Trust centre.

Procurement-ready security controls backed by the implementation, not marketing claims.

Last updated: 12 April 2026

  • Data residency: UK (eu-west-2)
  • Encryption at rest: AES-256-GCM
  • PII indexing: HMAC-SHA256
  • Access model: RBAC
  • Data deletion: Customer-controlled

01
Where is my data?

UK data residency

All Sylure infrastructure runs in the UK on AWS London (eu-west-2). Customer uploads, scan results, identity hashes and audit logs are stored in UK data centres. Sylure Ltd is a UK company with no US corporate parent, so customer data is not subject to the US CLOUD Act.

AI provider transparency

Sylure uses OpenAI to generate upload summaries and DSAR discovery drafts. We send only aggregate metadata — counts of detected PII types, risk scores, file format breakdowns and system-level summaries. No raw personal data content (names, emails, phone numbers, financial details, NINOs) is sent to AI providers. File path metadata (e.g. folder names within uploaded archives) may be included to provide system-level context.

Sub-processors

| Service | Purpose | Region | Data handled |
|---|---|---|---|
| AWS (S3, ECS, Secrets Manager) | Hosting, storage, compute | UK (eu-west-2) | Customer uploads, scan results, secrets |
| Vercel | Web application hosting, cron | UK (lhr1) | API requests, session data |
| OpenAI | AI summaries and DSAR draft generation | US | Aggregate metadata only (counts, risk scores, file types). No raw personal data content. |
| Gmail SMTP | Transactional email (password resets, notifications) | US (Google) | User email addresses |
| ClamAV | Antivirus scanning | Self-hosted (UK) | Raw file content (scanned in-memory, not stored) |

02
How is it protected?

Defence in depth

Multiple layers of protection from upload through storage to deletion. Every layer is verified against the implementation.

AES-256-GCM encryption at rest

All personal data is encrypted using AES-256-GCM, an authenticated encryption mode, with a 12-byte random IV and PBKDF2-derived keys (100,000 iterations, SHA-256).
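The parameters listed above fit together as in the following Node.js code, which is an added example and not Sylure's own implementation. The 16-byte salt, the record layout (salt, IV, tag, ciphertext) and the use of an organisation ID as additional authenticated data are assumptions made for the example.

```javascript
const { pbkdf2Sync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const ITERATIONS = 100000; // PBKDF2 iterations, from this page
const IV_LEN = 12;         // 12-byte random IV, from this page
const SALT_LEN = 16;       // assumption: salt length is not stated on the page
const TAG_LEN = 16;        // GCM authentication tag length (Node.js default)

// Derive a 32-byte AES-256 key from a secret with PBKDF2-HMAC-SHA256.
function deriveKey(secret, salt) {
  return pbkdf2Sync(secret, salt, ITERATIONS, 32, 'sha256');
}

// Record layout (assumed): salt || iv || tag || ciphertext.
// `context` (e.g. an organisation ID) is bound as additional authenticated data.
function encryptRecord(secret, plaintext, context) {
  const salt = randomBytes(SALT_LEN);
  const iv = randomBytes(IV_LEN); // fresh per record; never reuse under one key
  const cipher = createCipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

function decryptRecord(secret, record, context) {
  const iv = record.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tagEnd = SALT_LEN + IV_LEN + TAG_LEN;
  const key = deriveKey(secret, record.subarray(0, SALT_LEN));
  const decipher = createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(record.subarray(SALT_LEN + IV_LEN, tagEnd));
  // final() throws if the ciphertext, tag or context has been altered.
  const pt = Buffer.concat([decipher.update(record.subarray(tagEnd)), decipher.final()]);
  return pt.toString('utf8');
}

// True when the record authenticates and decrypts, false otherwise.
function authenticates(secret, record, context) {
  try {
    decryptRecord(secret, record, context);
    return true;
  } catch (err) {
    return false;
  }
}
```

Because the context is authenticated, a record copied into another organisation's storage fails to decrypt even with the correct secret.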

TLS 1.2+ in transit with HSTS

All connections are secured with TLS 1.2+. HSTS is enforced in production with a max-age of 1 year and includeSubDomains. CSP, X-Frame-Options and CSRF protection headers are applied.

HMAC-SHA256 PII indexing

PII is matched using keyed HMAC-SHA256 hashes. Raw personal data is never stored as plaintext in search indexes. DSAR queries hash the input and match against the index.
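A keyed index of this kind can be built and queried as follows. This is an added example, not Sylure's code: the normalisation rules, the type prefix inside the HMAC input, the demo key and the sample findings are all assumptions or constructed values.

```javascript
const { createHmac } = require('node:crypto');

// Constructed demo key; a real index key would be loaded from a secrets manager.
const INDEX_KEY = Buffer.from('constructed-demo-key-not-for-production');

// Canonicalise before hashing so formatting variants of one value share a token.
// These rules are assumptions for the example.
function normalise(type, value) {
  const v = value.normalize('NFKC').trim();
  switch (type) {
    case 'email': return v.toLowerCase();
    case 'phone': return v.replace(/[^\d+]/g, '');
    case 'nino': return v.replace(/\s+/g, '').toUpperCase();
    default: return v.toLowerCase();
  }
}

// Keyed token; the type prefix stops an email token and a phone token colliding.
function token(type, value, key = INDEX_KEY) {
  return createHmac('sha256', key).update(`${type}\0${normalise(type, value)}`).digest('hex');
}

// The index maps token -> locations; the raw value is never stored.
function buildIndex(findings) {
  const index = new Map();
  for (const { type, value, location } of findings) {
    const t = token(type, value);
    if (!index.has(t)) index.set(t, []);
    index.get(t).push(location);
  }
  return index;
}

// DSAR lookup: hash the requester's identifier and match it against the index.
function dsarSearch(index, type, value) {
  return index.get(token(type, value)) || [];
}

// Constructed sample findings (not real data).
const SAMPLE = [
  { type: 'email', value: 'Jane.Doe@Example.com', location: 'crm/export.csv:14' },
  { type: 'phone', value: '+44 20 7946 0958', location: 'hr/contacts.xlsx:3' },
  { type: 'email', value: 'jane.doe@example.com ', location: 'mail/archive.mbox:220' },
];
```

The tokens are only as private as the key: phone numbers and NINOs come from small value spaces, so the index key needs the same protection as the encryption keys.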

ClamAV antivirus scanning

Every upload is scanned for malware using ClamAV before processing. Infected files are rejected and quarantined. ClamAV operates in fail-open mode — if the scanner is unavailable, uploads proceed with a logged warning.

Evidence minimisation

Evidence views are masked by default in the UI and exports. Role-based permissions control who can view raw values, trigger exports and access uploaded bundles.

03
Who can access it?

Least-privilege access controls

Access is controlled through role-based permissions enforced at the API level on every route, not just the UI.

Role-based access control (RBAC)

Three roles with escalating permissions: Viewer (read-only analytics), Analyst (full product access), Admin (full access plus member and role management). Enforced on every API endpoint.

Account lockout

Accounts are locked after 5 consecutive failed login attempts for 15 minutes. Lockout is per-account. Successful login resets the counter.

Session security

Sessions use 48-byte cryptographically random tokens. Default TTL: 8 hours (30 days with “remember me”). Sessions are validated against the database on every request and revoked immediately on logout.

Password security

  • Passwords hashed using scrypt with 16-byte random salt and timing-safe comparison.
  • Password reset tokens: 48-byte random, 1-hour expiry, enumeration-resistant (always returns success regardless of account existence).
  • Must-change-password enforcement blocks all API routes until reset is complete.
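The password-hashing and account-lockout rules above combine as in this added example, which is not Sylure's code. The 64-byte scrypt output, the in-memory account object and the choice to clear the failure counter when a lock expires are assumptions; the 16-byte salt, 5-attempt threshold and 15-minute lock come from this page.

```javascript
const { scryptSync, randomBytes, timingSafeEqual } = require('node:crypto');

const MAX_FAILURES = 5;          // consecutive failures before lockout, from this page
const LOCK_MS = 15 * 60 * 1000;  // 15-minute lockout, from this page

function hashPassword(password) {
  const salt = randomBytes(16);  // 16-byte random salt, from this page
  return { salt, hash: scryptSync(password, salt, 64) }; // 64-byte output is an assumption
}

// Recompute with the stored salt and compare in constant time.
function passwordMatches(password, { salt, hash }) {
  return timingSafeEqual(scryptSync(password, salt, hash.length), hash);
}

function newAccount(password) {
  return { credential: hashPassword(password), failures: 0, lockedUntil: 0 };
}

// `now` is a parameter so the lockout window can be exercised in tests.
function attemptLogin(account, password, now = Date.now()) {
  // Checked before any password work, so a locked account gives no oracle.
  if (account.lockedUntil > now) return 'locked';
  if (account.lockedUntil) {
    // Lock has expired: start a fresh counting window (assumption).
    account.lockedUntil = 0;
    account.failures = 0;
  }
  if (passwordMatches(password, account.credential)) {
    account.failures = 0; // successful login resets the counter
    return 'ok';
  }
  account.failures += 1;
  if (account.failures >= MAX_FAILURES) account.lockedUntil = now + LOCK_MS;
  return 'denied';
}
```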

Multi-tenant data segregation

Sylure is a multi-tenant platform with logical data segregation. All database queries are scoped by organisation ID at the application layer. Cross-organisation access is tested and verified to return 404 (not data leaks). Database-level Row Level Security is not currently implemented — isolation is enforced at the query and API guard layer.

04
What if something goes wrong?

Incident response and breach notification

In the event of a confirmed personal data breach affecting customer data, Sylure will notify affected customers without undue delay and within 72 hours of confirming the breach, in line with UK GDPR Article 33 requirements.

Incident response stages

  • Detection: application monitoring, error tracking and structured logging.
  • Containment: isolate affected systems and prevent further exposure.
  • Customer notification: within 72 hours of confirmation.
  • Regulator notification: where required under UK GDPR.
  • Remediation: restore normal service and apply fixes.
  • Post-incident review: lessons learned applied to the platform.

05
What evidence is shared?

Audit logging and compliance evidence

All significant actions are recorded in a structured audit log. Each entry captures actor (user, role, organisation), action, outcome, target resource, IP address, user agent and structured metadata with timestamps.

18 audited event types

  • Authentication: login success, failure, rate limit, logout
  • Account: password changes, member creation, member updates, password resets
  • Uploads: prepare, complete, retry, raw upload, raw download
  • DSAR: search, export, search rate limit
  • Reports: report export

Export and retention

  • Audit logs exportable as Excel for compliance reviews.
  • Sensitive fields (passwords, tokens, secrets, API keys) are automatically stripped from log metadata.
  • String values capped at 2,000 characters to prevent log injection.
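A metadata sanitiser applying the two rules above could look like this added example, which is not Sylure's code. The key-name patterns and the depth limit are assumptions, and the escaping of control characters goes beyond what this page states: it is included because a length cap alone does not stop a value containing a newline from starting what looks like a new log line.

```javascript
// Key names treated as sensitive (assumed patterns for the four categories listed).
const SENSITIVE_KEY = /password|passwd|token|secret|api[_-]?key/i;
const MAX_STRING = 2000; // cap stated on this page
const MAX_DEPTH = 5;     // assumption: bound recursion on nested metadata

// Replace control characters (CR, LF, NUL, ...) with a visible \uXXXX escape.
function escapeControls(s) {
  return s.replace(/[\u0000-\u001f\u007f]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

function sanitiseMetadata(value, depth = 0) {
  if (typeof value === 'string') {
    // Cap first to bound the work, escape, then cap again so the result stays <= 2,000.
    return escapeControls(value.slice(0, MAX_STRING)).slice(0, MAX_STRING);
  }
  if (value === null || typeof value !== 'object') return value;
  if (depth >= MAX_DEPTH) return '[truncated]';
  if (Array.isArray(value)) return value.map((v) => sanitiseMetadata(v, depth + 1));
  const out = {};
  for (const [k, v] of Object.entries(value)) {
    if (SENSITIVE_KEY.test(k)) continue; // stripped entirely, not masked
    out[k] = sanitiseMetadata(v, depth + 1);
  }
  return out;
}

// Constructed sample metadata for an audit entry.
const SAMPLE_METADATA = {
  user: 'analyst@example.com',
  password: 'hunter2',
  request: { apiKey: 'constructed-key', note: 'line1\nFAKE entry' },
  payload: 'A'.repeat(5000),
  items: [{ resetToken: 'constructed-token', ok: 1 }],
};
```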

Customer data deletion

On customer request, uploaded data is soft-deleted with a configurable grace period (default: 1 hour) before permanent purge from production storage. Deletion cascades to: raw ZIP bundles (S3), scan results (assets, findings, identity hits), analytics summaries and upload events. Audit log entries are retained for compliance but contain no underlying customer content.

Available on request

  • Data Processing Agreement (DPA)
  • Security questionnaire responses
  • Sub-processor list (current version)
  • Retention and deletion policy

06
Security contact

Get in touch

For security questions, procurement reviews, or vulnerability disclosures, contact sylure@sylure.com.

Responsible disclosure

Security researchers acting in good faith and following responsible disclosure practices are welcome to report vulnerabilities to sylure@sylure.com. We will not pursue legal action against researchers who follow responsible disclosure.

Next step

Ready to see controls in action?

We'll walk through hosting, encryption, RBAC, audit logging and retention, tailored to your procurement requirements.