SyncHive

Security

Security at SyncHive

Last updated: Jun 3, 2026

SyncHive is designed to help organisations connect, exchange, route, store, and manage data between systems, applications, and data stores. Because SyncHive handles customer data flows, security, privacy, and operational resilience are core to how we design and operate the platform.

This page summarises the security practices used by Meaningful Technology Ltd trading as SyncHive to protect customer data and operate the SyncHive service.

This page should be read together with our:

1. Security overview

SyncHive uses layered security controls across hosting, access management, encryption, monitoring, backups, incident response, and supplier management.

Our security approach is based on the following principles:

  • protect customer data by design;
  • limit access to systems and data based on need;
  • encrypt data in transit and at rest;
  • monitor the service for reliability, performance, and security;
  • maintain backups for business continuity and disaster recovery;
  • use trusted infrastructure and service providers;
  • be transparent about subprocessors and hosting regions;
  • notify affected customers of confirmed security incidents involving their data;
  • continuously improve our security practices as SyncHive grows.

We are implementing an ISO 27001-aligned Information Security Management System. Certification is in progress. Until certification is complete, SyncHive does not claim to be ISO 27001 certified.

2. Data hosting and regions

SyncHive uses Amazon Web Services to host the SyncHive platform.

Customers may choose the hosting region for each Hive when the Hive is created, where region selection is available.

Current Hive hosting regions are:

RegionProvider
US West (Oregon), United StatesAmazon Web Services
Asia Pacific (Sydney), AustraliaAmazon Web Services

Customer Hive Data is hosted in the selected Hive region.

Backups and logs relating to Hive Data remain in the selected Hive region.

Workspace-level, account-level, user, billing, authentication, administrative, support, operational, and telemetry data may be hosted or processed in AWS US West (Oregon) regardless of the selected Hive region.

A Hive cannot currently be migrated to another region after it has been created. Customers are responsible for selecting the appropriate region when creating a Hive.

3. Data ownership and use

Customers retain ownership of their Customer Data.

SyncHive processes Customer Data only as needed to provide, operate, secure, support, maintain, and improve the reliability of the service, comply with law, and enforce our Terms.

SyncHive does not sell Customer Data.

SyncHive does not use Customer Data to train artificial intelligence or machine learning models.

SyncHive may collect and use logs, telemetry, usage data, token consumption data, performance data, and diagnostic information to:

  • operate the service;
  • calculate usage and billing;
  • monitor reliability and performance;
  • troubleshoot issues;
  • detect and prevent misuse;
  • investigate security incidents;
  • improve service stability and security.

SyncHive may use aggregated, anonymised, or de-identified information where it does not identify a customer, user, or individual.

4. Encryption

SyncHive encrypts data in transit and at rest.

Data transmitted to and from SyncHive is protected using industry-standard transport encryption.

Stored data and backups are encrypted at rest using cloud provider encryption capabilities.

5. Access control

SyncHive supports role-based access control at both Workspace and Hive level.

Customers are responsible for managing their own users, roles, permissions, and access decisions.

Internally, SyncHive restricts access to production systems and customer data to authorised personnel who require access for legitimate operational, security, support, or maintenance purposes.

Access is managed using individual accounts and operational access controls. SyncHive uses secrets management tools to help protect operational credentials and secrets.

6. Authentication and MFA

SyncHive supports optional multi-factor authentication.

Customers are responsible for:

  • enabling MFA where appropriate;
  • maintaining secure passwords and credentials;
  • removing access for users who no longer require it;
  • assigning appropriate Workspace and Hive permissions;
  • protecting API keys, access tokens, credentials, and integration secrets.

We strongly recommend enabling MFA for administrative users.

7. Backups and recovery

SyncHive maintains backups for disaster recovery and business continuity.

Hive backups remain in the selected Hive region.

Deleted Customer Data may remain in encrypted backups for up to 30 days after deletion from active systems, after which it expires through normal backup rotation.

Backups are not used for ordinary business purposes.

Following cancellation, termination, trial expiry, or non-payment, Customer Data may be retained for up to 90 days to allow export, reactivation, or conversion to a paid subscription, unless deleted earlier by the customer.

8. Logging and monitoring

SyncHive collects logs, telemetry, and usage data to operate, secure, monitor, troubleshoot, and improve service reliability.

Hive-related logs remain in the selected Hive region.

Logs and telemetry may be used for:

  • security monitoring;
  • performance monitoring;
  • incident investigation;
  • debugging and troubleshooting;
  • usage metering;
  • token consumption tracking;
  • service reliability improvements.

We aim to minimise customer payload data in logs, telemetry, support tickets, and community channels.

Customers should not include sensitive, regulated, payment, health, biometric, children's, government identifier, credential, or other restricted data in support tickets, emails, community channels, or informal communications unless SyncHive has expressly approved that use in writing.

9. Incident response

SyncHive maintains processes for identifying, assessing, escalating, responding to, and reviewing security incidents.

If SyncHive becomes aware of a confirmed Security Incident involving Customer Data, we will notify affected customers without undue delay and, where feasible, within 72 hours after confirmation.

Incident notifications may include information reasonably available at the time, such as:

  • the nature of the incident;
  • the data or systems affected, where known;
  • the steps taken or planned by SyncHive;
  • recommended steps for the customer;
  • contact details for follow-up.

We may provide additional updates as more information becomes available.

SyncHive generally notifies the customer organisation rather than individual authorised users, unless required by law or otherwise agreed.

10. Subprocessors

SyncHive uses selected third-party service providers to host, secure, support, maintain, and operate the service.

Our key service providers include providers for:

  • cloud hosting;
  • authentication;
  • databases;
  • compute infrastructure;
  • support ticketing;
  • email and collaboration;
  • network security;
  • DNS and traffic protection;
  • password and secrets management;
  • community communication.

We maintain a public Subprocessor List that describes our material subprocessors, their purpose, the data they may process, and relevant processing locations.

We notify customers of material subprocessor changes by email.

Where reasonably practicable, we provide at least 14 days' notice before authorising a new material subprocessor to process Customer Personal Data.

11. Privacy and data protection

SyncHive is operated by a New Zealand company and is designed to support obligations under the New Zealand Privacy Act 2020, Australian privacy requirements, and GDPR-style processor obligations where applicable.

Where SyncHive processes personal information or personal data on behalf of a customer, the SyncHive Data Processing Addendum applies.

Customers are responsible for determining whether their use of SyncHive complies with the privacy, data protection, employment, consumer, financial, sector-specific, and other laws that apply to them.

SyncHive does not claim that the service is suitable for every privacy regime, regulated sector, country, data type, or high-risk use case unless expressly agreed in writing.

12. Restricted data and high-risk use

Customers must not use SyncHive to process sensitive, regulated, payment, health, biometric, children's, government identifier, credential, or other restricted data unless SyncHive has expressly approved that use in writing.

Restricted data includes:

  • raw payment card data;
  • card verification codes;
  • bank account credentials;
  • health information or patient records;
  • biometric data;
  • children's personal information;
  • government-issued identifiers;
  • passwords, API keys, private keys, access tokens, or similar secrets, except through approved configuration or secrets-management features;
  • data subject to PCI DSS, HIPAA, or similar sector-specific requirements;
  • sensitive personal information or special category personal data.

Customers must also not use SyncHive for high-risk use cases such as critical infrastructure, emergency response, safety-of-life systems, surveillance, law enforcement, employment decisions, credit or insurance decisions, or similar use cases unless expressly approved in writing.

13. Secure development and change management

SyncHive follows controlled development and deployment practices.

Our development and operational practices include:

  • source code managed in private repositories;
  • controlled deployment processes;
  • separation between production and non-production hives;
  • non-production hives may receive updates earlier than production hives;
  • operational review of changes before production release;
  • monitoring after release;
  • issue tracking and remediation processes.

Security and reliability are considered as part of product development, infrastructure changes, and operational improvements.

14. Supplier and vendor management

SyncHive uses selected suppliers to provide and operate the service.

We assess material suppliers based on their role, the type of data they may process, the purpose of processing, and their relevance to SyncHive's security, privacy, and operational requirements.

Material subprocessors are listed in our Subprocessor List.

Where suppliers process Customer Personal Data on our behalf, we aim to ensure appropriate contractual, security, and confidentiality protections are in place.

15. Customer security responsibilities

Security is a shared responsibility.

Customers are responsible for:

  • managing Workspace and Hive users;
  • assigning appropriate roles and permissions;
  • enabling MFA where appropriate;
  • protecting passwords, API keys, access tokens, and credentials;
  • removing users who no longer need access;
  • configuring integrations securely;
  • maintaining third-party system permissions;
  • ensuring connected systems are secure;
  • ensuring they have the right to process data through SyncHive;
  • not uploading restricted data without written approval;
  • monitoring usage, errors, outputs, and data flows;
  • validating that SyncHive is suitable for their intended use.

Customers should promptly notify SyncHive of suspected misuse, unauthorised access, security concerns, or potential vulnerabilities.

16. Vulnerability reporting

If you believe you have found a security vulnerability in SyncHive, please contact us promptly at:

privacy@synchive.com

Please include enough detail for us to understand and investigate the issue.

Do not:

  • access, modify, delete, or disclose data that does not belong to you;
  • disrupt or degrade SyncHive or third-party systems;
  • perform denial-of-service testing;
  • use automated scanning, load testing, or intrusive testing without prior written approval;
  • publicly disclose a vulnerability before we have had a reasonable opportunity to investigate and address it.

We may publish a separate vulnerability disclosure policy in the future.

17. Contact

For privacy or security questions, contact:

Meaningful Technology Ltd trading as SyncHive
Level 2, 110 Symonds Street
Grafton, Auckland 1010
New Zealand
Email: privacy@synchive.com

For general product support, use the support channels available within SyncHive or contact:

support@synchive.com

18. Changes to this page

We may update this page from time to time to reflect changes to our security practices, suppliers, infrastructure, legal documents, or product functionality.

If a change materially affects the way SyncHive protects or processes Customer Data, we will provide notice where required by our Terms of Service, Data Processing Addendum, or applicable law.

SyncHive Subprocessor List

Last updated: Jun 3, 2026

This Subprocessor List explains the third-party service providers used by Meaningful Technology Ltd trading as SyncHive to provide, secure, support, maintain, and operate SyncHive.

This list forms part of the SyncHive Data Processing Addendum.

In this document:

  • "SyncHive", "we", "us", and "our" mean Meaningful Technology Ltd trading as SyncHive.
  • "Customer" means the organisation that uses SyncHive.
  • "Customer Data" has the meaning given in the SyncHive Terms of Service.
  • "Customer Personal Data" means personal information or personal data contained in Customer Data that SyncHive processes on behalf of a Customer.
  • "Subprocessor" means a third party engaged by SyncHive to process Customer Personal Data on behalf of SyncHive in connection with the SyncHive service.

Data hosting regions

SyncHive uses Amazon Web Services to host the SyncHive platform.

Customers may choose from the following Hive data hosting regions, where region selection is available:

RegionProvider
US West (Oregon), United StatesAmazon Web Services
Asia Pacific (Sydney), AustraliaAmazon Web Services

Customer Hive Data is hosted in the region selected by the Customer.

Backups and logs relating to Hive Data remain in the selected Hive region.

Workspace-level, account-level, user, billing, authentication, administrative, support, operational, and telemetry data may be hosted or processed in AWS US West (Oregon) regardless of the selected Hive hosting region.

Current subprocessors and key service providers

Subprocessor / service providerProduct or servicePurposeData processedProcessing location
Amazon Web Services, Inc.AWS Cognito, AWS RDS, AWS ECS, and related AWS infrastructure servicesCloud hosting, authentication, compute, databases, storage, backups, logs, and production infrastructureCustomer Data, Hive Data, Workspace Data, Account Data, Usage Data, logs, authentication data, operational dataCustomer-selected Hive region for Hive Data: US West (Oregon) or Asia Pacific (Sydney). Workspace/account-level data may be processed in US West (Oregon). AWS may also process limited operational/support data in other locations as described in AWS terms.
StripeStripe payments / billing infrastructurePayment processing, payment method tokenization, billing, fraud prevention, dispute handling, payment reporting, and related payment support servicesCustomer and payment-related data, including name, email address, billing details, transaction details, payment method information/tokenized payment data, payment status, refund/dispute details, and related metadataNew Zealand account contracting via Stripe New Zealand Limited; personal data may be processed by Stripe LLC in the United States and by Stripe affiliates and sub-processors globally
Atlassian Pty Ltd / Atlassian group companiesBitbucket, ConfluenceSource code repositories, internal documentation, engineering collaboration, operational documentationOperational Data, limited Support Data or Account Data where included in internal records. Generally not Customer Data unless provided in support or operational recordsLocations used by Atlassian for its cloud services
Google LLC / Google group companiesGoogle WorkspaceEmail, calendar, documents, collaboration, business administrationAccount Data, communications, support-related information, operational documentsLocations used by Google for Google Workspace services
Freshworks Inc. / Freshworks group companiesFreshdeskCustomer support, ticketing, incident requests, access requests, change requestsAccount Data, Support Data, incident/request information, customer-provided support contentLocations used by Freshworks for Freshdesk services
AgileBits Inc. / 1Password1PasswordPassword management and secrets management for SyncHive personnel and operationsOperational credentials and secrets used to operate SyncHive. Generally not Customer DataLocations used by 1Password for its cloud services
Cloudflare, Inc.CloudflareDNS, network security, CDN, traffic routing, DDoS protection, web application protectionIP addresses, request metadata, security logs, limited Usage DataLocations used by Cloudflare's global network
Discord Inc.DiscordCommunity communication, user discussion, announcements, and informal support/community interactionUser-provided community profile information, messages, communications, and support/community content where users interact through DiscordLocations used by Discord for its services

Notes on data categories

Not every listed provider processes all categories of Customer Data.

For example:

  • AWS is the primary hosting provider and may process Customer Data and Hive Data.
  • Freshdesk may process Support Data if a Customer includes information in a support request.
  • Google Workspace may process communications and operational documents.
  • 1Password is used for operational secrets management and should not generally process Customer Data.
  • Discord is used for community and communication purposes. Customers should not share Customer Data, Restricted Data, credentials, secrets, or production incident details through Discord unless SyncHive expressly provides an approved process for doing so.

Customers should not include sensitive, regulated, payment, health, biometric, children's, government identifier, credential, or other Restricted Data in support tickets, community channels, emails, or other communications unless SyncHive has expressly approved that use in writing.

Subprocessor updates

SyncHive may update this Subprocessor List from time to time.

Where reasonably practicable, SyncHive will provide at least 14 days' notice before authorising a new material subprocessor to process Customer Personal Data.

SyncHive will notify Customers of material subprocessor changes by email.

Customers may object to a new material subprocessor within 14 days of notice by contacting SyncHive at:

privacy@synchive.com

An objection must explain the Customer's reasonable data protection grounds for objection.

SyncHive will use reasonable efforts to address the objection. If SyncHive cannot reasonably resolve the objection, the Customer may stop using the affected part of the service or terminate its subscription in accordance with the SyncHive Terms of Service and Data Processing Addendum.

SyncHive may engage or replace a subprocessor without advance notice where reasonably necessary to address a security, availability, legal, operational, or service-continuity emergency, provided that SyncHive notifies affected Customers as soon as reasonably practicable afterwards.

Contact

Questions about this Subprocessor List may be sent to:

Meaningful Technology Ltd trading as SyncHive
Level 2, 110 Symonds Street
Grafton, Auckland 1010
New Zealand
Email: privacy@synchive.com