Last updated: January 2025
2.1 Our commitment
At OffSyntax, we build and operate workflow automation that handles your business data and connects to your apps. Security is built into how we design, run, and support our platform and your workflows.
2.2 Data we handle
- We configure and run your workflows: triggers, logic, and connections to third-party services (e.g. Slack, Shopify, HubSpot, Gmail).
- Your data (e.g. emails, orders, CRM records) passes through our systems only to execute the workflows you've authorized. We do not use your business data for marketing or sell it to third parties.
- We store only what's necessary to operate, debug, and improve the service (e.g. workflow definitions, execution logs, connection metadata). Retention is limited and aligned with our Privacy Policy.
2.3 Encryption
- At rest: Workflow configurations, credentials, and stored data are encrypted using AES-256 (or equivalent industry-standard encryption).
- In transit: All data in transit is protected with TLS 1.3 (or the latest supported TLS version). We do not accept unencrypted connections for sensitive operations.
Credentials and API keys are stored encrypted and are not exposed in logs or to unauthorized personnel.
2.4 Access control and authentication
- Access to the OffSyntax dashboard and to workflow configuration is role-based. You control who in your organization has access and at what level (e.g. view-only vs. edit).
- We use strong authentication practices for our own systems. Where we support single sign-on (SSO) or multi-factor authentication (MFA), we recommend you enable them for your team.
2.5 Audit and monitoring
- We maintain audit logs for actions that affect your workflows and data (e.g. configuration changes, access events). These support troubleshooting and security reviews.
- Our systems are monitored for anomalies and incidents. We use alerts and runbooks to respond to issues in a timely manner.
2.6 Infrastructure and availability
- We run on infrastructure designed for reliability and security, with redundancy where appropriate. We target 99.9% uptime for our automation platform (subject to our SLA where applicable).
- We apply security patches and updates in line with our change management process. Critical vulnerabilities are addressed as a priority.
2.7 Third-party integrations
- Your workflows connect to third-party services (e.g. Slack, Shopify, HubSpot) via their APIs. We use OAuth 2.0 or other approved methods where available. Your data shared with those services is governed by their respective privacy and security policies.
- We select and maintain integrations with security in mind but do not control those third-party platforms. You are responsible for the security of your accounts and credentials with those services.
2.8 Compliance and certifications
- We design our practices to align with common enterprise and compliance expectations. We are SOC 2 Type II ready and can provide further information under NDA where appropriate.
- If you have specific compliance requirements (e.g. GDPR, HIPAA, industry standards), please contact us so we can discuss whether our service and data handling can support them.
2.9 Incident response and disclosure
- If we become aware of a security incident that affects your data or workflows, we will investigate, contain, and remediate in line with our incident response process. We will notify affected customers as required by law or our agreements.
- If you discover a vulnerability or potential security issue, please report it to us responsibly via Contact. We will not pursue legal action against researchers who report in good faith and follow reasonable disclosure practices.
2.10 Your responsibilities
- You are responsible for safeguarding your account (passwords, API keys, OAuth tokens). Do not share credentials or grant unnecessary access.
- You are responsible for configuring your workflows in line with your own security and privacy policies (e.g. what data you send to which apps, who has access in your organization).
2.11 Updates to this page
We may update this Security page from time to time to reflect changes in our practices or offerings. The “Last updated” date at the top will be revised when we do. Continued use of our services after changes constitutes acceptance of the updated description.
2.12 Contact
For security-related questions, compliance inquiries, or to report an issue, contact us via Contact.