
Security & Vulnerability Disclosure

The controls SymaOS relies on to keep data safe, and the rules of engagement we follow with the security community.

Draft document

This text is an engineering placeholder pending review by qualified legal counsel. It is published so SymaOS can be evaluated end-to-end before public launch, but it is not legal advice and must not be relied upon for production decisions. The launch gate (SYMAOS_LEGAL_APPROVED=false) keeps public signup, paid plan activation, and App Store submission blocked until lawyer-reviewed versions ship.

Effective date

June 12, 2026

1. Security program

  • Encryption in transit: all public traffic uses TLS 1.2 or newer, with HTTP Strict Transport Security (HSTS) enabled so browsers refuse to fall back to plaintext HTTP.
  • Encryption at rest: OAuth tokens are encrypted with Fernet (AES-128-CBC with an HMAC-SHA256 tag) under a key managed outside the application database, so a database dump on its own does not yield usable tokens. Database backups are encrypted by the hosting provider.
  • Authentication: the server stores only the SHA-256 hash of each session token; the token itself lives only in the client's cookie, so a leaked sessions table cannot be replayed as a login. Sessions can be revoked individually or globally per user.
  • Tenant isolation: every query is scoped to the user identifier resolved from the authenticated session; client-supplied identity headers are rejected outside test mode.
  • Least privilege: connector OAuth scopes default to read-only (Gmail / Calendar). Write scopes are added only when a user explicitly enables them, and the actions that use them are gated behind the approval engine.
  • Webhook integrity: Stripe and provider webhooks must carry a valid HMAC signature in production or they are rejected. Replay protection is enforced by a persistent event inbox: each event identifier is recorded on first receipt, and a redelivered event is not processed a second time.
  • Observability: structured logging with request identifiers, error tracking with PII scrubbing, and alerting on spikes in authentication failures and webhook signature failures.
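The session-token handling described above (hash-only storage with individual and global revocation), as an added example that is not SymaOS code. It assumes a SQLite `sessions` table with a per-row `revoked` flag and opaque random tokens from `secrets.token_urlsafe`; the user identifiers are constructed for the example.

```python
"""Session store that persists only the SHA-256 digest of each bearer token.

Added illustration, not SymaOS code. Assumes a SQLite `sessions` table with a
`revoked` flag; user ids used with it are constructed for the example.
"""
import hashlib
import secrets
import sqlite3
from typing import List, Optional


def token_fingerprint(token: str) -> str:
    """Digest stored in the database in place of the token.

    Tokens are 256-bit random values, so a plain (unsalted) SHA-256 is enough:
    an attacker holding the table cannot brute-force the preimage, and the
    digest alone is not accepted by resolve() because it is hashed again.
    """
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SessionStore:
    def __init__(self, path: str = ":memory:") -> None:
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS sessions ("
            "token_hash TEXT PRIMARY KEY, user_id TEXT NOT NULL, "
            "revoked INTEGER NOT NULL DEFAULT 0)"
        )

    def create(self, user_id: str) -> str:
        """Mint a session; the raw token is returned to the caller only."""
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self.conn.execute(
            "INSERT INTO sessions (token_hash, user_id) VALUES (?, ?)",
            (token_fingerprint(token), user_id),
        )
        self.conn.commit()
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Map a presented token to its user id, or None if unknown or revoked.

        The returned user id is the only identity a request handler should
        scope queries on; identity headers from the client are never consulted.
        """
        row = self.conn.execute(
            "SELECT user_id FROM sessions WHERE token_hash = ? AND revoked = 0",
            (token_fingerprint(token),),
        ).fetchone()
        return row[0] if row else None

    def revoke(self, token: str) -> bool:
        """Revoke one session; True if it was live, False if unknown/already revoked."""
        cur = self.conn.execute(
            "UPDATE sessions SET revoked = 1 WHERE token_hash = ? AND revoked = 0",
            (token_fingerprint(token),),
        )
        self.conn.commit()
        return cur.rowcount == 1

    def revoke_all(self, user_id: str) -> int:
        """Global revocation for a user; returns how many live sessions were killed."""
        cur = self.conn.execute(
            "UPDATE sessions SET revoked = 1 WHERE user_id = ? AND revoked = 0",
            (user_id,),
        )
        self.conn.commit()
        return cur.rowcount

    def stored_hashes(self) -> List[str]:
        """What a database leak would expose: digests only, never tokens."""
        return [r[0] for r in self.conn.execute("SELECT token_hash FROM sessions")]


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.create("user_a")
    assert store.resolve(cookie) == "user_a"
    assert cookie not in store.stored_hashes()
    store.revoke_all("user_a")
    assert store.resolve(cookie) is None
```

Because `resolve()` hashes whatever the client presents, a stolen `token_hash` value cannot be submitted as a cookie; only the original token works, and it is never written to disk.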
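The webhook integrity control described above (HMAC signature check plus a persistent event inbox for replay protection), as an added example that is not SymaOS code. It assumes a Stripe-style signature header of the form `t=<unix timestamp>,v1=<hex HMAC-SHA256 over "<timestamp>.<raw body>">`, a 300 second tolerance window on the timestamp, and a SQLite table as the inbox; the secret, event identifiers and payloads are constructed for the example.

```python
"""Webhook verification: HMAC signature check plus a persistent event inbox.

Added illustration, not SymaOS code. Assumes a Stripe-style header
`t=<ts>,v1=<hex>` signing "<ts>.<raw body>" with HMAC-SHA256, a 300 s
tolerance window, and a SQLite table as the inbox; inputs are constructed.
"""
import hashlib
import hmac
import json
import sqlite3
from typing import Optional

TOLERANCE_SECONDS = 300  # assumed window for the signed timestamp


def sign_payload(secret: bytes, timestamp: int, payload: bytes) -> str:
    """Build the signature header as the sender would; used to construct inputs."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + payload, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def check_signature(secret: bytes, payload: bytes, header: str, now: int) -> Optional[str]:
    """Return None when the header validates, otherwise a short rejection reason."""
    fields, candidates = {}, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "v1":
            candidates.append(value)  # several v1 values may be present during secret rotation
        else:
            fields[key] = value
    try:
        timestamp = int(fields["t"])
    except (KeyError, ValueError):
        return "malformed_header"
    if not candidates:
        return "malformed_header"
    # Bound how long a captured request stays replayable, independent of the inbox.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return "stale_timestamp"
    expected = hmac.new(secret, f"{timestamp}.".encode() + payload, hashlib.sha256).hexdigest()
    # Constant-time comparison on the raw body, never on a re-serialised copy.
    if not any(hmac.compare_digest(expected.encode(), c.encode()) for c in candidates):
        return "bad_signature"
    return None


class EventInbox:
    """Persistent inbox: the event id is the primary key, so a redelivery is a no-op."""

    def __init__(self, path: str = ":memory:") -> None:
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS webhook_events ("
            "event_id TEXT PRIMARY KEY, received_at INTEGER NOT NULL)"
        )

    def claim(self, event_id: str, now: int) -> bool:
        """True the first time an event id is seen, False on any replay."""
        cur = self.conn.execute(
            "INSERT OR IGNORE INTO webhook_events (event_id, received_at) VALUES (?, ?)",
            (event_id, now),
        )
        self.conn.commit()
        return cur.rowcount == 1


def handle_webhook(secret: bytes, payload: bytes, header: str,
                   inbox: EventInbox, now: int) -> str:
    """Order matters: authenticate first, then dedupe, then act."""
    reason = check_signature(secret, payload, header, now)
    if reason is not None:
        return f"rejected:{reason}"
    try:
        event_id = json.loads(payload)["id"]
    except (ValueError, KeyError, TypeError):
        return "rejected:malformed_body"
    if not inbox.claim(event_id, now):
        return "duplicate"  # acknowledge so the sender stops retrying, but run no side effects
    return "accepted"       # safe to act on the event exactly once


if __name__ == "__main__":
    secret = b"whsec_constructed_example"
    body = json.dumps({"id": "evt_001", "type": "invoice.paid"}).encode()
    hdr = sign_payload(secret, 1_700_000_000, body)
    inbox = EventInbox()
    print(handle_webhook(secret, body, hdr, inbox, now=1_700_000_010))  # accepted
    print(handle_webhook(secret, body, hdr, inbox, now=1_700_000_020))  # duplicate
```

The signature check runs before the inbox lookup so an unauthenticated sender cannot fill the inbox with forged identifiers and cause real events to be dropped as duplicates; the inbox claim is a single `INSERT` on a primary key, so concurrent redeliveries race safely inside the database rather than in application code.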

2. Responsible disclosure

We welcome reports from independent security researchers. If you believe you have found a vulnerability in SymaOS, please report it to security@symaos.com and allow us a reasonable time to remediate before any public disclosure.

The following are explicitly out of scope:

  • Denial-of-service or volumetric testing against any endpoint.
  • Social engineering of SymaOS staff, customers, or sub-processors.
  • Issues that require a compromised user device or stolen credentials with no remote attack surface.
  • Findings against third-party services (Stripe, Google, Microsoft); please report those to the upstream vendor.

3. Safe harbour

Good-faith research conducted within the rules above will not lead to legal action from SymaOS. We will work with you, credit you on request, and keep the report confidential until a fix ships.

4. Contact

Security reports: security@symaos.com.
Machine-readable contact metadata is published at /.well-known/security.txt.