Security Updates

Last updated June 25, 2026

A running log of the security and privacy improvements we ship to Syncpen. We keep adding to it. It's written in plain language; if you'd like more technical detail on any item, email security@syncpen.io.

June 2026

  • Scoped API keys. API keys can now be limited to least privilege — for example, read-only, or write without the ability to publish or delete — so an integration only gets the access it actually needs.
  • Safer handling of captured content. Content saved through the Web Clipper or email-to-inbox is now clearly marked as untrusted when an AI agent reads it, so automated tools treat it as data and don't act on instructions hidden inside it.
  • API rate limiting. Programmatic write and publish actions are rate-limited to bound runaway or abusive usage.
  • Hardened background-job authentication. Scheduled jobs now require a properly configured secret and reject misconfigured requests.
  • Stronger HTTP security headers. Added HTTPS enforcement (HSTS), clickjacking protection, MIME-sniffing protection, and a referrer policy across the site.
  • Private share links kept out of search. Documents shared by link are excluded from search-engine indexing.
  • Clearer, accurate security claims. We reviewed and corrected our public security descriptions so they match exactly what the product does.

Reporting a vulnerability

If you discover a security issue or have a concern about our practices, email security@syncpen.io. We take every report seriously and respond promptly. For how we protect your data more broadly, see our Trust Architecture.