We treat data protection and privacy with the utmost importance. We apply stringent privacy and protection measures at application architecture level, right through to business process and policy level to secure and safeguard your data, and that of your clients.

Synnch is entrusted with confidential data and commercially sensitive IP and we take this responsibility extremely seriously. Understanding the intricacies of IT security, this document outlines our commitment to keeping your data secure. Please see an overview below or download our detailed information security framework.

User Authentication

Multi-factor Authentication

Yes (Google Authenticator or other 2FA app)

Customisable Password Policies


Restricted Access

Yes (Role Based)


Access, create, delete, change, login.



Yes (at rest and in transit)

Sanitisation and Verification

Yes (preventing XSS, injection etc. attacks)



Port 80 forward to 443


Yes (HTTPS enforced)


Prevention of XFrames, cross-origin security etc.


Traffic is controlled and blocked



Yes (only using encrypted APIs)



Yes (ongoing patching and updates)


Synnch uses a distributed and redundant cloud application architecture to deliver the highest uptime and availability possible, even in the event of a natural disaster of other significant even affecting public and private infrastructure. Details on our business continuity planning, including data recovery and other key items are outlined below.



Single system backup every 24 hours

< 24 hours (to be restored within business hours)

Synnch has a global scope and works with international clients. GDPR from the European Union is a key consideration for the team at Synnch.

Lawful Basis and Transparency

What information we collect?

Name, email address, general information about the company you work for, phone number, along with data about your company's R&D activities.

Data Security


Only data from individuals essential to providing the Synnch service is collected. This is limited to name, email address and phone number.

Data Protection by Design and by Default

Synnch is developed with proactive data protection, privacy and security in mind. Data by default is encrypted, minimised, essential in nature, and protected behind user roles and access permissions in the system.

Encrypt, pseudonymize, or anonymize personal data wherever possible.

Data is encrypted at rest and in transit within the Synnch platform, and is also encrypted when interacting with third party APIs, such as Xero.

Create an internal security policy for your team members, and build awareness about data protection.

Synnch follows strict security and privacy policies. Synnch employs multiple person approval mechanisms, MFA, password complexity, and encryption to ensure the risk of accidental or malicious data breaches.

Know when to conduct a data protection impact assessment, and have a process in place to carry it out.

The Synnch DIPA can be accessed here.

Have a process in place to notify the authorities and your data subjects in the event of a data breach.

As an Australian company, the Synnch policies and procedures align with the Australian Privacy Principals and Notifiable Data Breach framework. This also maps onto the GDPR notification process and Synnch adheres to all notification requirements in the event of a data breach.

Accountability and Governance

Designate someone responsible for ensuring GDPR compliance across your organization.

Adam Stead, Chief Technology Officer - adam@synnch.com.au

Does Synnch sign a data processing agreement between your organization and any third parties that process personal data on your behalf?


If your organization is outside the EU, appoint a representative within one of the EU member states.


Appoint a Data Protection Officer (if necessary)

Adam Stead, Chief Technology Officer - adam@synnch.com.au

Privacy Rights

It's easy for your customers to request and receive all the information you have about them.


It's easy for your customers to correct or update inaccurate or incomplete information.


It's easy for your customers to request to have their personal data deleted.


It's easy for your customers to ask you to stop processing their data.


It's easy for your customers to request and receive all the information you have about them.


It's easy for your customers to receive a copy of their personal data in a format that can be easily transferred to another company.


If you make decisions about people based on automated processes, you have a procedure to protect their rights.

As an Australian company, Synnch closely follows the Australian Privacy Principals and Notifiable Data Breach requirements.


Open and transparent management of personal information

Synnch collects your name, email address and other contact details relevant to your relationship with your employer. We do not collect sensitive personal information about you as an individual. You can see the Synnch privacy policy here


Anonymity and pseudonymity

Synnch users have the ability to edit their Synnch user profile, including name.


Collection of solicited personal information

Synnch collects your information in a lawful and fair way, limited to your name, role, contact details and other information about you as it relates to the company you work for.


Dealing with unsolicited personal information

In the unlikely event that Synnch receives unsolicited information about an individual, it does not store, share or use that information. It is not retained in the Synnch system as Synnch requires only a limited and narrow scope of information in order to verify and authorise your use of Synnch on behalf of your company.


Notification of the collection of personal information

You can contact us at hello@synnch.com.au to enquire about the personal information collected. We collect your name and phone number, along with your email address and other data related to the company you work for. This data is collected for the purpose of verifying your identity and permissions to use the Synnch software on behalf of your employer.


Use or disclosure of personal information

Synnch may use or disclose your information to authorised third parties. These include integration partners, such as Xero, to enable features in the Synnch software.


Direct marketing

From time to time Synnch may use your information to send your marketing or communications, such as software update notifications to your email address.


Cross-border disclosure of personal information

Synnch takes care to ensure any third parties your data is disclosed to have robust privacy and data protection policies, and further comply with the APPS. This data is only disclosed for the purposes of providing the services offered by the Synnch platform.


Adoption, use or disclosure of government related identifiers

Synnch does not collect or store government related identifiers.

APP 10

Quality of personal information

Synnch encourages regular and accurate updates of personal information with users able to edit their user profile at any time in the Synnch platform.

APP 11

Security of personal information

Synnch uses robust and sophisticated data protection methodologies and technologies in the Synnch application architecture. Your data is encrypted at rest and in transit, all user accounts require MFA and you can read more about data protection in the Security tab. If you require your personal information deleted or de-identified you can do so using your Synnch login or by email, contacting hello@synnch.com.au

APP 12

Access to personal information

Synnch users are able to see and access all personal information stored about them in the Synnch platform by navigating their user profile.

APP 12

Correction of personal information

Synnch users can update their information by navigating to their user profile in the Synnch platform, or by emailing hello@synnch.com.au

Notifiable Data Breach

Our role and responsibilities

Synnch takes great care in securing your data. In the unlikely event a data breach occurs Synnch commits to investigate, re-secure and notify possibly affected parties of a data breach within the NDB requirements and timelines.