PowerSync is SOC 2 Type 2 Audited
SOC 2 Type 2 audit reports are available to customers on the Team and Enterprise plans of PowerSync Cloud, as well as customers using the Enterprise Self-Hosted Edition.
PowerSync Cloud Security
General
- Customer data is encrypted at rest, access to that data by support staff is strictly controlled by access control mechanisms, and robust write-only logging is present across the entire stack.
- All HTTP connections are encrypted using TLS.
- Additionally, customers on our Enterprise plan can request their data to be housed in managed, isolated tenants.
- Independent third-party cybersecurity penetration testing reports are available to customers on our Enterprise plan.
AWS Private Endpoints
See Private Endpoints for connecting to your database over a private network using AWS PrivateLink. We use Private Endpoints instead of VPC peering to ensure that no other resources are exposed between VPCs.
HIPAA Compliance
PowerSync Cloud is HIPAA compliant. You can sync Protected Health Information (PHI) or electronic PHI (ePHI) using PowerSync Cloud provided that you fulfill your obligations under our shared responsibility model. Refer to our HIPAA Compliance page for details.
Client-Side Security
Refer to: Data Encryption
Security Reporting
Our Commitment
Security of our users’ data is of utmost importance at PowerSync. We welcome the disclosure of any vulnerability you may find in our product. We will treat each security report with the utmost seriousness. We commit to communicating promptly while we investigate the impact on our customers and will remediate the issue if deemed necessary. Having said that, we generally see a deluge of very low-quality reports, many of them AI-generated, and a response from our team is not guaranteed if your submission falls into this category.
We uphold the principles of Responsible Disclosure, including but not limited to:
- Make every effort to avoid accessing data of other users, and avoid disruption of our services.
- Keep within our Terms of Service.
- Avoid publicly disclosing any vulnerability until PowerSync has had reasonable time to resolve or mitigate the issue.
- Treat each report with the utmost seriousness.
- Communicate promptly, and work with you to understand and resolve the issue.
How to Report an Issue
Contact security@powersync.com with details on the issue. Include at least the following information:
- A description and severity of the issue.
- Steps to reproduce the issue.
- Any sensitive details that you may have accidentally accessed during the research.
What Reports We Are Interested In
We are interested in any reports affecting the security of our product. We are not interested in reports of:
- Common non-vulnerabilities, such as those listed here.
- Issues that are not exploitable.
- Security best practice concerns. For example, issues pertaining to password policies such as password complexity, password reuse, etc.
- Results from automated scans.
- Social engineering or phishing attacks.
- Extracting data using a compromised device or credentials.