Security & Trust
Last updated: April 2026
This page summarises the security, privacy, and operational practices that protect customer data on the CasinoSync platform. It is intended to support vendor due-diligence and procurement reviews. For questions not covered here, contact security@casinosync.io.
1. Platform Summary
CasinoSync is a B2B SaaS platform serving the European iGaming industry, operated by Sync Technology Limited, a company incorporated in Malta. The platform connects game providers with casino operators through a multi-tenant web application that manages game catalogues, brand configurations, certifications, and compliance data.
- Legal entity: Sync Technology Limited (Malta)
- Primary region: European Union
- Hosting: Railway (containerised deployment)
- Database: Managed PostgreSQL with automated backups
- File storage: Cloudflare R2 (S3-compatible object storage)
- Email delivery: Resend
2. Hosting & Infrastructure
- Containerised deployment. All application code runs in immutable Docker containers on Railway, built reproducibly from a versioned Dockerfile and deployed through an audited CI pipeline.
- Environment isolation. Production and staging environments are fully isolated — separate databases, separate object storage, separate secrets, separate domains.
- Managed PostgreSQL with automated daily backups and point-in-time recovery.
- TLS everywhere. All public traffic is served over HTTPS; HTTP requests are automatically redirected.
- HSTS enabled with a one-year max-age, includeSubDomains, and HSTS preload eligibility.
3. Data Isolation (Multi-Tenancy)
CasinoSync enforces tenant isolation at the application layer using a hierarchical access model: Platform → Operator → Brand → Configuration.
- Every request to a tenant-scoped resource passes through a centralised authorisation layer that validates the tenant relationship before the view executes.
- Direct object references (e.g. brand IDs in URLs) are always re-validated against the authenticated user's tenant — they are never trusted as authorisation tokens.
- Provider portal data is scoped to the authenticated provider on every query; one provider cannot read another provider's data.
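The following is an added illustration of the tenant check described in this section; it is not CasinoSync's code. It models the Platform → Operator → Brand → Configuration hierarchy with small dataclasses and an in-memory table, both constructed for the example, and shows why an ID taken from a URL is resolved and compared against the session's operator rather than trusted on its own.

```python
"""Tenant-scoped authorisation check modelled on the hierarchy described
above (Platform -> Operator -> Brand -> Configuration).

Added illustration, not CasinoSync's own code. The dataclasses, the
in-memory BRANDS/CONFIGS tables and the sample users are constructed for
the example; a real deployment would resolve them from the database.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a resource is unknown or outside the caller's tenant."""


@dataclass(frozen=True)
class User:
    user_id: str
    operator_id: str      # tenant the session is bound to
    role: str             # one of "view", "edit", "manage"


@dataclass(frozen=True)
class Brand:
    brand_id: str
    operator_id: str


@dataclass(frozen=True)
class Configuration:
    config_id: str
    brand_id: str


# Constructed sample data: two operators, each owning one brand and one config.
BRANDS = {
    "brand-a1": Brand("brand-a1", "op-a"),
    "brand-b1": Brand("brand-b1", "op-b"),
}
CONFIGS = {
    "cfg-a1": Configuration("cfg-a1", "brand-a1"),
    "cfg-b1": Configuration("cfg-b1", "brand-b1"),
}
ALICE = User("alice", "op-a", "view")
BOB = User("bob", "op-b", "manage")

ROLE_RANK = {"view": 0, "edit": 1, "manage": 2}


def require_role(user: User, needed: str) -> None:
    """Permission levels are ordered: manage implies edit implies view."""
    if ROLE_RANK.get(user.role, -1) < ROLE_RANK[needed]:
        raise Forbidden(f"permission level {needed!r} required")


def authorise_brand(user: User, brand_id: str, needed: str = "view") -> Brand:
    """Resolve a brand ID taken from a URL and prove it belongs to the
    caller's operator. The ID is never treated as proof of access; an
    unknown ID and another operator's ID both raise the same Forbidden so
    the response does not reveal whether the brand exists."""
    require_role(user, needed)
    brand = BRANDS.get(brand_id)
    if brand is None or brand.operator_id != user.operator_id:
        raise Forbidden("brand not in tenant")
    return brand


def authorise_configuration(user: User, config_id: str,
                            needed: str = "view") -> Configuration:
    """Walk the hierarchy upward (configuration -> brand -> operator) so a
    leaf object is only released once its whole parent chain is validated."""
    cfg = CONFIGS.get(config_id)
    if cfg is None:
        raise Forbidden("configuration not in tenant")
    authorise_brand(user, cfg.brand_id, needed)
    return cfg


def can_access(user: User, kind: str, resource_id: str,
               needed: str = "view") -> bool:
    """Boolean wrapper used by the checks below; a view would let Forbidden
    propagate and map it to a 403 or 404 response."""
    resolver = authorise_brand if kind == "brand" else authorise_configuration
    try:
        resolver(user, resource_id, needed)
        return True
    except Forbidden:
        return False
```

The check runs before any data is returned, and a missing object and a foreign object produce the same outcome, so the response does not act as an existence oracle across tenants.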
4. Authentication & Session Management
- Password authentication using PBKDF2 with SHA-256 (OWASP-recommended).
- Session cookies are HTTP-only, SameSite=Lax, and marked Secure in production.
- One-hour idle session timeout, with sessions terminated on browser close.
- Inactivity warning at 30 minutes; sign-out at 60 minutes.
- CSRF protection on every state-changing request.
- Role-based access control with three permission levels (view, edit, manage).
5. Encryption
- In transit: TLS 1.2+ for all external and internal traffic.
- At rest: AES-256 for database storage and Cloudflare R2 object storage.
- Passwords: hashed with PBKDF2-SHA256 and per-user salt; never stored in plain text.
- Secrets: stored as platform environment variables; no credentials in source control.
6. Application Security Controls
- Content Security Policy (CSP) restricting script and resource origins.
- X-Frame-Options: DENY to prevent clickjacking; X-Content-Type-Options: nosniff, strict Referrer-Policy, Cross-Origin-Opener-Policy.
- Rate limiting on authentication and sensitive endpoints.
- SQL injection prevented through parameterised ORM queries.
- File-upload validation (content-type and size); uploads stored in object storage.
- CORS restricted to a fixed allowlist of trusted origins per environment.
7. Monitoring, Logging & Incident Response
- Error monitoring: Sentry, in real time.
- Uptime monitoring: Better Stack, with alerting on downtime.
- Security audit log for authentication events, permission checks, and sensitive operations.
- Incident response: all production incidents are triaged immediately; customers materially affected by an incident impacting their data are notified without undue delay.
8. Data Protection & Privacy (GDPR)
CasinoSync processes personal data under the EU GDPR.
- Lawful basis: contractual necessity for platform users; no marketing data collected without consent.
- Data minimisation: only data required for platform functionality is collected.
- Data residency: processing within the European Union.
- Data subject rights: access, rectification, export, and deletion requests honoured within statutory timeframes.
- Data Processing Agreement (DPA): available on request for all customers.
- Sub-processors: a current list (Railway, Cloudflare, Resend, Sentry, Better Stack, and Anthropic for opt-in AI features) is available on request.
9. Backups & Business Continuity
- Daily automated database backups with point-in-time recovery.
- Cloudflare R2 provides 99.999999999% (eleven nines) annual object durability.
- Stateless application tier — application servers hold no persistent state, allowing rapid redeployment from container images.
- Recovery objectives: RPO ≤ 24 hours, RTO ≤ 4 hours under normal conditions.
10. Secure Development Lifecycle
- All code managed in Git with mandatory pull-request review before merge to production branches.
- Automated linting, static analysis, and tests on every change.
- Third-party dependencies are pinned and reviewed before introduction.
- Production deployments gated by explicit approval; staging used for validation.
- Periodic internal security reviews of authentication, authorisation, input handling, and dependencies.
11. Customer Responsibilities (Shared Model)
Security is a shared responsibility. Customers should:
- Use strong, unique passwords.
- Promptly remove access for users who leave their organisation.
- Restrict the manage permission level to users who genuinely require it.
- Report suspected security issues to security@casinosync.io without delay.
12. Reporting a Security Issue
If you believe you have identified a security vulnerability in CasinoSync, please contact security@casinosync.io with a description of the issue, steps to reproduce where possible, and your contact details for follow-up. We acknowledge reports within two business days and keep you informed of progress to resolution. We do not take legal action against good-faith security researchers who follow responsible disclosure practices.
See also our machine-readable contact at /.well-known/security.txt (RFC 9116).
13. Roadmap
The following are on our security roadmap and not yet generally available:
- Independent third-party penetration testing.
- SOC 2 Type I readiness assessment.
- Single Sign-On (SSO) via SAML / OIDC for enterprise customers.
- Two-Factor Authentication (2FA) for all users.
This page describes the CasinoSync platform as of the date above and may be updated as the platform evolves. It is provided for informational purposes and does not modify any contractual agreement between Sync Technology Limited and its customers.