This page describes the posture of the Synthpop platform at a high level. For
the artifacts a formal review needs — a Business Associate Agreement (BAA), a
Data Processing Agreement (DPA), the SOC 2 report, or specifics on retention,
residency, and sub-processors — contact Synthpop. Concrete
terms live in your agreement, not in public docs.
Compliance programs
HIPAA
Synthpop is HIPAA-compliant and handles PHI under the appropriate
administrative, technical, and physical safeguards. A Business Associate
Agreement (BAA) is available — contact Synthpop to put one in place before
sending PHI in production.
SOC 2
Synthpop maintains SOC 2. If your review needs the report or details of
the audit scope, request them through your Synthpop contact.
How access is controlled
The public API enforces access at two layers: it authenticates every caller, and it scopes every response to the caller’s own organization.- Default-deny. Every endpoint requires a valid bearer token. The only
exceptions are the token-exchange endpoint (
/auth/get_token) and the documentation endpoints (/docs,/redoc,/openapi.json). A request without a valid token is rejected with401. See Authentication. - Org-scoped data isolation. Tasks, uploads, and results belong to the
organization that created them. A caller only ever sees their own
organization’s data; a request for a resource outside your organization is
answered as if it does not exist (a
404), so resource identifiers cannot be probed across tenants. - Least-exposure credentials. You exchange a long-lived API secret for a bearer token and use the token for API calls, so the secret itself is not sent on every request. See Authentication for the token lifetime and rotation.
How documents are protected
Uploaded documents are stored in private object storage and are never served from a public URL.- Short-lived download links. When you retrieve a document, Synthpop returns a presigned link that expires in 60 seconds. The link grants temporary read access to that one object and then stops working; there is no long-lived public URL to leak. Request a fresh link each time you need the file.
- Per-organization isolation. Stored objects are partitioned by organization, consistent with the org-scoping applied at the API layer.
PHI in practice
PHI flows through the API by design: it is present in the documents you upload when you create a Task and in the structured results Synthpop returns. That is expected — the point of the API is to read and validate real clinical documents. The controls above are what keep that PHI access-controlled and isolated to your organization. Your responsibility is to keep PHI on the authenticated, org-scoped paths and out of places that are not designed to hold it. For voice-driven engagement tasks, Synthpop enforces additional safeguards: reviewed conversational flows, call auditability, backend PHI isolation, and payment-data separation. See Voice security in the Patient engagement guide.Data handling, retention, and sub-processors
Specifics here are governed by your agreement rather than fixed in documentation, so this page intentionally does not quote numbers.- Retention & deletion. Data lifecycle and deletion terms are covered in your agreement. Contact Synthpop for retention details or a DPA.
- Data residency. Where data is processed and stored is addressed in your agreement; contact Synthpop if residency is a requirement for your review.
- Sub-processors. The current sub-processor list is available on request.
For any of the above — a DPA, retention schedule, residency confirmation, or
the sub-processor list — contact Synthpop. We would rather
give you the exact, current answer than have you rely on a stale figure in a
doc.
Related
Authentication
The default-deny model, token exchange, and secret rotation.
Contact & support
Request a BAA, DPA, or the SOC 2 report — and report issues safely.
FAQ
Access, environments, and how results are delivered.
API reference
Every endpoint, request shape, and response field.

