) and upload scope.
  • Risk summary tiles (overall risk score 0–100, risk label, total exposed personal data, high-sensitivity exposures, assets with personal data).
  • Personal data composition chart (breakdown by type).
  • Personal data by type with risk breakdown (how many of each type appear in high/medium/low risk assets).
  • Top risky assets list (asset name, total hits, highest risk, personal data types present).
  • File type breakdown (which extensions contain the most personal data).

AI Executive Summary

Generate a stakeholder-ready narrative summary of your risk profile. The AI receives only aggregate metrics — no raw personal data, no file contents, no identity values.

  • Sends only aggregate-only data to the AI.
  • Rate limited at the workspace level (monthly quota, depends on tier).
  • Viewers can view existing summaries but cannot generate new ones.
  • Downloadable as part of the report.

Report Export

Reports can be exported as HTML and include risk profile, personal data distribution, top risky assets, and upload/time filters.

Exposures

Exposures Page /exposures

The Exposures page lists all detected findings (personal data exposures) across all scanned uploads. Use it to triage and track the resolution of individual findings.

Requires Admin or Analyst role — Viewers are redirected to /forbidden.
  • Cursor-based pagination (15 items per page) for performance with large datasets.
  • Filters: Search by file path, risk band (high/medium/low/all), status (active/resolved/all), upload scope.
  • Each row shows: file path, personal data types found, risk band, status, creation date, upload source.

Finding Detail Page /exposures/[id]

Detailed view of a single finding showing risk band, exposure type, status, creation date, evidence (masked), examined bytes, personal data types with counts, asset info, and source info.

  • Status management: Admin and Analyst can change finding status between active and resolved_removed.
  • Identity hits viewer: shows all identity hits for the asset, with override management (Admin/Analyst can mark hits as IGNORED for false positives).

Finding Statuses

StatusDescription
activeCurrently relevant, appears in dashboards and reports.
supersededReplaced by a newer scan of the same asset.
resolved_removedManually resolved by an Admin/Analyst (can be reverted).

Discovery Tool (DSAR Search)

What the Discovery Tool Does

The Discovery Tool locates all personal data related to a specific data subject across all scanned uploads. Designed for DSAR (Data Subject Access Request) fulfilment under GDPR Article 15, it supports searching by any of the 11 detected identifier types.

How to Search

Start with one strong identifier — an email address or phone number works best. You can add up to 9 identifiers per DSAR bundle for multi-identifier search.

  • Search is performed against HMAC-SHA256 hashes — the system never sees the raw value in transit.
  • Results show matched identity hits with: source file, location (asset path), match type, confidence level, risk level, upload name, and masked evidence snippets.
Phone number tips: Include country code (+44 for UK). Sylure also performs fuzzy matching on last 6 digits (NSN6) and full digit string.
Postcode tips: Enter without spaces (e.g. SW1A1AA). Sylure also matches on outward district (domain hash).

Search Result Details

Each hit includes:

  • Source — Upload name and file path.
  • Match type — The identifier type that matched (email, phone, name, etc.).
  • Confidenceexact_email, exact_phone, exact_name, exact_dob, exact_postcode, exact_address, exact_iban, exact_nino, exact_bank_pair, exact_card, possible_phone_last6, or other.
  • Risk level — LOW, MEDIUM, HIGH, or UNKNOWN.
  • Evidence — Masked snippet showing the context where the data was found.

DSAR Exports

Requires Admin or Analyst role.
  • Export formats: Excel (.xlsx) and JSON.
  • Exports include: structured results, masked evidence snippets, asset locations, upload references.
  • Monthly export quota: Starter/Partner = 30/month; Professional = 90/month; Enterprise = unlimited.
  • Quota is tracked at the organisation level and resets on billing cycle anniversary.

AI Discovery Draft

Generate an AI-drafted DSAR response letter based on the discovery results. Uses aggregate discovery data — no raw personal data is sent to the AI.

  • Daily rate limit at the workspace level with cooldown between runs.
  • Monthly quota: Starter/Partner = 30/month; Professional = 90/month; Enterprise = unlimited.
  • Draft output for human review — always review before sending to the data subject.

Subject Profile & Journey

The Discovery Tool builds a subject profile including known identifiers, first/last seen dates, total uploads and assets where the subject appears, systems map, timeline, and risk signals.

Sources / Uploads

Sources Page /uploads

The Sources page lists all uploads for the organisation with status, size, creation date, and completion date.

  • Filters: Search by filename, status filter (All, In Progress, Completed, Failed, Expired, Deleted).
  • Cursor-based pagination with page stack navigation.
  • Auto-refresh: polls for status updates on in-progress uploads.
  • ClamAV health badge shows antivirus engine status.

Upload Detail Page /uploads/[id]

Detailed view of a single upload showing filename, status, size, storage key, creation/completion dates, error details, event timeline, scan job details, and available actions (Retry, Download raw, Delete/Purge).

Upload Lifecycle Events

EventDescription
UPLOAD_PREPAREDUpload record created.
UPLOAD_STARTEDFile transfer began.
UPLOAD_COMPLETEDFile transfer finished.
UPLOAD_DELETEDUpload soft-deleted by user.
UPLOAD_PURGEDUpload hard-purged by user.
VALIDATION_STARTEDZIP validation began.
VALIDATION_FAILEDZIP validation failed.
SECURITY_SCAN_STARTEDAntivirus scan began.
SECURITY_SCAN_FAILEDAntivirus scan detected a threat.
SCAN_ENQUEUEDScan job queued.
SCAN_STARTEDDetection engine started.
SCAN_COMPLETEDDetection engine finished.
SCAN_FAILEDDetection engine error.
ANALYTICS_STARTEDAnalytics materialisation started.
ANALYTICS_COMPLETEDAnalytics materialisation finished.
UPLOAD_EXPIREDPrepared but not completed within 24 hours.

Settings & Workspace Management

Overview

Admin-only page for workspace management, accessed via the sidebar. Uses a tabbed interface.

Organisation Settings

View organisation name, data region (e.g. eu-west-2), and retention configuration.

  • Retention policy: raw bundles retained for 30 days (configurable via S3 lifecycle).
  • Storage info: where raw files are stored, lifecycle policy source.

Member Management

Admin only — invite, edit, and manage workspace members.
  • Add new members with email + role assignment.
  • Edit existing members: change role, deactivate/reactivate, force password reset.
  • Roles: ADMIN, ANALYST, VIEWER (see Roles & Permissions section).
  • Account lockout: after too many failed login attempts, account is temporarily locked.

Retention & Deletion

Manage data lifecycle through soft delete (grace period) and hard purge (immediate irreversible deletion). All derived outputs are cascade-deleted: findings, assets, identity hits, discovery evidence, cached analytics, and AI explainer caches.

  • View scheduled deletions and recent purges.
  • Grace period is configurable.
  • Deletion counts: scheduled for deletion, purged in last 30 days.

Audit Log

A chronological, tamper-evident log of all audited actions in the workspace. Each entry records timestamp, actor, action, outcome (SUCCESS/FAILURE/DENIED), target, IP address, user agent, path, and method.

  • Tracked events: Authentication (login success/failure), exports, raw bundle downloads, member/role changes, upload lifecycle events, DSAR searches, AI feature usage.
  • Exportable as Excel (Admin only).
  • Metadata field contains additional structured context (never includes secrets).

Support Form

In-app support request form, accessible from Settings.

Architecture & Infrastructure

Sylure runs entirely within AWS eu-west-2 (London). The architecture is designed for security isolation, with separate layers for edge routing, application logic, and data storage.

All data stays in the UK (eu-west-2). No personal data leaves the region.

System Architecture

Requests flow from the browser through Cloudflare's WAF and CDN, into an Application Load Balancer, and into ECS Fargate containers running the Next.js application. ClamAV runs as a sidecar container for antivirus scanning. Data is stored in Neon (managed PostgreSQL), S3 for raw bundles, and SSM Parameter Store for secrets.

System Architecture

Browser → Cloudflare → ALB → ECS Fargate → Data Stores.

Architecture
EdgeComputeData StoresBrowserCloudflareALBApp (ECS)ClamAVNeon (PG)S3 StorageSSM Secrets

Upload & Scan Pipeline

The upload pipeline starts client-side with SHA-256 integrity hashing, proceeds through presigned S3 multipart upload, then flows through validation, ClamAV scanning, PII detection, and analytics materialisation.

Upload Pipeline

Browser → API → S3 → Queue → Scanner → Database.

Architecture
ClientServer PipelineOutputClient HashAPI PrepareS3 UploadScan QueueValidate ZIPClamAV ScanPII DetectionMaterialiseComplete

Deployment Pipeline

Code pushed to the main branch triggers GitHub Actions for linting, testing, and Docker image build. The image is pushed to ECR and deployed to ECS Fargate via rolling update.

Deployment Pipeline

GitHub → Actions → ECR → ECS.

Architecture
SourceCI / CDDeployGitHubLint + TestDocker BuildECR PushECS Deploy

Data Security Model

Security is enforced across three layers: TLS and WAF at the browser layer, authentication and RBAC at the application layer, and HMAC hashing with encryption at rest at the data layer.

Data Security Model

Three-layer security: browser, application, and data layers.

Architecture
Browser LayerApp LayerData LayerTLS / HTTPSWAF + Rate LimitAuth + SessionsRBACAudit LogHMAC HashingEvidence MaskingEncryption at Rest

Roles & Permissions

Sylure uses role-based access control with three roles: Admin, Analyst, and Viewer. Each role grants a specific set of capabilities following the principle of least privilege.

Role Matrix

CapabilityAdminAnalystViewer
Upload bundlesCreate, retry, download raw, delete/purgeView onlyHidden
Findings (Exposures)View, filter, change status, manage overridesView, filter, change status, manage overridesHidden
Discovery ToolSearch, export, AI draftsSearch, export, AI draftsHidden
Analytics / ReportsFull access, generate AI summaries, downloadFull access, generate AI summaries, downloadView only (no generate/export)
SettingsFull access — workspace, members, audit, retentionHidden / restrictedHidden
Help CentreFull accessFull accessFull access
DashboardFull accessFull accessView only

Why Buttons May Be Disabled

Two reasons:

  1. Role doesn’t permit the action.
  2. Organisation-wide quota has been reached. Quota resets on billing cycle anniversary.

Security & Trust

Security is foundational to Sylure. Every layer of the platform — from upload through storage to deletion — is designed to protect personal data and maintain audit-ready compliance. See the Data Security Model diagram for a visual overview of how these controls are layered.

Data Security

Raw personal data values are never stored. All identity values are hashed with HMAC-SHA256 using a per-installation secret key.
  • Hashing: All personal data values are stored as HMAC-SHA256 hashes, not raw text. The hash secret is per-installation.
  • Evidence masking: All evidence snippets are masked by default in UI and exports. Masking functions exist for every personal data type.
  • Antivirus: Every uploaded bundle is scanned by ClamAV before processing.
  • ZIP validation: Magic byte verification, size limits (3 GB compressed, 20 GB uncompressed), ZIP bomb protection, file count limits (100,000).
  • Multi-tenant isolation: All data is scoped to an organisation via orgId. Database queries always filter by org.
  • Session security: Sessions use 48-byte random hex tokens, stored in PostgreSQL. Default TTL: 8 hours (30 days with "remember me"). Sessions are validated on every request.
  • Password security: Passwords are hashed using scrypt with random 16-byte salt. Timing-safe comparison to prevent timing attacks.
  • Account lockout: Failed login attempts are tracked. Accounts are temporarily locked after too many failures.
  • Rate limiting: Login attempts are rate-limited by IP, email, and IP+email combination. Database-backed rate limiter.
  • CSRF protection: Session cookie with secure attributes.
  • Input validation: All user inputs are sanitised for PostgreSQL storage (null bytes removed, surrogate pairs stripped, length limits enforced).

Storage & Region

All data is stored in AWS eu-west-2 (London). No personal data leaves the UK.
  • Raw bundles stored in AWS S3, region eu-west-2 (London).
  • S3 lifecycle policies enforce automatic deletion after configured retention period.
  • Multipart upload support with presigned URLs for direct S3 transfer.

Audit Trail

Every significant action creates an audit log entry with actor, action, outcome, target, IP, user agent, and structured metadata. The audit trail is tamper-evident and exportable as Excel for compliance reviews.

  • Outcomes: SUCCESS, FAILURE, DENIED.
  • Exportable as Excel for compliance audits.

Retention & Deletion

Sylure implements a two-layer deletion model: product-level (soft delete + purge) and storage-level (S3 lifecycle backstop).

  • Raw bundle lifecycle: configurable retention (default 30 days via S3 lifecycle).
  • Derived data retention: user-controlled (persists until user deletes).
  • Prepared but unscanned uploads expire after 24 hours.
  • Deletion cascade: raw file → findings → assets → identity hits → analytics summaries → AI caches.

AI Features

Overview

Sylure uses AI (powered by Claude, Anthropic) for two features: Dashboard/Analytics explainers and DSAR response drafts. The AI integration is designed with a privacy-first approach — only aggregate, statistical data is ever sent to the model.

Privacy-first AI: No raw personal data, no file contents, and no identity values are sent to the AI. Only aggregate metrics and statistical summaries.

All AI output is labelled as "draft output for human review".

AI Explainers (Dashboard & Reports)

AI-powered explanations are available in four contexts:

  • Dashboard Risk Tiles — Explains the risk profile metrics (total findings, risk mix, trend direction).
  • Top Risky Assets — Explains which assets are driving risk and why.
  • Personal Data by Type — Explains the distribution of personal data types and their risk implications.
  • Reports Executive Summary — Full narrative summary including overview, top assets, risk distribution, personal data by type, personal data by file type.

AI Discovery Draft

Generates a DSAR response letter based on discovery results, including a summary of data found, systems/uploads where data appears, and risk assessment. Subject to daily rate limits per workspace with cooldown between runs.

Quotas & Limits

  • AI features consume organisation-level monthly quotas.
  • Quotas reset on billing cycle anniversary.
  • Daily caps prevent runaway usage.
  • Cooldown periods prevent accidental re-runs.
  • Viewers cannot generate AI content (can only view cached results).
  • Quota indicator shown in the UI when approaching or at limit.

Caching

AI explanations are cached per organisation, scoped by context type, range, and upload scope. The "Show" operation returns the cached result without consuming quota, while "Generate" forces a new generation and overwrites the cache.

  • Cache key: orgId + scopeKey (includes context type, range key, upload scope).

Pricing & Quotas

Sylure offers four pricing tiers designed to scale from small consultancies to large enterprises. All tiers include the full platform — the difference is capacity, quotas, and support level.

Pricing Tiers

PartnerStarterProfessionalEnterprise
Monthly price£299/mo£499/mo£749/mo£1500–£3000/mo
Annual priceMonthly only£4,990/yr£8,990/yrCustom
Uploads/month10 GB10 GB50 GBUnlimited
Workspaces113Unlimited
User accounts3310Unlimited
DSAR exports/mo303090Unlimited
AI drafts/mo303090Unlimited
AI reports/mo3030100Unlimited
Support SLA48hr48hr24hrDedicated

Add-ons: Extra user = £30/month · Extra storage = £10/GB

Feature Comparison by Tier

Capacity

FeaturePartnerStarterProfessionalEnterprise
Monthly uploads10 GB10 GB50 GBUnlimited
Workspaces113Unlimited
User accounts3310Unlimited

AI Features

FeaturePartnerStarterProfessionalEnterprise
DSAR AI drafting30/mo30/mo90/moUnlimited
AI reports30/mo30/mo100/moUnlimited

Exports

FeaturePartnerStarterProfessionalEnterprise
Monthly DSAR exports303090Unlimited
Export formatsJSON, CSVJSON, CSVJSON, CSVJSON, CSV

Security

FeaturePartnerStarterProfessionalEnterprise
Evidence masking
RBAC + audit log
DPA negotiation

Support

FeaturePartnerStarterProfessionalEnterprise
Support SLA48hr48hr24hrDedicated
Onboarding call
Security questionnaires

Frequently Asked Questions

Only Admin users can upload. Ask your Admin.

Large ZIPs (up to 3 GB) take time. The pipeline runs asynchronously. Check the upload detail page for progress.

Some files were skipped (password-protected, corrupt, unsupported format). This doesn’t prevent the rest of the bundle from being analysed.

Check format (phone needs +44 country code, email is case-insensitive). The file may have been skipped or the format not recognised.

Either your role doesn’t permit it (Viewers can’t generate) or the monthly quota has been reached. Quota resets on billing cycle anniversary.

Yes, findings can be moved back to “active”. Status is for triage tracking, not a permanent lock.

Soft delete = grace period (default 7 days). Hard purge = immediate. Both remove the raw file + all derived outputs.

Yes. HMAC-SHA256 hashes only (no raw values stored). Antivirus scanning. Org-level isolation. Full audit trail.

CSV, TXT, JSON, LOG, HTML, XML, EML, PDF, DOCX, XLSX.

Based on personal data sensitivity weights, combination bonuses, diversity bonuses, and volume scaling. See the Risk Scoring section above.

Yes, Admin users can export as Excel from Settings.

11 types across 5 GDPR categories: email, phone, name, DOB, postcode, address, IBAN, NINO, bank details, card number, card expiry.

Raw bundles are stored encrypted in S3 (eu-west-2) for the retention period (default 30 days), then automatically deleted. Only Admins can download raw bundles.

Contact support to discuss data export and deletion.

The current product is accessed via the web application. API access may be available for Enterprise tier customers.

Navigation Reference

Sidebar Navigation (Authenticated App)

PagePathDescription
Dashboard/overviewRisk overview, attention queue, AI explainers.
Analytics/analyticsDetailed reports, charts, AI executive summaries.
Sources/uploadsUpload bundles, view scan status, manage uploads.
Exposures/exposuresBrowse and triage personal data findings.
Discovery Tool/dsar-searchDSAR subject search, evidence export, AI drafts.
Settings/settingsWorkspace, members, audit logs, retention (Admin only).
Help/help-centerIn-app guides, FAQ, glossary.

Marketing Site Pages

PagePath
Homepage/
Platform/platform
Solutions/solutions
Resources/resources
Pricing/pricing
Security / Trust Centre/security
Contact/contact
About/about
Documentation/document

Support & Contact

Sylure provides tiered support based on your pricing plan. All tiers include an onboarding call to help you get started, and in-app support is always accessible from the Settings page.

  • Email: sylure@sylure.com
  • Support SLA depends on pricing tier (48hr for Starter/Partner, 24hr for Professional, Dedicated for Enterprise).
  • All tiers include an onboarding call.
  • Enterprise tier includes security questionnaire support and DPA negotiation.
  • In-app support form available from Settings page.
  • Feedback: Use thumbs up/down on any page.