Skip to main content
Synthpop processes protected health information (PHI) on behalf of healthcare organizations, so security is part of the product contract, not an add-on. This page summarizes the controls a technical buyer or security reviewer typically asks about and points to the pages and people that go deeper.
This page describes the posture of the Synthpop platform at a high level. For the artifacts a formal review needs — a Business Associate Agreement (BAA), a Data Processing Agreement (DPA), the SOC 2 report, or specifics on retention, residency, and sub-processors — contact Synthpop. Concrete terms live in your agreement, not in public docs.

Compliance programs

HIPAA

Synthpop is HIPAA-compliant and handles PHI under the appropriate administrative, technical, and physical safeguards. A Business Associate Agreement (BAA) is available — contact Synthpop to put one in place before sending PHI in production.

SOC 2

Synthpop maintains SOC 2. If your review needs the report or details of the audit scope, request them through your Synthpop contact.
Put a signed BAA in place before you send real PHI to the API in production. Use the staging environment with non-production or synthetic data while you are still evaluating.

How access is controlled

The public API enforces access at two layers: it authenticates every caller, and it scopes every response to the caller’s own organization.
  • Default-deny. Every endpoint requires a valid bearer token. The only exceptions are the token-exchange endpoint (/auth/get_token) and the documentation endpoints (/docs, /redoc, /openapi.json). A request without a valid token is rejected with 401. See Authentication.
  • Org-scoped data isolation. Tasks, uploads, and results belong to the organization that created them. A caller only ever sees their own organization’s data; a request for a resource outside your organization is answered as if it does not exist (a 404), so resource identifiers cannot be probed across tenants.
  • Least-exposure credentials. You exchange a long-lived API secret for a bearer token and use the token for API calls, so the secret itself is not sent on every request. See Authentication for the token lifetime and rotation.
Treat the API secret like a password: keep it server-side, never commit it to source control, and regenerate it if you suspect exposure. Generating a new secret immediately invalidates the previous one.

How documents are protected

Uploaded documents are stored in private object storage and are never served from a public URL.
  • Short-lived download links. When you retrieve a document, Synthpop returns a presigned link that expires in 60 seconds. The link grants temporary read access to that one object and then stops working; there is no long-lived public URL to leak. Request a fresh link each time you need the file.
  • Per-organization isolation. Stored objects are partitioned by organization, consistent with the org-scoping applied at the API layer.

PHI in practice

PHI flows through the API by design: it is present in the documents you upload when you create a Task and in the structured results Synthpop returns. That is expected — the point of the API is to read and validate real clinical documents. The controls above are what keep that PHI access-controlled and isolated to your organization. Your responsibility is to keep PHI on the authenticated, org-scoped paths and out of places that are not designed to hold it. For voice-driven engagement tasks, Synthpop enforces additional safeguards: reviewed conversational flows, call auditability, backend PHI isolation, and payment-data separation. See Voice security in the Patient engagement guide.
Never put PHI, API secrets, or bearer tokens in a support ticket or bug report. When you report an issue, the Task uuid or your external_id, plus the environment, endpoint, timestamp, and HTTP status code, are enough for the team to investigate without any patient data or credentials. See Contact & support.

Data handling, retention, and sub-processors

Specifics here are governed by your agreement rather than fixed in documentation, so this page intentionally does not quote numbers.
  • Retention & deletion. Data lifecycle and deletion terms are covered in your agreement. Contact Synthpop for retention details or a DPA.
  • Data residency. Where data is processed and stored is addressed in your agreement; contact Synthpop if residency is a requirement for your review.
  • Sub-processors. The current sub-processor list is available on request.
For any of the above — a DPA, retention schedule, residency confirmation, or the sub-processor list — contact Synthpop. We would rather give you the exact, current answer than have you rely on a stale figure in a doc.

Authentication

The default-deny model, token exchange, and secret rotation.

Contact & support

Request a BAA, DPA, or the SOC 2 report — and report issues safely.

FAQ

Access, environments, and how results are delivered.

API reference

Every endpoint, request shape, and response field.