Security Updates
Last updated June 25, 2026
A running log of the security and privacy improvements we ship to Syncpen. We keep adding to it. It's written in plain language; if you'd like more technical detail on any item, email security@syncpen.io.
June 2026
- Scoped API keys. API keys can now be limited to least privilege — for example, read-only, or write without the ability to publish or delete — so an integration only gets the access it actually needs.
- Safer handling of captured content. Content saved through the Web Clipper or email-to-inbox is now clearly marked as untrusted when an AI agent reads it, so automated tools treat it as data and don't act on instructions hidden inside it.
- API rate limiting. Programmatic write and publish actions are rate-limited to bound runaway or abusive usage.
- Hardened background-job authentication. Scheduled jobs now require a properly configured secret and reject misconfigured requests.
- Stronger HTTP security headers. Added HTTPS enforcement (HSTS), clickjacking protection, MIME-sniffing protection, and a referrer policy across the site.
- Private share links kept out of search. Documents shared by link are excluded from search-engine indexing.
- Clearer, accurate security claims. We reviewed and corrected our public security descriptions so they match exactly what the product does.
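To check the "Stronger HTTP security headers" item from the outside, here is an added example (not Syncpen's code) that audits one response's headers for the four protections that entry names. The sample headers are constructed, and the 180-day HSTS threshold is an assumption, not a value from this page.

```python
import re

# Referrer policies that still send the full URL to other origins.
WEAK_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}

def audit_security_headers(headers, min_hsts_age=15552000):
    """Return {protection: bool} for HSTS, clickjacking, MIME sniffing, referrer.

    min_hsts_age (180 days, in seconds) is an assumed threshold.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # HSTS only counts with a long enough max-age; max-age=0 switches it off.
    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    hsts_ok = bool(m) and int(m.group(1)) >= min_hsts_age

    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN, or CSP frame-ancestors
    # with no wildcard or bare scheme. ALLOW-FROM is obsolete and not accepted.
    xfo_ok = h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
    sources = None
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() for p in parts[1:]]
            break
    csp_ok = bool(sources) and not any(s == "*" or s.endswith(":") for s in sources)

    nosniff_ok = h.get("x-content-type-options", "").lower() == "nosniff"

    # Referrer-Policy may list fallbacks; this check judges the last token.
    policies = [p.strip().lower() for p in h.get("referrer-policy", "").split(",") if p.strip()]
    referrer_ok = bool(policies) and policies[-1] not in WEAK_REFERRER

    return {"hsts": hsts_ok, "clickjacking": xfo_ok or csp_ok,
            "mime_sniffing": nosniff_ok, "referrer_policy": referrer_ok}

def missing_protections(headers):
    """Names of the protections that are absent or weakly configured."""
    return sorted(k for k, ok in audit_security_headers(headers).items() if not ok)

# Constructed sample responses, not captured from any real site.
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin"}
WEAK = {"strict-transport-security": "max-age=0",
        "X-Frame-Options": "ALLOW-FROM https://example.com",
        "X-Content-Type-Options": "sniff",
        "Referrer-Policy": "no-referrer, unsafe-url"}

if __name__ == "__main__":
    print("good:", missing_protections(GOOD))
    print("weak:", missing_protections(WEAK))
```

Header names are matched case-insensitively, so the same function works on headers copied from curl output or from a browser's network panel.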
Reporting a vulnerability
If you discover a security issue or have a concern about our practices, email security@syncpen.io. We take every report seriously and respond promptly. For how we protect your data more broadly, see our Trust Architecture.