Security

Security built into every request

Tenant isolation, workspace approval, trial gating and rate limits are enforced server-side — not as feature flags. We test them in CI.

Tenant isolation

Every API resolves a workspaceId and verifies membership before any read or write. Cross-workspace requests return 403 — no data leaks across tenants.

Role-based access (RBAC)

Owner / admin / agent roles with granular permissions. Settings, billing, team invites and approvals follow the principle of least privilege.

Workspace approval

Every new workspace requires manual admin approval before any writes. Pending, rejected and suspended states return 403 server-side.

Invite-only beta

Workspace creation requires a closed-beta invite code (CLOSED_BETA_INVITE_CODE). One workspace per user during the beta.

Trial enforcement

14-day trial enforced both client-side (banner + soft redirect) and server-side (HTTP 402 on writes). Read endpoints continue working.

Audit logs

Append-only audit trail for sensitive admin actions — workspace approval, role changes, MFA toggles, billing events.

Rate limiting

Mongo-backed sliding-window limits on register, forgot password and verification resends — with TTL auto-expiry.

Disposable email blocking

A curated 15-domain disposable-email block-list rejects throwaway addresses at registration.

Encrypted credentials

Channel credentials (Telegram, WhatsApp, Resend) are masked in API responses and never returned to the UI.

Email verification

Every account verifies its email before any write. Verification emails are sent via Resend, with a workspace-level fallback.

Approval workflow

New workspaces enter pending_approval. Admins approve, reject or suspend via /admin/workspaces. State transitions are audited.

TOTP MFA

Time-based one-time passwords with backup recovery codes — manage in /settings/security.

Defense in depth

The gate chain protecting every write

Email verification → cross-workspace membership → approval gate → trial gate → handler. If any gate fails, your data stays safe.

POST /api/crm/contacts
  | enforce email verification         → 403 if unverified
  | cross-workspace membership check   → 403 if not a member
  | enforceApprovalGate()               → 403 workspace_pending_approval
  |                                     → 403 workspace_rejected
  |                                     → 403 workspace_suspended
  | enforceTrialGate()                  → 402 trial_expired
  | route business logic                → 200 OK
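
The gate chain above, modelled as an added JavaScript example that is not SyntrixOne's code: each gate returns null or a denial, the handler runs only when every gate passes, and the approval gate allow-lists the active state so any unexpected workspace state fails closed with 403. The request context shape (user.emailVerified, workspace.members, workspace.state, workspace.trialEndsAt) and the denial codes other than the three approval codes and trial_expired are assumptions.

```javascript
// Added example, not SyntrixOne's code; the ctx shape below is assumed.
const APPROVAL_DENIALS = {
  pending_approval: "workspace_pending_approval",
  rejected: "workspace_rejected",
  suspended: "workspace_suspended",
};
// Each gate returns null to pass, or a {status, code} denial that ends the chain.
function enforceEmailVerification(ctx) {
  return ctx.user.emailVerified ? null : { status: 403, code: "email_unverified" };
}

function enforceMembership(ctx) {
  // The resolved workspace must list the caller; otherwise the request is cross-tenant.
  const isMember = ctx.workspace.members.includes(ctx.user.id);
  return isMember ? null : { status: 403, code: "not_a_member" };
}

function enforceApprovalGate(ctx) {
  const state = ctx.workspace.state;
  if (state === "active") return null;
  // Allow-list "active"; every other state, known or not, fails closed with 403.
  return { status: 403, code: APPROVAL_DENIALS[state] || "workspace_unknown_state" };
}

function enforceTrialGate(ctx) {
  // 402 on writes only; per the page, read endpoints keep working after expiry.
  return ctx.now < ctx.workspace.trialEndsAt ? null : { status: 402, code: "trial_expired" };
}
// Order matters: membership is settled before any workspace state is revealed.
const WRITE_GATES = [enforceEmailVerification, enforceMembership, enforceApprovalGate, enforceTrialGate];

function handleWrite(ctx, handler) {
  for (const gate of WRITE_GATES) {
    const denial = gate(ctx);
    if (denial) return denial;
  }
  return { status: 200, code: "ok", body: handler(ctx) };
}

// Constructed sample request context for exercising the chain (workspace overrides only).
function sampleCtx(overrides = {}) {
  return {
    user: { id: "u1", emailVerified: true },
    workspace: { id: "w1", members: ["u1"], state: "active", trialEndsAt: 2000, ...overrides },
    now: 1000,
  };
}
```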

Roadmap

Future compliance

We don’t claim certifications we don’t hold. Here is what we are actively pursuing.

SOC 2 Type II

Audit kickoff after we hit public-beta scale.

SSO (SAML & OIDC)

Enterprise tier first — Okta, Google Workspace, Azure AD.

HIPAA

Healthcare-tier BAA when our compliance program matures.

GDPR DPA

Available today for EU customers — see /legal/dpa.

ISO 27001

Planned alongside SOC 2.

Penetration tests

Yearly third-party tests, rolling-fix policy.

Have a security question?

Our team responds to security inquiries within one business day.