> ## Documentation Index
> Fetch the complete documentation index at: https://docs.synthpop.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & compliance

> How Synthpop protects protected health information (PHI): HIPAA and SOC 2 posture, the default-deny access model, org-scoped data isolation, and short-lived document links.

Synthpop processes protected health information (PHI) on behalf of healthcare
organizations, so security is part of the product contract, not an add-on. This
page summarizes the controls a technical buyer or security reviewer typically
asks about and points to the pages and people that go deeper.

<Note>
  This page describes the posture of the Synthpop platform at a high level. For
  the artifacts a formal review needs — a Business Associate Agreement (BAA), a
  Data Processing Agreement (DPA), the SOC 2 report, or specifics on retention,
  residency, and sub-processors — [contact Synthpop](/support/contact). Concrete
  terms live in your agreement, not in public docs.
</Note>

## Compliance programs

<CardGroup cols={2}>
  <Card title="HIPAA" icon="shield-heart">
    Synthpop is HIPAA-compliant and handles PHI under the appropriate
    administrative, technical, and physical safeguards. A **Business Associate
    Agreement (BAA)** is available — contact Synthpop to put one in place before
    sending PHI in production.
  </Card>

  <Card title="SOC 2" icon="clipboard-check">
    Synthpop maintains **SOC 2**. If your review needs the report or details of
    the audit scope, request them through your Synthpop contact.
  </Card>
</CardGroup>

<Warning>
  Put a signed BAA in place before you send real PHI to the API in production.
  Use the [staging environment](/authentication#environments) with
  non-production or synthetic data while you are still evaluating.
</Warning>

## How access is controlled

The public API enforces access at two layers: it authenticates every caller,
and it scopes every response to the caller's own organization.

* **Default-deny.** Every endpoint requires a valid bearer token. The only
  exceptions are the token-exchange endpoint (`/auth/get_token`) and the
  documentation endpoints (`/docs`, `/redoc`, `/openapi.json`). A request without a valid
  token is rejected with `401`. See [Authentication](/authentication).
* **Org-scoped data isolation.** Tasks, uploads, and results belong to the
  organization that created them. A caller only ever sees their own
  organization's data; a request for a resource outside your organization is
  answered as if it does not exist (a `404`), so resource identifiers cannot be
  probed across tenants.
* **Least-exposure credentials.** You exchange a long-lived API secret for a
  bearer token and use the token for API calls, so the secret itself is not sent
  on every request. See [Authentication](/authentication) for the token
  lifetime and rotation.

<Tip>
  Treat the API secret like a password: keep it server-side, never commit it to
  source control, and regenerate it if you suspect exposure. Generating a new
  secret immediately invalidates the previous one.
</Tip>

## How documents are protected

Uploaded documents are stored in private object storage and are never served
from a public URL.

* **Short-lived download links.** When you retrieve a document, Synthpop returns
  a **presigned link that expires in 60 seconds**. The link grants temporary
  read access to that one object and then stops working; there is no
  long-lived public URL to leak. Request a fresh link each time you need the
  file.
* **Per-organization isolation.** Stored objects are partitioned by
  organization, consistent with the org-scoping applied at the API layer.

## PHI in practice

PHI flows through the API by design: it is present in the documents you upload
when you create a Task and in the structured results Synthpop returns. That is
expected — the point of the API is to read and validate real clinical documents.
The controls above are what keep that PHI access-controlled and isolated to your
organization.

Your responsibility is to keep PHI on the authenticated, org-scoped paths and
out of places that are not designed to hold it.

For voice-driven engagement tasks, Synthpop enforces additional safeguards: reviewed conversational flows, call auditability, backend PHI isolation, and payment-data separation. See [Voice security](/guides/engagement/trust) in the Patient engagement guide.

<Warning>
  **Never put PHI, API secrets, or bearer tokens in a support ticket or bug
  report.** When you report an issue, the Task `uuid` or your `external_id`,
  plus the environment, endpoint, timestamp, and HTTP status code, are enough
  for the team to investigate without any patient data or credentials. See
  [Contact & support](/support/contact).
</Warning>

## Data handling, retention, and sub-processors

Specifics here are governed by your agreement rather than fixed in
documentation, so this page intentionally does not quote numbers.

* **Retention & deletion.** Data lifecycle and deletion terms are covered in
  your agreement. Contact Synthpop for retention details or a DPA.
* **Data residency.** Where data is processed and stored is addressed in your
  agreement; contact Synthpop if residency is a requirement for your review.
* **Sub-processors.** The current sub-processor list is available on request.

<Note>
  For any of the above — a DPA, retention schedule, residency confirmation, or
  the sub-processor list — [contact Synthpop](/support/contact). We would rather
  give you the exact, current answer than have you rely on a stale figure in a
  doc.
</Note>

## Related

<CardGroup cols={2}>
  <Card title="Authentication" icon="key" href="/authentication">
    The default-deny model, token exchange, and secret rotation.
  </Card>

  <Card title="Contact & support" icon="life-ring" href="/support/contact">
    Request a BAA, DPA, or the SOC 2 report — and report issues safely.
  </Card>

  <Card title="FAQ" icon="circle-question" href="/support/faq">
    Access, environments, and how results are delivered.
  </Card>

  <Card title="API reference" icon="code" href="/api-reference/introduction">
    Every endpoint, request shape, and response field.
  </Card>
</CardGroup>
