- ISO 27001
- SOC 2 Type II
- GDPR (General Data Protection Regulation)
- HIPAA BAA (Health Insurance Portability and Accountability Act - Business Associate Agreement)
- CCPA (California Consumer Privacy Act)
Synology maintains formal ISO/IEC 27001:2022 certification for its corporate operations, validated through rigorous independent audits. This certification confirms that Synology has established and maintains a comprehensive information security management system (ISMS), designed to protect the confidentiality, integrity, and availability (CIA) of data.
For its cloud services, Synology works with third-party colocation data centers that maintain ISO 27001–certified facilities, ensuring that physical infrastructure and facility-level security controls are managed in accordance with internationally recognized information security standards.
Maintaining this standard makes security governance an ongoing, systematic process rather than a one-time exercise: the ISMS is subject to recurring surveillance and recertification audits, giving clients independently verified assurance of how their information is managed.
Beyond the protection of personal information, Synology upholds a fundamental commitment to user data sovereignty. Synology does not access, use, or process data stored by users on their hardware appliances or cloud. Our systems are designed to ensure that digital assets remain exclusively under user control, protected by an architecture that prioritizes absolute autonomy and ownership.
Synology hardware appliances and applicable cloud services provide the technical capabilities needed to build a HIPAA-compliant environment, including access controls, data integrity protections, and audit logging. Responsibility for regulatory compliance ultimately rests with the covered entity (or business associate) that deploys them; Synology solutions serve as a foundation on which users can configure and operate their infrastructure in line with HIPAA's administrative, physical, and technical safeguards.
- Physical security of data centers and C2 cloud infrastructure.
- Maintenance and patching of hardware, OS, firmware, and software packages.
- Secure cryptographic modules for data at rest and in transit.
- Implementation of access control and strong password policies.
- Configuration of network security, firewalls, and VPNs.
- Management of user data lifecycle and privacy requests.
- C2 OneStorage
- C2 Storage for Hyper Backup
- C2 Storage for Hybrid Share
- C2 Identity
- C2 Object Storage
- C2 Backup for Business
- C2 Backup for Surveillance
Synology and its C2 colocation data center facilities across Europe, APAC, and the United States have obtained ISO 27001 certification, one of the most widely recognized international standards for information security management systems. In addition, the U.S. data centers are also SOC 2 Type II certified, demonstrating the implementation of stringent security controls and operational processes to ensure the protection of user data. Furthermore, Synology processes payment information in accordance with the PCI DSS standard and handles the processing and storage of billing data through a PCI Level 1 Service Provider.
Yes. BAAs are currently available for C2 Object Storage, C2 OneStorage, C2 Backup for Business, C2 Backup for Surveillance, C2 Identity and Active Insight. Requests can be filed through the request audit reports link above. A representative will contact you to confirm the details and supply a digital copy of the agreement for you to sign.
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the US Congress in 1996. The rules issued under it by the Department of Health and Human Services set standards for the permitted use and disclosure of protected health information (PHI), including electronic protected health information (ePHI). Covered entities (such as healthcare providers, health plans, and clearinghouses) and their business associates must meet requirements aimed at ensuring the privacy and security of any PHI they create, receive, maintain, or transmit.
The HIPAA regulations are commonly grouped into five rules, each laying out different requirements for compliance:
- Privacy Rule: How, when, and under what circumstances PHI (in any form) may be used and disclosed
- Security Rule: Administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of ePHI
- Omnibus Rule: Integration of the HITECH Act's provisions into HIPAA, strengthening protection of PHI and making business associates directly liable for compliance
- Breach Notification Rule: Obligations to notify affected individuals, HHS, and in some cases the media following a breach of unsecured PHI
- Enforcement Rule: Procedures for compliance investigations and the civil money penalties that may be imposed for HIPAA violations
Over the years, the requirements have been integrated and expanded in response to technological advancements in healthcare and other industries.
A no-view architecture means a Cloud Service Provider (CSP) stores and maintains encrypted data such as ePHI on behalf of a client without ever holding the decryption key. Data is encrypted on the client side before it leaves the customer's environment, and the key is generated and kept there. The backend handles the state of the stored objects (uploads, versions, integrity checks, deletion) on ciphertext alone, and transport security such as TLS protects data in motion, but at no point does the provider receive the key or a decrypted copy of the content. Whatever the provider's staff or a compromised backend can see is therefore ciphertext only.
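The split of roles described above, modelled as an added Go example. This is illustration code written for this page, not Synology's or C2's implementation, and it says nothing about how any C2 service is built. The `Provider`, `Client`, and `ProviderCanRead` names are hypothetical, and the patient record is constructed sample data. The client encrypts with AES-256-GCM under a key it generates itself; the provider only ever stores, versions, and integrity-checks opaque blobs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Version is one immutable ciphertext version held by the provider.
type Version struct {
	Blob   []byte // nonce || AES-GCM ciphertext || tag; opaque to the provider
	Digest string // SHA-256 of Blob, so integrity can be checked without any key
}

// Provider is the CSP side of a no-view design: storage and versioning, no key.
type Provider struct {
	objects map[string][]Version
}

func NewProvider() *Provider { return &Provider{objects: make(map[string][]Version)} }

// Put records a new version of an object and returns its index. This is the
// backend "state transition": it needs only the ciphertext bytes.
func (p *Provider) Put(objectID string, blob []byte) int {
	sum := sha256.Sum256(blob)
	v := Version{Blob: append([]byte(nil), blob...), Digest: hex.EncodeToString(sum[:])}
	p.objects[objectID] = append(p.objects[objectID], v)
	return len(p.objects[objectID]) - 1
}

// Get returns a stored version after re-verifying its digest (tamper/bit-rot check).
func (p *Provider) Get(objectID string, version int) ([]byte, error) {
	vs, ok := p.objects[objectID]
	if !ok || version < 0 || version >= len(vs) {
		return nil, errors.New("no such object version")
	}
	sum := sha256.Sum256(vs[version].Blob)
	if hex.EncodeToString(sum[:]) != vs[version].Digest {
		return nil, errors.New("stored blob failed integrity check")
	}
	return vs[version].Blob, nil
}

// Client owns the data encryption key; it is never handed to the Provider.
type Client struct{ aead cipher.AEAD }

func NewClient(key []byte) (*Client, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{aead: aead}, nil
}

// Upload encrypts locally, then sends only ciphertext to the provider. The object
// ID is bound as associated data so a blob cannot be swapped between objects.
func (c *Client) Upload(p *Provider, objectID string, plaintext []byte) (int, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return 0, err
	}
	return p.Put(objectID, c.aead.Seal(nonce, nonce, plaintext, []byte(objectID))), nil
}

// Download fetches a version and decrypts it with the client-held key.
func (c *Client) Download(p *Provider, objectID string, version int) ([]byte, error) {
	blob, err := p.Get(objectID, version)
	if err != nil {
		return nil, err
	}
	ns := c.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return c.aead.Open(nil, blob[:ns], blob[ns:], []byte(objectID))
}

// ProviderCanRead models a curious or compromised provider: it scans what it
// stores for the plaintext and tries to decrypt with a key of its own choosing.
func ProviderCanRead(p *Provider, objectID string, version int, plaintext []byte) bool {
	blob, err := p.Get(objectID, version)
	if err != nil || bytes.Contains(blob, plaintext) {
		return err == nil
	}
	guess, _ := NewClient(make([]byte, 32)) // provider's own (wrong) key
	_, err = guess.Download(p, objectID, version)
	return err == nil // GCM authentication fails, so the provider learns nothing
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	c, _ := NewClient(key)
	p := NewProvider()
	record := []byte("patient: J. Doe; dx: hypertension") // constructed sample ePHI
	v, _ := c.Upload(p, "chart-0001", record)
	back, _ := c.Download(p, "chart-0001", v)
	fmt.Printf("round trip ok: %v, provider can read: %v\n",
		bytes.Equal(back, record), ProviderCanRead(p, "chart-0001", v, record))
}
```

The point to take from the model is where the key lives: `NewClient` is the only place it is used, and `Provider` has no method that accepts one. Versioning and integrity checking still work on the provider side, which is what lets a backend run a storage or backup service without ever being able to read the contents it holds. A real deployment still has to solve key management on the client side, since a lost key means unrecoverable data.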