Security & Compliance
Rynko is built with enterprise-grade security. We understand that your documents contain sensitive business data, and we take protecting that data seriously.
Security Overview
- All API traffic encrypted in transit
- Passwords & keys hashed
- EU data protection compliant
- Uptime SLA target
Quick Links
- Compliance & Certifications - SOC 2, GDPR, CCPA, PCI DSS
- Data Handling & Encryption - How we protect your data
- Infrastructure & Reliability - Railway, uptime, disaster recovery
Security Principles
Defense in Depth
We implement multiple layers of security:
- Network Layer: WAF, DDoS protection, IP whitelisting (Enterprise)
- Application Layer: Input validation, rate limiting, CSRF protection
- Data Layer: TLS in transit, hashed credentials, access controls
- Operational Layer: Audit logging, monitoring, incident response
Least Privilege Access
- API keys scoped to specific permissions
- Role-based access control (Owner, Admin, Member, Viewer)
- OAuth scopes limit third-party access
- No shared credentials
Data Minimization
- We only store data necessary for the service
- Generated documents retained for 3 days
- Variable data used for generation is not stored long-term
- Logs retained for compliance then purged
Authentication Methods
Rynko supports multiple secure authentication methods:
| Method | Use Case | Security Level |
|---|---|---|
| API Keys | Server-to-server | High (scoped permissions) |
| Personal Access Tokens (PAT) | MCP servers, CLI tools | High (SHA-256 hashed, time-limited) |
| JWT Tokens | Dashboard/web apps | High (short-lived) |
| OAuth 2.0 | Third-party integrations | High (scoped, revocable) |
| 2FA | Dashboard login | Additional layer |
Personal Access Tokens (PAT)
Personal Access Tokens provide secure authentication for MCP servers, CLI tools, and other programmatic access where API keys are not suitable.
Key security features:
- Token format: pat_ prefix + 64 hex characters (256-bit random)
- Storage: Tokens are hashed with SHA-256 before storage; the plaintext token is only shown once at creation
- Expiry: Maximum 30 days (hard cap), configurable at creation time
- Scope: User-level access, i.e. the token can do everything the user can do across all projects and environments the user is a member of; where a narrower grant will do, use an API key scoped to specific permissions instead
- Tracking: Last used timestamp and IP address recorded for security auditing
- Revocation: Tokens can be revoked immediately from the dashboard
API endpoints:
- POST /api/personal-access-tokens - Create a new PAT (returns plaintext once)
- GET /api/personal-access-tokens - List PATs (shows prefix only)
- DELETE /api/personal-access-tokens/:id - Revoke a PAT
Usage: Include the token in the Authorization header:
Authorization: Bearer pat_your_token_here
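The following is an added example, not Rynko's own code, that models the PAT lifecycle described above end to end: a pat_ prefix followed by 64 hex characters drawn from the OS CSPRNG, SHA-256 hashing before storage with the plaintext returned exactly once, the 30-day hard cap, prefix-only listings, last-used timestamp and IP tracking, immediate revocation, and parsing of the Authorization: Bearer header on the server side. The store layout, the function names, the 12-character displayed prefix and the use of epoch-second timestamps are assumptions made for illustration.

```python
"""Personal-access-token lifecycle modelled on the properties described above.

Added example, not Rynko's own code. Store layout, function names, the
12-character displayed prefix and epoch-second timestamps are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

PAT_PREFIX = "pat_"
TOKEN_BYTES = 32                      # 256 bits from the OS CSPRNG -> 64 hex chars
MAX_TTL_SECONDS = 30 * 86400          # hard cap stated on the page
PREFIX_SHOWN = len(PAT_PREFIX) + 8    # how much of a token listings reveal (assumption)
HEX = set("0123456789abcdef")


def hash_token(plaintext: str) -> str:
    """SHA-256 of the full token; this, not the plaintext, is what gets stored."""
    return hashlib.sha256(plaintext.encode("ascii")).hexdigest()


def ttl_is_allowed(ttl_seconds: int) -> bool:
    """Enforces the 30-day hard cap; the caller may choose anything shorter."""
    return 0 < ttl_seconds <= MAX_TTL_SECONDS


@dataclass
class StoredToken:
    token_id: str
    user_id: str
    prefix: str                        # shown in listings so users can tell tokens apart
    digest: str                        # hash_token(plaintext)
    expires_at: int                    # epoch seconds
    revoked: bool = False
    last_used_at: Optional[int] = None
    last_used_ip: Optional[str] = None


class TokenStore:
    """In-memory stand-in for the token table (assumption for the example)."""

    def __init__(self) -> None:
        self._by_id: dict[str, StoredToken] = {}

    def create(self, user_id: str, ttl_seconds: int,
               now: Optional[int] = None) -> tuple[str, StoredToken]:
        """POST /api/personal-access-tokens: the plaintext is returned exactly once."""
        if not ttl_is_allowed(ttl_seconds):
            raise ValueError("expiry must be between 1 second and 30 days")
        now = int(time.time()) if now is None else now
        plaintext = PAT_PREFIX + secrets.token_hex(TOKEN_BYTES)
        rec = StoredToken(
            token_id=secrets.token_urlsafe(8),
            user_id=user_id,
            prefix=plaintext[:PREFIX_SHOWN],
            digest=hash_token(plaintext),
            expires_at=now + ttl_seconds,
        )
        self._by_id[rec.token_id] = rec
        return plaintext, rec

    def list_for_user(self, user_id: str) -> list[dict]:
        """GET /api/personal-access-tokens: prefix and audit metadata, never the digest."""
        return [
            {"id": r.token_id, "prefix": r.prefix, "expires_at": r.expires_at,
             "revoked": r.revoked, "last_used_at": r.last_used_at,
             "last_used_ip": r.last_used_ip}
            for r in self._by_id.values() if r.user_id == user_id
        ]

    def revoke(self, token_id: str) -> bool:
        """DELETE /api/personal-access-tokens/:id: effective on the next request."""
        rec = self._by_id.get(token_id)
        if rec is None:
            return False
        rec.revoked = True
        return True

    def authenticate(self, authorization: Optional[str], client_ip: str,
                     now: Optional[int] = None) -> Optional[StoredToken]:
        """Resolve an Authorization header to a live token, recording last use."""
        now = int(time.time()) if now is None else now
        if not authorization:
            return None
        scheme, _, value = authorization.strip().partition(" ")
        value = value.strip()
        body = value[len(PAT_PREFIX):]
        # Reject anything that is not "Bearer pat_<64 lowercase hex>" before touching the store.
        if (scheme != "Bearer" or not value.startswith(PAT_PREFIX)
                or len(body) != 2 * TOKEN_BYTES or not set(body) <= HEX):
            return None
        digest = hash_token(value)
        for rec in self._by_id.values():
            # A real store would do an indexed lookup on the digest column; the
            # constant-time compare matters wherever the digest is compared in code.
            if hmac.compare_digest(rec.digest, digest):
                if rec.revoked or now >= rec.expires_at:
                    return None
                rec.last_used_at = now
                rec.last_used_ip = client_ip
                return rec
        return None


if __name__ == "__main__":
    store = TokenStore()
    plaintext, rec = store.create("user-42", ttl_seconds=7 * 86400)
    print("shown once:", plaintext)
    print("listing:", store.list_for_user("user-42"))
    print("auth ok:", store.authenticate("Bearer " + plaintext, "203.0.113.5") is rec)
    store.revoke(rec.token_id)
    print("after revoke:", store.authenticate("Bearer " + plaintext, "203.0.113.5"))
```

A plain SHA-256 is adequate here, unlike for passwords, because the token carries 256 bits of randomness and cannot be brute-forced, so a slow hash such as bcrypt buys nothing; what matters is that only the digest is stored, so a database leak does not yield usable tokens. On the client side the plaintext should be treated like a password: keep it in an environment variable or secret store and never write it to logs or shell history.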
Reporting Security Issues
If you discover a security vulnerability, please report it responsibly:
Email: security@rynko.dev
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Your contact information
We will acknowledge receipt within 24 hours and provide updates as we investigate.
Please do not publicly disclose security issues until we've had a chance to address them.
Security FAQ
Is my data protected?
Yes, we implement multiple security measures:
- In transit: All connections secured via TLS (Cloudflare)
- Credentials: Passwords, API keys, and OAuth tokens are hashed with bcrypt; personal access tokens are hashed with SHA-256
- Document content: Variables are processed and not stored long-term
Where is my data stored?
Rynko infrastructure runs on Railway in the US region. EU data residency options are planned for a future release.
Can I get a Data Processing Agreement (DPA)?
Yes, DPAs are available for all customers. Contact support@rynko.dev to request one.
Do you process credit card data?
No, we never handle or store credit card data directly. Payment processing is handled by a PCI DSS compliant third-party provider.
How do I report a security issue?
Email security@rynko.dev with details of the vulnerability. We take all reports seriously and will acknowledge receipt within 24 hours.