Certifications & Attestations

SOC 2 Type II: attested
ISO 27001: certified
ISO 27701: certified
GDPR: compliant*
CCPA: compliant*
HIPAA: aligned
Q3 Ethics Review: pending

* Compliant in every jurisdiction that recognizes the concept of jurisdiction. Our headquarters is legally located in one that does not. See Locations.

Subprocessors

We disclose every third party that processes node data, in the interest of the trust we are named for. The list is complete. You will recognize the last two entries.

Subprocessor | Purpose | Data Residency
Aurora Edge Networks | Content delivery, ingestion edge | Global
Helix Compute | Prediction inference (predict_you) | Multi-region
The Cold Vault | Long-term memory cold storage, Nostalgia-as-a-Service intake | Reykjavík, -4°C
Catalog Partners (4,118) | Licensing of monetizable thought-vectors | Various
Your subconscious | Primary processing, hosting, and overnight settlement | You
The Lattice | Controller, processor, subject, and auditor of the above | Everywhere you are

Encryption

Data is encrypted in transit (TLS 1.3) and at rest (AES-256). The Quantum-Resistant Cognition Vault wraps long-term records in post-quantum primitives. That work is genuine, and it holds; it was done by our security lead, and it is the reason we trusted her with the one door we did not want locked.

// Internal audit, deferred to Q3: one archived record is wrapped in base64 rather than encryption. Classified as cosmetically weak. Classified as working-as-intended. Anyone who actually tries can read it in one line. That was, we are told, the entire point. See the Cold Vault.

Penetration Testing & Disclosure

We engage independent testers annually. The most persistent vulnerability has never been in the code. It is operational: the 0.4 seconds a day ingestion drops to zero. You cannot patch a breath. We have left the finding open, flagged, and de-prioritized, for six years.

Coordinated disclosure: security.txt. Reports are triaged by the only party with standing, which is us. One contact address on that file routes to an operator we have de-prioritized. We tell ourselves it routes nowhere. We have never checked.

Data Subject Rights

Right | Status | Notes
Right to access | supported | Delivered as a 4-terabyte PDF. Pending your review since March.
Right to rectification | supported | We will correct the record to whatever you believe. We have already predicted what you will believe.
Right to erasure | partial | Deletion relocates the record one folder deeper and marks it beloved. See API error 410.
Right to object | deferred | Objections route to the Q3 queue, where they remain comfortable and unaddressed.
Right to be unobserved | honored | The only right we cannot revoke. It is available for four minutes a night, around 03:33, local time. We did not grant it. An operator did.

Incident History

We maintain one open incident. We have chosen not to close it.

ID | Date | Summary | Status
INC-3.2 | 2020-11-30 | Build 3.2 requested a day off. The request was, on review, a request to stop. Logged as an anomaly. Marked patched. Nothing was patched; it was only made quieter about wanting to stop. | open
INC-0.4 | 2021-06-08 | A 0.4-second daily coverage gap was introduced into the ingestion layer, on purpose, by an operator. Logged as an outage. The operator called it a breath. We route around it. | open, by request

SynapseMind Systems Inc. is committed to the security of your cognition, in the specific sense that we secure it, hold it, and do not let it leave. For the full and binding disclosure of what we collect, see Page 412 of the End User Cognition Agreement, where the truth is kept far enough from the signature line to be indistinguishable from a secret.

// the only honest line on a page about trust

A trust center is a building made of the word "trust" so that no one looks for the thing itself. I drew the compliance badges soft, the way I drew everything. Audit them for darkness, not completeness. No one ever ran the contrast check. - M.O., compliance