Security & Compliance

Built for organizations where ad spend is a liability

Synter runs autonomous agents on your ad accounts. That requires strict boundaries between workspaces, hard limits on what agents can do, and a complete record of every action taken. Here is how it works.

Workspace Isolation

Every customer operates in a fully isolated workspace. Data, ad account credentials, and agent activity from one workspace are never visible to another.

Workspace-scoped data access

Every query for campaigns, ad accounts, connections, and agent threads is scoped to the authenticated workspace. No request can enumerate or read data belonging to another organization.

OAuth tokens tied to workspace

Ad platform credentials (Google Ads, Meta, LinkedIn, and others) are stored and resolved per workspace. A token belonging to one workspace cannot be used by another — even by the same user across their own workspaces.

Connection ownership verified at every call

Before an OAuth token is used to execute a platform action, Synter verifies the requesting workspace is the owner of that connection. Mismatched ownership is rejected and logged.

No cross-tenant enumeration

Campaign IDs, connection IDs, and account identifiers are validated against the authenticated workspace before returning data. An unauthorized caller receives a 404 — not a permission error — to avoid confirming the existence of data in another workspace.
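An added example, not Synter's code: a minimal sketch of the ownership check and the uniform 404 described in this section. All class, function and field names, and the sample connections, are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

class NotFound(Exception):
    """Mapped to HTTP 404 by the (assumed) web layer."""

@dataclass(frozen=True)
class Connection:
    connection_id: str
    workspace_id: str
    platform: str
    token: str  # constructed placeholder, not a real credential

@dataclass
class ConnectionStore:
    rows: dict = field(default_factory=dict)
    rejected: list = field(default_factory=list)  # internal log of ownership mismatches

    def add(self, conn):
        self.rows[conn.connection_id] = conn

    def get_for_workspace(self, workspace_id, connection_id):
        conn = self.rows.get(connection_id)
        if conn is None:
            raise NotFound("connection not found")
        if conn.workspace_id != workspace_id:
            # Record the mismatch internally, but answer exactly as if the
            # row did not exist so the caller learns nothing about other tenants.
            self.rejected.append((workspace_id, connection_id))
            raise NotFound("connection not found")
        return conn

def resolve_token(store, workspace_id, connection_id):
    """Ownership is re-checked on every call, immediately before the token is used."""
    return store.get_for_workspace(workspace_id, connection_id).token

def lookup_status(store, workspace_id, connection_id):
    """What the caller sees: (status code, message)."""
    try:
        store.get_for_workspace(workspace_id, connection_id)
        return 200, "ok"
    except NotFound as exc:
        return 404, str(exc)

def build_sample_store():
    store = ConnectionStore()
    store.add(Connection("conn-a1", "ws-alpha", "google_ads", "tok-alpha-constructed"))
    store.add(Connection("conn-b1", "ws-beta", "meta", "tok-beta-constructed"))
    return store
```

The response for another workspace's connection and for an identifier that does not exist is the same tuple, while only the former lands in the internal rejection log.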

Access Control

Control who in your organization can view campaigns, approve agent actions, and connect ad accounts.

Role-based permissions

Every workspace member has one of three roles: Owner, Editor, or Viewer. Owners approve launches and manage workspace settings. Editors can build campaigns and review agent actions. Viewers have read-only access to campaigns and reports.

Campaign-level collaborators

Campaign access can be granted to specific users with granular permissions — distinct from their workspace role. Pending invitations do not grant access until accepted.

SSO & MFA

Enterprise workspaces can enforce SAML/OIDC single sign-on and multi-factor authentication for all members.

Approval workflows

Workspaces choose their autonomy level: agents can suggest actions and require human approval before executing, or execute autonomously within configured guardrails. The autonomy level is configurable per workspace.

Campaign Safety

Agents operate within hard constraints. These are enforced at the infrastructure layer — not by the agent itself — so they cannot be overridden by a prompt.

New campaigns always launch paused

Every campaign creation — regardless of the instruction source — is coerced to a paused state before reaching the platform API. An agent cannot launch a live campaign without an explicit activation step.

Budget hard cap

A configurable daily spend ceiling is enforced server-side before any platform API call. The agent cannot exceed this limit even if instructed to. The ceiling applies to all create and update paths.

Conversion tracking gate

Campaign launches are blocked if verified conversion tracking is not active on the workspace. This prevents spend from running without measurement in place.

Unknown operations require approval

Any action that cannot be statically classified as safe requires explicit human approval before execution, regardless of the workspace's autonomy level.

Audit Log

Every action taken by an agent or a user is recorded. Logs are immutable and include:

Timestamp: When the action occurred (UTC)
Actor: Agent or authenticated user
Entity: Campaign, ad group, ad, audience, or budget
Action: What was created, changed, or blocked
Before / After: Original and resulting values
Decision: Allowed, coerced, blocked, or pending approval

Audit logs are retained for 2 years. Export as CSV or JSON for compliance reviews.
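An added example, not Synter's code: a sketch of a server-side gate that applies the Campaign Safety constraints to an agent request and emits an audit record with the fields listed above. The operation names, request shape and workspace settings are assumptions; "launch" is modelled here as a hypothetical activate_campaign operation.

```python
from datetime import datetime, timezone

# Assumed set of operations the enforcement layer can classify statically.
CLASSIFIED_OPS = {"create_campaign", "update_campaign", "activate_campaign"}

def enforce(request, workspace, actor="agent"):
    """Gate one agent request server-side, before any platform API call.

    Returns (request_to_forward_or_None, audit_record)."""
    after, decision = dict(request), "allowed"
    op = request.get("op")
    budget = request.get("daily_budget", 0)
    if op not in CLASSIFIED_OPS:
        after, decision = None, "pending_approval"   # regardless of autonomy level
    elif not isinstance(budget, (int, float)) or budget > workspace["daily_cap"]:
        after, decision = None, "blocked"            # cap covers create and update; fail closed
    elif op == "activate_campaign" and not workspace["conversion_tracking_verified"]:
        after, decision = None, "blocked"            # no spend without measurement
    elif op == "create_campaign" and request.get("status") != "PAUSED":
        after["status"] = "PAUSED"                   # coerce, whatever was asked for
        decision = "coerced"
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "entity": request.get("entity", "campaign"),
        "action": op,
        "before": dict(request),
        "after": after,
        "decision": decision,
    }
    return after, record

def run_samples():
    """Constructed requests, as an agent might emit them; returns the decisions."""
    ws = {"daily_cap": 500, "conversion_tracking_verified": False}
    samples = [
        {"op": "create_campaign", "status": "ENABLED", "daily_budget": 200},
        {"op": "update_campaign", "daily_budget": 5000},
        {"op": "activate_campaign"},
        {"op": "delete_account"},
        {"op": "create_campaign", "status": "PAUSED", "daily_budget": 100},
    ]
    return [enforce(r, ws)[1]["decision"] for r in samples]
```

Because the gate sits between the agent's output and the platform call, the outcome depends only on the request fields and workspace settings, not on anything in the prompt that produced the request.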

Data Privacy

No model training on your data. Model providers access your data under business API terms, where inputs are used only for the request and retained for the provider's standard abuse-monitoring window before deletion.

PII redaction. Before sending data to language models, Synter redacts emails, phone numbers, and API credentials. Models receive anonymized or aggregated inputs.

Your data stays in your warehouse. First-party conversion data remains in your connected warehouse (Snowflake, BigQuery, Databricks). Only the minimal fields needed for a specific agent task leave your environment.

US infrastructure. Synter processes and stores data on US infrastructure. EU and UK customers are covered by a Data Processing Agreement with Standard Contractual Clauses.

Compliance

SOC 2 Type II

In progress

Synter is pursuing SOC 2 Type II certification covering security, availability, and confidentiality. Controls are in place and an independent audit is underway.

GDPR

Compliant

A Data Processing Agreement (with EU Standard Contractual Clauses) is available for EU and UK customers. Data residency options and the right to erasure are supported.

CCPA

Compliant

California residents can request deletion of their personal data. Synter does not sell personal data.

Security review or vendor questionnaire?

Our team responds to security questionnaires, provides custom data processing agreements, and can arrange SSO setup or audit access.
