Skip to content
SyncID Docs

Security

SyncID processes sensitive data including employee information, biometric templates, and attendance records. This guide covers the security architecture, built-in protections, and recommended hardening measures.

Security architecture

Section titled “Security architecture”

Network isolation

Section titled “Network isolation”

SyncID is designed for LAN-only deployment. All communication happens within your local network:

  • Device communication: TCP port 4370 (SyncID → devices)
  • SyncrOne API: HTTP/HTTPS over LAN
  • Database: SQL Server over LAN
  • No inbound connections from the internet are required

Data sovereignty

Section titled “Data sovereignty”
  • Biometric data (fingerprint templates, face templates) stays on devices and the local database
  • Attendance records are stored in your SQL Server instance
  • No data is transmitted to cloud services — SyncID has no cloud dependency
  • All data processing happens within your infrastructure

Built-in protections

Section titled “Built-in protections”
ProtectionDescription
Secure authenticationIndustry-standard password hashing and session management
Anti-forgery protectionProtection against cross-site request forgery on all forms
Role-based accessAdmin and User roles restrict functionality
Full audit trailAll changes tracked with who/when metadata
Anti-enumerationPassword reset does not reveal whether a user exists
Automatic retryResilience against transient connection errors
Failure isolationExternal service outages do not cascade to other functions

Hardening recommendations

Section titled “Hardening recommendations”

Authentication

Section titled “Authentication”
  1. Change the default admin password immediately after installation
  2. Enable account lockout to prevent brute-force attacks
    • Recommended: 5 attempts, 15-minute lockout window
  3. Use strong passwords — enforce minimum length of 12+ characters
  4. Limit admin accounts — grant admin role only to those who need it

Secrets management

Section titled “Secrets management”
  1. Do not share credentials — database passwords, API keys, and webhook URLs should be kept confidential
  2. Restrict file permissions on the configuration directory
  3. Rotate API keys periodically

Network security

Section titled “Network security”
  1. Restrict network access to the SyncID host:
    • Only allow connections from admin workstations and device subnets
    • Block access from general office networks if not needed
  2. Use HTTPS for the SyncID web interface
    • Configure an SSL certificate on the server
    • Enable HSTS (HTTP Strict Transport Security)
  3. Firewall rules:
    • Allow TCP 4370 only between SyncID host and device subnet
    • Allow HTTP/HTTPS only for the SyncrOne API endpoint
    • Block all other inbound connections
  4. Separate device VLAN — place attendance devices on a dedicated network segment

Database security

Section titled “Database security”
  1. Use a dedicated service account for database access (not the administrative account)
  2. Enable encrypted connections for database traffic in production
  3. Restrict database access to the SyncID application only
  4. Regular backups stored on a separate, access-controlled location

Monitoring

Section titled “Monitoring”
  1. Review the health dashboard regularly for unexpected state changes
  2. Track failed login attempts in the audit trail
  3. Set up Teams notifications for immediate alerting on health degradation

Data protection (GDPR)

Section titled “Data protection (GDPR)”

Since SyncID processes employee personal data and biometric data:

  1. Data controller: Your organization is the data controller for all data processed by SyncID
  2. Data processing agreement: If Galileo d.o.o. provides support services involving data access, a DPA should be in place
  3. Biometric data: Classified as special category data under GDPR Article 9 — ensure you have a lawful basis for processing
  4. Data minimization: Only sync employees who need device access
  5. Retention: Establish a retention policy for attendance records and audit logs
  6. Right to erasure: Ensure procedures exist for permanent data removal when legally required

Incident response

Section titled “Incident response”

If you suspect a security incident:

  1. Isolate — disconnect the SyncID host from the network if needed
  2. Assess — review audit trail and logs for unauthorized access
  3. Contain — change all passwords and API keys
  4. Recover — restore from a known-good backup if data integrity is compromised
  5. Report — notify affected parties per your organization’s incident response policy and GDPR requirements
Section titled “Related”