At SyncBooks, security isn't an afterthought — it's foundational to everything we build. Your financial data deserves the highest level of protection, and we deliver enterprise-grade security across every layer of our platform.
AES-256 Encryption
GRA Compliant
1. Data Encryption
1.1 Encryption at Rest
All sensitive data stored in our databases is encrypted using industry-standard algorithms:
AES-256-CBC: Used for highly sensitive fields including API keys, bank account numbers, OAuth tokens, and payment credentials
bcrypt (cost factor 12): All user passwords are hashed with bcrypt — never stored in plaintext
Database-level encryption: MongoDB Atlas provides transparent storage encryption using AES-256
Backup encryption: All database backups are encrypted before storage
1.2 Encryption in Transit
TLS 1.3: All data transmitted between your browser and our servers is encrypted with TLS 1.3
HTTPS enforced: HTTP connections are automatically redirected to HTTPS
Certificate pinning: API clients validate our SSL certificate chain
Internal encryption: Service-to-service communication within our infrastructure uses mutual TLS
1.3 Key Management
Encryption keys are stored separately from the data they protect
Keys are rotated on a regular schedule
Access to key material is restricted to critical system processes only
OAuth 2.0: Google Sign-In with verified email domains
Session Management: JWT tokens with short expiry (1 hour access, 7 days refresh) and automatic rotation
Brute Force Protection: Account lockout after 5 failed attempts with progressive delays
2.2 Authorization (RBAC)
SyncBooks implements granular role-based access control (RBAC):
Owner: Full platform access, billing, user management
Admin: Organization-wide settings and all modules
Manager: Department-specific oversight with approval authority
Accountant: Financial data access without administrative privileges
Cashier: POS-only access with transaction limits
Staff: Limited access to assigned modules only
Viewer: Read-only access to reports and dashboards
Each role includes fine-grained permissions (view, create, edit, delete, approve) per module. Custom permission sets can be configured per organization.
2.3 API Security
API keys are encrypted at rest and scoped per organization
Rate limiting: 100 requests/minute for standard plans, 500/minute for enterprise
IP allowlisting available for enterprise accounts
Webhook signatures use HMAC-SHA256 for payload verification
OAuth 2.0 with PKCE for third-party application integration
3. Infrastructure Security
3.1 Cloud Hosting
Platform: Hosted on AWS and Vercel with auto-scaling and geographic redundancy
Database: MongoDB Atlas (managed) with automated failover and point-in-time recovery
CDN: Global content delivery network for fast, secure asset delivery
DDoS Protection: Automatic DDoS mitigation at the network edge
3.2 Backups & Disaster Recovery
Continuous backups: Point-in-time recovery with 7-day retention for all plans
Daily snapshots: Full database snapshots retained for 30 days
Geographic redundancy: Backups stored in separate availability zones
Recovery Time Objective (RTO): <4 hours for full recovery
Recovery Point Objective (RPO): <1 hour data loss window
Financial records retained for mandatory 7-year period
Tax calculation compliant with Ghana VAT/NHIL/GETFund/COVID-19 levy rates
Invoice numbering meets GRA sequential requirements
Audit-ready reports exportable in GRA-accepted formats
5.3 GDPR (EU General Data Protection Regulation)
While SyncBooks is not yet formally GDPR-certified, our platform is designed with GDPR principles in mind:
Standard Contractual Clauses (SCCs) for international data transfers
Right to erasure honored within 30 days (except legally required retention)
Data minimization principles applied across all features
Consent management for optional data processing
We are actively working toward full GDPR compliance certification. See "How We Plan to Achieve GDPR Compliance" below.
5.4 PCI-DSS Awareness
SyncBooks does not directly store credit card numbers. All payment processing is handled by PCI-DSS Level 1 certified payment processors (Paystack). We never have access to full card details.
6. Data Retention & Deletion
Data Type
Retention Period
Basis
Financial records
7 years
GRA Act 896
User account data
Active + 14 days post-closure
Contract
AI conversations
Until deleted / 14 days post-closure
Consent
Audit logs
2 years (active account)
Legitimate interest
Session/access logs
90 days
Security
Backups containing deleted data
14 days
Operational
When you request account deletion, non-financial data is purged within 14 days. Financial records required by law are archived securely for the statutory period, then permanently destroyed. You can export all your data at any time in CSV, JSON, Excel, or PDF formats.
7. Incident Response
SyncBooks maintains a documented incident response plan that is tested regularly:
7.1 Response Timeline
Detection: Automated monitoring detects anomalies within minutes
Triage: Security team assesses severity within 1 hour
Containment: Immediate action to isolate affected systems
Notification: Affected users notified within 72 hours of confirmed breach (as required by GDPR and Act 843)
Resolution: Root cause analysis and remediation
Post-mortem: Published incident report for significant events
7.2 Breach Notification
In the unlikely event of a data breach, we will:
Notify the Data Protection Commission of Ghana within 72 hours
Notify affected users via email and in-app notification
Provide details of what data was affected and remediation steps
Offer identity monitoring services if personal data was compromised
8. Third-Party Sub-Processors
We carefully vet all third-party services that process your data:
Provider
Purpose
Location
MongoDB Atlas
Database hosting
US / EU
AWS
Cloud infrastructure & storage
US / EU
Vercel
Application hosting & CDN
Global
OpenAI
AI processing (no model training)
US
Paystack
Payment processing (PCI-DSS L1)
Nigeria / Ghana
Redis (Upstash)
Caching & rate limiting
Global
Cloudflare Turnstile
Bot protection
Global
All sub-processors are bound by Data Processing Agreements (DPAs). We will notify you 30 days before adding new sub-processors that handle your personal data.
9. Responsible Disclosure
We welcome security researchers who help us keep SyncBooks safe. If you discover a vulnerability: