Security

How we protect your data and what you should know about our security practices.

Authentication

Synchronise uses Microsoft Azure Active Directory (Azure AD) for authentication via OAuth 2.0. We do not store your Microsoft password. When you sign in, you authenticate directly with Microsoft, and we receive an authorization token that allows us to access Power BI data on your behalf.

Authentication is handled by Supabase Auth, which manages session tokens and refresh tokens. Your refresh token is stored encrypted at rest in our database to allow continued access to your Power BI workspace without requiring you to re-authenticate for each session.

Sessions expire after a period of inactivity. You can revoke access at any time by disconnecting your Microsoft account in Settings or revoking the app from your Azure AD portal.

Data Handling

What we store:

  • Your email address and name (from your Microsoft account)
  • Your workspace and dataset selections
  • Schema metadata (table names, column names, measure definitions) from your Power BI semantic model
  • Generated presentation slides and their visual configurations
  • Encrypted refresh tokens for your Microsoft connection

What we do not store:

  • Your actual Power BI data values (these are queried in real time and processed in memory)
  • Raw CSV file contents (processed in memory during your session, not persisted)
  • Your Microsoft password

When you upload a CSV file, we process it in memory to generate insights. The file contents are not saved to our database. When you query Power BI data, we execute DAX queries against your semantic model and process the results in memory to generate slides.

Third-Party Services

Synchronise integrates with the following third-party services:

  • Microsoft Azure AD: Authentication and Power BI API access
  • Microsoft Power BI REST API: Querying your semantic models and datasets
  • Supabase: Database hosting and authentication infrastructure
  • Anthropic Claude API: AI-powered analysis of your data schema and sample rows to generate insights
  • Vercel: Application hosting

When using our AI analysis features, we send schema metadata (table and column names) and sample data rows to Anthropic's Claude API. We send samples, not your complete dataset. Anthropic processes this data to generate insights and does not retain it after processing (see Anthropic's terms of service for their data handling policies).

Infrastructure

Our application is hosted on Vercel. Our database is hosted on Supabase, which provides:

  • Data encrypted at rest using AES-256
  • Data encrypted in transit using TLS 1.2+
  • Row-level security (RLS) policies ensuring users can only access their own data
  • Automatic backups

All API communication uses HTTPS. Access tokens are stored in server-side session memory, not in your browser's local storage.

Access Controls

Every database table has row-level security (RLS) enabled, with policies that restrict each user to reading and writing their own data. There is no mechanism for one user to access another user's presentations, connections, or cached schemas.

All API endpoints require authentication. Unauthenticated requests are rejected with a 401 error.

Your Rights

You can:

  • Disconnect your Microsoft account at any time, which revokes our access to your Power BI data
  • Delete your account and all associated data by contacting us
  • Request an export of the data we store about you

Questions

If you have questions about our security practices, contact us at security@synchronise.ai.

Last updated: March 2026