Trust Centre

Built for enterprise procurement

Cyntech serves regulated clients across renewables and oil & gas in South Africa, the EU, UK and United States. This page is our living record of how we secure and govern the data you trust us with.

Controls

Security posture

Technical and organisational measures aligned to ISO 27001 Annex A, NIST CSF 2.0 and IEC 62443 for our energy-sector exposure.

Encryption

TLS 1.2+ in transit, AES-256 at rest for managed storage and database.

Access control

Role-based access (RBAC) at database and application layer; mandatory MFA on admin accounts.

Tenancy

Row-level security on all multi-tenant tables; per-tenant scoped access policies.

Audit logging

Administrative actions, auth events and data exports logged with retention.

Data residency

Primary data hosted in EU region with documented chain of access from South Africa operations.

Vulnerability management

Continuous dependency scanning, scheduled pen-tests, coordinated disclosure programme.

Regulatory map

Compliance by jurisdiction

How we meet obligations across our home jurisdiction and client regions.

South Africa
  • POPIA — Information Officer registered
  • PAIA manual on request
  • Cybercrimes Act incident-reporting playbook
  • ECT Act electronic contracting
EU / UK
  • GDPR + UK GDPR processor obligations
  • 2021 SCCs Module 2 in DPA
  • UK IDTA / Addendum B.1.0
  • NIS2 / DORA flow-down ready
United States
  • CCPA / CPRA processor terms
  • CIRCIA incident-reporting workflow
  • State breach-notification matrix
Energy & O&G
  • IEC 62443 control-system security alignment
  • ISO 27019 energy-sector controls (roadmap)
  • IOGP 627 / 645 alignment
  • TSA / NERC CIP flow-down ready

Sub-processors

Authorised sub-processors

Updated as engagements change. Existing customers receive 30 days' notice of additions or replacements.

Sub-processor | Purpose | Location | Transfer mechanism
Supabase (managed Postgres, Auth, Storage) | Primary application database, authentication, file storage | EU (Ireland) / customer-elected region | SCCs Module 2 + UK Addendum
Cloudflare | Edge compute, DNS, DDoS mitigation, TLS termination | Global edge | SCCs Module 2 + UK Addendum
Resend | Transactional email delivery (invites, password resets, notifications) | United States / EU | SCCs Module 2 + UK Addendum
Lovable Cloud | Application hosting and deployment pipeline | Global edge | SCCs Module 2 + UK Addendum
Stripe (if billing enabled) | Card payment processing for subscription billing | United States / EU / UK | SCCs Module 2 + UK Addendum + PCI DSS L1

Last reviewed: 5 June 2026. To subscribe to sub-processor change notifications, email privacy@cyntech.co.za.

Certifications

Roadmap to attestation

We document what we already do today, what is in flight, and what we are building toward — no green-washing of certifications we have not earned.

Now
  • RLS-enforced multi-tenant DB
  • MFA on admin accounts
  • Encrypted backups
  • Vulnerability disclosure policy
  • DPA template available
12 months
  • ISO 27001:2022 certification
  • ISO 27701 privacy extension
  • SOC 2 Type II report
24 months
  • ISO 27019 energy-sector controls
  • IEC 62443-2-4 alignment
  • Independent penetration test cadence

Procurement

Working with our security team

Vendor questionnaires & due diligence

We respond to SIG, CAIQ and bespoke security questionnaires. Typical turnaround is 5 business days for an initial draft.

security@cyntech.co.za

Privacy & DPA negotiations

Our Information Officer handles DPA execution, sub-processor objections and data-subject request flow-downs.

privacy@cyntech.co.za

See also our Privacy Policy, POPIA Notice, PAIA Manual, Incident Response, E-Signature Notice, Cookie Policy and Terms of Use.