
Security overview

Syllecta handles webhook traffic, write-path metadata, and operational console access. This page summarizes the current security posture and the controls planned before production pilots.

Last updated: April 26, 2026

Current controls

  • Tenant-aware authentication for console access and API usage.
  • Webhook provider verification flows for supported integrations.
  • Payload redaction in dashboard-facing views where sensitive fields are rendered.
  • Retention and cleanup jobs for webhook event data and payload history.
  • Rate limiting on login attempts and protected Backoffice API routes.

Operational model

Syllecta separates public documentation, tenant console access, internal Backoffice APIs, and webhook delivery paths. Console routes require authentication; when a UI token expires, it is cleared and the user is redirected to sign in.

Before production pilots

  • Server-side session revocation for copied or revoked JWTs.
  • Callback URL SSRF and egress policy enforcement.
  • Expanded audit events for login, logout, role changes, and session revoke.
  • Formal security review of tenant isolation, payload handling, and operational access.

Compliance status

Syllecta is not currently claiming SOC 2, ISO 27001, HIPAA, PCI, or GDPR certification. Compliance packaging and DPA/SOC 2 readiness are planned as the product moves from early pilots toward broader production use.

Security reports

If you believe you found a vulnerability, report it through your existing Syllecta pilot or early access contact channel. Include the affected route, reproduction steps, and potential impact.

© 2026 Syllecta