How Syllabi handles your training content, protects your data, and keeps your organization's information private.
When you upload a PDF, Word document, or PowerPoint file, Syllabi processes it entirely in server memory. The raw file is parsed, the text is extracted, and the file buffer is discarded immediately: it is never written to disk, never saved to a database, and never uploaded to any cloud storage.
What Syllabi retains is the generated course content â the modules, assessments, and learning objectives that were built from your document. The source document itself leaves no trace after processing.
Every course, module, learner record, and assessment in Syllabi is scoped to a specific organization account. Every database row is tied to an organization ID, and reads and writes are scoped to the organization of the authenticated session, so no user or organization can access another organization's content.
Role-based access control (RBAC) further restricts access within your organization: admins, L&D managers, compliance officers, and learners each see only what their role allows. Invitations are required to join an organization; there is no way to discover or access other tenants' data.
| Data Type | Scoped To | Status |
|---|---|---|
| Generated courses | Your organization account | Isolated |
| Learner progress & scores | Your organization account | Isolated |
| Compliance records | Your organization account | Isolated |
| Learning paths | Your organization account | Isolated |
| Member roster | Your organization account | Isolated |
Syllabi uses the Anthropic Claude and OpenAI APIs to generate course content. Both providers operate under API terms that explicitly prohibit using API inputs for model training.
Your documents and the text extracted from them are sent to these APIs only to generate your course; this is the one point at which the document's text leaves Syllabi's own servers. The providers do not retain it for training purposes, and it is not used to improve Syllabi's own models. What you upload stays private to your organization.
All data exchanged between your browser and Syllabi travels over HTTPS (TLS 1.2 or newer). This includes document uploads, course generation requests, API calls, and learner activity. Requests over plain HTTP are redirected to HTTPS.
Data stored in the database (courses, learner records, assessments, compliance data) is protected at rest by Neon Postgres's managed encryption. Authentication tokens are JWTs signed with a server-side secret and expire after 7 days.
| Layer | Protection | Status |
|---|---|---|
| Browser → Server | HTTPS / TLS 1.2+ | Active |
| Server → AI APIs | HTTPS / TLS | Active |
| Database at rest | Neon managed encryption | Active |
| Auth tokens | JWT, signed + expiring (7 days) | Active |
Access to your organization's data is gated by two layers of control: authentication (proving who you are) and authorization (confirming what you're allowed to do).
Authentication uses passwordless magic links: there is no password to phish and no password database to breach, so the mailbox that receives the link becomes the trust anchor for the account. Authorization uses RBAC with six distinct roles, each with narrowly scoped permissions. The principal roles are:
| Role | Access Scope |
|---|---|
| Org Admin | Full org management, member roles, all content |
| L&D Manager | Course generation, learning paths, analytics |
| Compliance Officer | Completion records, audit exports, certificates |
| Learner | Own course assignments and progress only |
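The two controls described above (rows tied to an organization ID, and roles that narrow what a member can see within that organization) are shown together in the following added example. It is illustrative code written for this page, not Syllabi's implementation: the role names, permission strings, and the in-memory "courses" rows are constructed for the example, and the parameterized query shape assumes a node-postgres-style client.

```javascript
// Added example, not Syllabi's code: tenant scoping plus a role check over a
// constructed in-memory "courses" table. Role names, permission strings and the
// sample rows are assumptions for illustration.
const ROLE_PERMISSIONS = {
  org_admin:          new Set(['course:read', 'course:generate', 'member:manage', 'compliance:export']),
  ld_manager:         new Set(['course:read', 'course:generate', 'analytics:read']),
  compliance_officer: new Set(['course:read', 'compliance:export']),
  learner:            new Set(['course:read:assigned']),
};

// Constructed sample rows for two tenants.
const COURSES = [
  { id: 101, orgId: 'org_a', title: 'Forklift safety',     assignedTo: ['u1'] },
  { id: 102, orgId: 'org_a', title: 'Cold chain handling', assignedTo: [] },
  { id: 201, orgId: 'org_b', title: 'HIPAA basics',        assignedTo: ['u9'] },
];

// VULNERABLE pattern: looks a course up by id alone. Any authenticated user who
// guesses an id reads another tenant's row (an IDOR).
function getCourseUnscoped(courseId) {
  return COURSES.find(c => c.id === courseId) || null;
}

// Role check: admins, managers and compliance officers read any course in their
// org; learners only the courses assigned to them.
function canReadCourse(session, row) {
  const perms = ROLE_PERMISSIONS[session.role] || new Set();
  if (perms.has('course:read')) return true;
  if (perms.has('course:read:assigned')) return row.assignedTo.includes(session.userId);
  return false;
}

// HARDENED pattern: the org id comes from the verified session, never from the
// request, and a cross-tenant id is indistinguishable from a missing one.
function getCourseForSession(session, courseId) {
  const row = COURSES.find(c => c.id === courseId && c.orgId === session.orgId);
  if (!row || !canReadCourse(session, row)) return null;
  return row;
}

function listCoursesForSession(session) {
  return COURSES.filter(c => c.orgId === session.orgId && canReadCourse(session, c));
}

// The same predicate as a parameterized Postgres query, shaped for a client
// such as node-postgres (assumed): org_id is bound from the session every time.
function scopedCourseQuery(session, courseId) {
  return {
    text: 'SELECT id, org_id, title FROM courses WHERE id = $1 AND org_id = $2',
    values: [courseId, session.orgId],
  };
}
```

The point to check in any multi-tenant code review is where `orgId` comes from: in the hardened lookup it is read from the verified session and appended to every predicate, so a request that names another tenant's row simply gets "not found", and the role check runs only on rows that already passed the tenant filter.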
Syllabi engineering staff does not access your organization's course content or learner data in normal operations. Access for support purposes (e.g., debugging a reported issue) requires explicit escalation and is not routine.
Generated courses are private by default. They are accessible only to authenticated members of your organization with appropriate roles.
Shareable public links, which allow anyone with the link to view a course, are an optional feature and must be explicitly enabled by your organization's L&D Manager or Admin. Treat such a link as a bearer credential: anyone who obtains it, whether by forwarding or from a browser history or log, can view the course until it is revoked. Public links can be revoked at any time, which immediately cuts off access for all external viewers.
Syllabi runs on managed cloud providers rather than its own hardware or data centers. The SOC 2 attestations below belong to those providers; Syllabi's own SOC 2 Type II report is tracked in the roadmap that follows.
- Application hosting: SOC 2 Type II certified provider. Automatic TLS provisioning, DDoS protection, and isolated compute per service.
- Managed PostgreSQL database (Neon): data encrypted at rest, automatic backups, SOC 2 Type II compliant infrastructure.
- AI course generation (Anthropic, OpenAI): enterprise API terms; API inputs are not used for model training and are deleted after processing.
- Source code repository: code changes require review before deployment; production deploys are gated and auditable.
We're honest about where we are. Here is the current status of compliance features, including what is planned but not yet live:
| Feature | Status |
|---|---|
| SOC 2 Type II certification | Coming soon |
| HIPAA Business Associate Agreement (BAA) | Live (sign at /baa) |
| Data Processing Agreement (DPA) for GDPR | Live (sign at /dpa) |
| Audit log for admin actions | Live |
| SSO / SAML integration | Coming soon |
| Configurable data retention policies | Coming soon |
If a specific compliance requirement is blocking your evaluation, email us â we may be further along than this list suggests, or can accelerate what you need.
Healthcare, manufacturing, supply chain: we've seen the questionnaires. Send us yours and we'll respond with honest answers.
Contact Security Team