SyncBack is desktop software. Your backup data stays on your infrastructure. It is never transmitted to, processed by, or accessible to 2BrightSparks. We do not operate cloud infrastructure or host customer data.

At 2BrightSparks, we take the security of our software and business operations seriously. This page provides an overview of our security practices, the policies we maintain, and the compliance frameworks we follow. We believe in transparency, and we make our security documentation available so that customers and procurement teams can evaluate our practices directly.

Security Practices Overview

Secure Development

All software changes follow a defined secure development lifecycle including code review, testing (unit, integration, and regression), and staged release. Security considerations are integrated throughout the development process, with risks assessed and remediated before release.

Code Signing

All software distributed by 2BrightSparks is digitally signed. This guarantees that the software was produced by us and has not been tampered with. If signed software is modified in any way, its digital signature no longer validates.

Encryption Standards

SyncBack uses industry-standard cryptography: AES-256 for file encryption, TLS 1.2/1.3 for secure connections, and SHA-256 or stronger for integrity verification. Deprecated protocols (SSLv3, TLS 1.0) are not supported.

Customer-Controlled Keys

Encryption keys and passwords for backup encryption are managed entirely by you. SyncBack does not transmit or store your encryption keys externally. You retain full control of your data protection.

Supply Chain Security

We maintain a comprehensive inventory of all third-party components and libraries. Components are monitored for known vulnerabilities using binary analysis tools alongside manual review, and are updated or replaced when issues are discovered.

Access Control

Access to development systems, source code, and business systems is controlled using the principle of least privilege. Multi-factor authentication is enforced on all critical systems. All personnel have unique credentials.

Data Privacy & Protection

SyncBack does not access, inspect, or collect your backup data. The software transfers and encrypts files as directed by your configuration. All processing happens locally on your machine. The only personal data 2BrightSparks holds is licence and support information necessary to provide our service.

We comply with applicable data protection regulations including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). A Data Processing Addendum is available for customers who require one. For full details, please see our Privacy Statement.

Business Continuity & Incident Response

2BrightSparks maintains formal plans for both business continuity and security incident response:

  • Business Continuity & Disaster Recovery Plan — covers critical business operations, source code protection, website and distribution continuity, and customer support. The plan is tested periodically and reviewed at least annually.
  • Incident Response Plan — defines procedures for identifying, containing, eradicating, and recovering from security incidents, including roles, escalation procedures, communication protocols, and post-incident review.

Source code is stored in version control with offsite backups. Our website and distribution systems have redundancy measures in place. Internal business data is backed up using our own SyncBack software to multiple destinations including offsite and cloud storage.

Compliance & Frameworks

CSA CAIQ-Lite (Cloud Security Alliance)

2BrightSparks has completed the Consensus Assessments Initiative Questionnaire — Lite (CAIQ-Lite), based on the CSA Cloud Controls Matrix (CCM) v4. This questionnaire covers 46 controls across 16 security domains. Our overall compliance rate is 97.6% (Yes + Partial responses as a proportion of applicable controls).

Controls marked N/A reflect that SyncBack is desktop software — 2BrightSparks does not operate cloud infrastructure or host customer data.

Security Domain Yes Partial No N/A
Application & Interface Security 2 1 1
Audit Assurance & Compliance 1 1
Business Continuity 3
Change Control & Configuration 3
Cryptography & Encryption 3
Datacenter Security 1
Data Security & Privacy 5
Governance, Risk & Compliance 4
Human Resources Security 2 1
Identity & Access Management 4
Infrastructure & Virtualisation 2
Logging & Monitoring 2
Security Incident Management 3
Supply Chain Management 3
Threat & Vulnerability Management 2 1
Endpoint Management 1

The single "No" response (Audit Assurance & Compliance: AAC-01) reflects that as a small, independent software company, 2BrightSparks does not currently undergo independent third-party security audits such as SOC 2 or ISO 27001. We provide this CAIQ and our published policies as an alternative for customers evaluating our security posture.

EU Cyber Resilience Act

2BrightSparks is actively working towards compliance with the EU Cyber Resilience Act (compliance deadline: 2027). This includes implementation of a Software Bill of Materials (SBOM) for all SyncBack products, comprehensive tracking of third-party component dependencies, and ongoing monitoring of component security advisories.

A Note on SOC 2 and ISO 27001

We are sometimes asked whether 2BrightSparks holds SOC 2 or ISO 27001 certifications. As a small, independent software company, the cost of these audits is not proportionate to our size. However, we believe the documentation provided on this page (including our completed CAIQ, published security policies, and the practices described here) gives customers a transparent and substantive view of our security posture. We are happy to discuss any specific security questions directly.

Vulnerability Disclosure

If you discover a security vulnerability in any 2BrightSparks product, we encourage you to report it responsibly. Please contact us with details of the vulnerability. We will acknowledge receipt, investigate promptly, and keep you informed of our progress. We ask that you allow us reasonable time to address the issue before any public disclosure.

Security patches are prioritised and released promptly when vulnerabilities are identified. Customers on Upgrade Assurance receive updates automatically.

Policy Documents

The following documents are available for download. These may be requested as part of vendor security assessments or procurement processes.

If you have security questions not addressed by these documents, please contact us and we will be happy to assist.

Last Updated March 2026



© 2003-2026 2BrightSparks Pte. Ltd.