Sinaptic® AI

ISO 27001 — Information Security Management

Effective: April 2026 · TOV «Sinaptic AI» / Sinaptic AI LLC · Diia.City Resident

1. Information Security Management System Commitment

TOV «Sinaptic AI» (“Sinaptic”) recognizes that information security is fundamental to the trust our clients place in our AI-powered products and services. As a provider of cybersecurity solutions — including Browser DLP, Sinaptic AI Intent Firewall®, and Sinaptic® DROID+ — we hold ourselves to the highest standards of information security practice.

Sinaptic is committed to establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS) aligned with the requirements of ISO/IEC 27001:2022. Our ISMS is designed to:

  • Protect the confidentiality, integrity, and availability of information assets, including customer data, proprietary technology, and operational systems.
  • Meet the information security expectations and requirements of our clients, partners, regulators, and other stakeholders.
  • Ensure compliance with applicable legal, regulatory, and contractual requirements related to information security.
  • Support the business objectives of Sinaptic while managing information security risks to acceptable levels.
  • Foster a culture of security awareness and responsibility across the organization.

2. Scope

The scope of Sinaptic’s ISMS encompasses all products, services, and supporting processes operated by Sinaptic, including:

  • Products: Browser DLP, Sinaptic AI Intent Firewall®, Sinaptic® DROID+, and any future products developed by Sinaptic.
  • Services: Product deployment, configuration, technical support, consulting, and managed services provided to enterprise clients.
  • Infrastructure: Cloud environments, development and staging systems, internal corporate IT infrastructure, and physical office premises.
  • Personnel: All employees, contractors, and third-party service providers who access Sinaptic information assets or operate within the scope of the ISMS.
  • Data: Customer data processed through our products, Sinaptic proprietary data (including source code, algorithms, and business intelligence), employee personal data, and operational data.

The ISMS applies to all locations from which Sinaptic operates, including our headquarters in Kyiv, Ukraine, remote workstations of distributed team members, and any third-party facilities utilized in the delivery of our services.

3. Information Security Policy

Sinaptic’s Information Security Policy is the cornerstone of our ISMS. The policy establishes the following principles:

  1. Confidentiality: Information shall be accessible only to those authorized to have access. Access is granted on the principle of least privilege and on a need-to-know basis.
  2. Integrity: The accuracy and completeness of information and processing methods shall be safeguarded. Changes to information assets follow defined change management procedures.
  3. Availability: Authorized users shall have access to information and associated assets when required. Business continuity and disaster recovery plans are maintained and tested.
  4. Compliance: All applicable legal, statutory, regulatory, and contractual requirements relating to information security shall be identified, documented, and maintained.
  5. Risk-Based Approach: Information security decisions are informed by a systematic risk assessment process that considers the likelihood and impact of threats and vulnerabilities.

4. Risk Assessment Approach

Sinaptic employs a systematic, documented risk assessment methodology to identify, analyze, evaluate, and treat information security risks:

4.1 Risk Identification

We identify risks through asset inventory analysis, threat intelligence, vulnerability assessments, penetration testing results, incident post-mortems, and input from internal and external stakeholders. Risks are catalogued in a centralized risk register maintained by the Information Security team.

4.2 Risk Analysis and Evaluation

Each identified risk is analyzed for likelihood and impact using a standardized scoring methodology. Risks are evaluated against Sinaptic’s risk appetite criteria, which are approved by senior management and reviewed annually. Risks exceeding acceptable thresholds are prioritized for treatment.

4.3 Risk Treatment

For each risk requiring treatment, we select appropriate risk treatment options: mitigate (implement controls), transfer (via insurance or contractual allocation), avoid (cease the activity), or accept (within defined risk appetite). Treatment plans are documented, assigned to risk owners, and tracked through implementation.

4.4 Risk Review

The risk register is reviewed quarterly, or more frequently in response to significant changes, incidents, or new threat intelligence. A comprehensive risk assessment is conducted annually as part of the ISMS management review cycle.

5. Control Objectives — Annex A Highlights

Sinaptic has implemented controls across the domains defined in ISO 27001:2022 Annex A. The following highlights key areas:

5.1 Organizational Controls (A.5)

  • Information security policies are documented, approved by management, published, and communicated to all relevant parties.
  • Roles and responsibilities for information security are clearly defined and assigned.
  • Threat intelligence is collected and analyzed to inform proactive security measures.
  • Information security is integrated into project management processes.

5.2 People Controls (A.6)

  • Background verification checks are performed for all personnel prior to commencement of employment, in accordance with applicable laws.
  • All employees and contractors sign confidentiality and non-disclosure agreements.
  • Information security awareness, education, and training programs are conducted regularly, with mandatory completion tracked and documented.
  • A disciplinary process exists for personnel who commit information security violations.

5.3 Physical Controls (A.7)

  • Physical access to offices and sensitive areas is restricted through electronic access controls and visitor management procedures.
  • Equipment is protected from environmental threats, power failures, and unauthorized access.
  • Secure disposal procedures are in place for storage media containing sensitive information.

5.4 Technological Controls (A.8)

  • Access to systems and data is controlled through role-based access control (RBAC), multi-factor authentication (MFA), and the principle of least privilege.
  • All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Vulnerability management processes include regular scanning, patch management, and penetration testing.
  • Secure development lifecycle (SDLC) practices include code review, static and dynamic analysis, dependency scanning, and secure coding standards.
  • Logging and monitoring systems provide real-time visibility into security events, with automated alerting for suspicious activities.
  • Network security is enforced through segmentation, firewalls, intrusion detection/prevention systems, and DDoS protection.
  • Backup and recovery procedures are documented, tested, and aligned with defined recovery time and recovery point objectives.

6. Information Security Incident Management

Sinaptic maintains a formal information security incident management process that includes:

  • Detection and Reporting: Automated monitoring systems and a clear incident reporting procedure (available to all personnel) ensure rapid detection and escalation of security events.
  • Assessment and Classification: Incidents are classified by severity (critical, high, medium, low) based on impact to confidentiality, integrity, and availability.
  • Response: An incident response team is on-call 24/7 for critical incidents, with defined playbooks for common incident types.
  • Communication: Affected stakeholders, including clients, regulators, and data protection authorities, are notified in accordance with contractual and legal requirements.
  • Post-Incident Review: Every significant incident undergoes a blameless post-mortem to identify root causes and implement preventive measures.

7. Business Continuity

Sinaptic maintains business continuity plans that ensure the availability of critical services during adverse events. These plans are based on a business impact analysis that identifies critical processes and recovery priorities. Plans are tested at least annually through tabletop exercises and, where feasible, live failover drills. Our cloud-native architecture with multi-region deployment capability supports rapid recovery and geographic redundancy.

8. Continuous Improvement

Sinaptic is committed to the continual improvement of its ISMS through:

  • Internal Audits: Regular internal audits assess the conformity of the ISMS with ISO 27001 requirements and the effectiveness of implemented controls.
  • Management Reviews: Senior management reviews the ISMS at planned intervals (at least annually) to assess its continuing suitability, adequacy, effectiveness, and alignment with organizational strategy.
  • Corrective Actions: Nonconformities identified through audits, incidents, or monitoring trigger formal corrective action processes.
  • Metrics and KPIs: Information security performance is measured through defined metrics and key performance indicators, reported to management, and used to drive improvement.
  • External Benchmarking: We benchmark our security practices against industry standards, peer organizations, and evolving threat landscapes.

9. Certification Roadmap

Sinaptic is progressing toward formal ISO/IEC 27001:2022 certification through the following roadmap:

  1. Phase 1 — Foundation (Completed): Established the ISMS framework, defined scope, conducted initial risk assessment, implemented baseline controls, and appointed the Information Security team.
  2. Phase 2 — Implementation (In Progress): Full implementation of Annex A controls, documentation of all policies and procedures, deployment of monitoring and measurement systems, and staff training programs.
  3. Phase 3 — Internal Audit: Comprehensive internal audit cycle to assess ISMS maturity and identify gaps prior to external certification audit.
  4. Phase 4 — External Certification Audit: Engagement of an accredited certification body to conduct Stage 1 (documentation review) and Stage 2 (on-site assessment) certification audits.
  5. Phase 5 — Maintenance: Ongoing surveillance audits, recertification cycles, and continuous improvement to maintain certification.

Request Compliance Information

For questions about our information security practices or ISO 27001 certification progress, contact us at hello@sinaptic.ai.