LogoSyncally
Pricing
LogoSyncally
Syncally Goes Enterprise: SSO, Audit Logs, RBAC, and SOC 2
Now/Product Updates

Syncally Goes Enterprise: SSO, Audit Logs, RBAC, and SOC 2

Kumar Kislay•Jan 24, 2026

Syncally Goes Enterprise: SSO, Audit Logs, RBAC, and SOC 2

TL;DR: Syncally now supports enterprise-grade security and compliance: SSO (SAML & OIDC), comprehensive audit logs, advanced RBAC with custom roles, API keys for automation, and SOC 2 Type II certification in progress. Mid-market engineering teams (20-200 developers) no longer have to choose between AI innovation and enterprise compliance.

Why We Built Enterprise Features

Engineering teams with 20-200 developers have unique needs:

  • Team-level knowledge graphs that connect code, meetings, and tasks across the entire organization
  • Enterprise compliance with SSO, audit logs, and granular access control
  • Accessible pricing that doesn't require a six-figure annual contract

Over the past 12 weeks, we've transformed Syncally from a productivity tool to an enterprise-ready platform. Here's everything we shipped.

What We Shipped

1. Single Sign-On (SSO)

What it does: Centralized authentication through your identity provider.

Supported protocols:

  • OIDC (Google Workspace, Okta, Azure AD, Auth0, OneLogin)
  • SAML 2.0 (legacy enterprise systems)

Key features:

  • Auto-provisioning (JIT user creation)
  • Domain verification (restrict to company emails)
  • Enforce SSO mode (disable password login)
  • Test connection before going live

Setup time:

  • Google Workspace: 5 minutes
  • Okta/Azure AD: 10 minutes

Why it matters: SSO is the #1 requirement for enterprise security teams. Centralized authentication means better security, easier onboarding, and instant offboarding when team members leave.

2. Comprehensive Audit Logs

What it tracks: Every significant action in your organization (30+ event types).

Event categories:

  • Authentication: Login, logout, SSO, failed attempts
  • Organization: Settings changes, member management, role updates
  • Projects: Creation, updates, deletion, access
  • Data: Meeting uploads, exports, deletions
  • Security: SSO config, API keys, permission changes

For each event, we log:

  • Actor (who performed the action)
  • Timestamp (when it happened)
  • IP address (where it came from)
  • User agent (what device/browser)
  • Metadata (specific details of the action)

Storage & access:

  • 90-day retention (customizable for Enterprise)
  • Export to CSV (SIEM integration ready)
  • Filterable by date, actor, action type, resource
  • Sub-5ms write latency (doesn't slow down your app)

Why it matters: Audit logs are foundational for SOC 2, GDPR, ISO 27001, and every enterprise security questionnaire. They answer: "Can you prove who accessed what and when?"

3. Advanced RBAC (Role-Based Access Control)

Built-in roles:

  • Owner: Full organization control
  • Admin: Day-to-day management (can't delete org or transfer ownership)
  • Member: Standard project access

Custom roles:

Enterprise teams can create custom roles with granular permissions:

Permission categories:

  • Organization: Read, update, delete, manage members, manage billing
  • Projects: Create, read, update, delete
  • Meetings: Create, read, delete
  • Tasks: Create, read, update, delete
  • Enterprise: SSO management, audit log access, audit log export, role management, API key management

Example custom roles:

  • Security Team: audit:read + audit:export only
  • Contractors: project:read, no org settings
  • Team Leads: project:_ + task:_ + team member invites
  • Viewers: read-only across everything

Why it matters: Different teams have different security requirements. Generic roles don't work for complex organizations. Custom RBAC lets security teams implement least-privilege access control without restricting productivity.

4. API Keys for Automation

What they enable: Programmatic access to Syncally for CI/CD, scripts, and integrations.

Security features:

  • SHA-256 hashed storage (never stored in plaintext)
  • Prefix identification (sk_live_...)
  • One-time reveal (shown only at creation)
  • Scoped permissions (read:projects, write:tasks, etc.)
  • IP allowlisting (optional)
  • Rate limiting (1000 req/hr default)

Usage tracking:

  • Last used timestamp
  • Total usage count
  • Revocation audit trail

Why it matters: Modern engineering teams automate everything. API keys let you integrate Syncally into your build pipeline, deployment scripts, and custom tools—securely.

5. Enterprise Documentation

We created 11 comprehensive guides:

SSO Guides:

  • Overview & protocol comparison
  • Generic SAML setup
  • Okta integration walkthrough
  • Azure AD (Microsoft Entra) setup
  • Google Workspace configuration

Security Documentation:

  • Audit logs reference
  • RBAC permission matrix
  • API key best practices

Compliance:

  • SOC 2 status & controls
  • GDPR compliance framework

Why it matters: Enterprise customers need documentation for their security teams, IT departments, and compliance auditors. Good docs accelerate procurement cycles.

6. SOC 2 Type II (In Progress)

Current status: Gap analysis complete, observation period in progress.

What we've implemented:

  • ✅ Security headers (CSP, HSTS, X-Frame-Options)
  • ✅ Comprehensive audit logging
  • ✅ Access controls (SSO, RBAC, MFA support)
  • ✅ Encryption (TLS 1.3 in transit, AES-256 at rest)
  • ✅ API key management
  • 🔄 Vulnerability scanning (Snyk)
  • 🔄 Penetration testing (annual schedule)
  • 🔄 Incident response plan
  • 🔄 Business continuity plan

Target certification: Q3 2026

Why it matters: SOC 2 is the de facto standard for B2B SaaS security. It demonstrates that your data is handled with enterprise-grade care.

The Technical Deep Dive

How We Built SSO in 2 Weeks

Week 1: OIDC First

We prioritized OIDC over SAML because:

  1. Modern standard: JSON-based, easier to implement
  2. Broader coverage: One OIDC implementation works for Google, Okta, Azure AD, Auth0, OneLogin
  3. Easier testing: Free tiers available (Auth0, Google)

Implementation:

// Discover OIDC provider automatically
const issuer = await Issuer.discover(config.oidcIssuerUrl);
 
// Create client
const client = new issuer.Client({
  client_id: config.oidcClientId,
  client_secret: config.oidcClientSecret,
  redirect_uris: [`${APP_URL}/api/auth/sso/oidc/callback`],
});
 
// Handle callback
const tokenSet = await client.callback(redirectUri, { code });
const userinfo = await client.userinfo(tokenSet.access_token);
 
// Provision user
if (autoProvision) {
  user = await provisionUser(userinfo);
}

Week 2: SAML for Legacy

SAML is more complex (XML-based) but required for some enterprises:

// Configure SAML strategy
const saml = new SAML({
  callbackUrl: `${APP_URL}/api/auth/sso/saml/callback`,
  entryPoint: config.samlSsoUrl,
  issuer: config.samlEntityId,
  cert: config.samlCertificate,
  wantAuthnResponseSigned: true,
});
 
// Validate response
const profile = await saml.validatePostResponseAsync({
  SAMLResponse: samlResponse,
});

Result: Google Workspace users can set up SSO in 5 minutes. Okta/Azure users in 10 minutes.

Audit Log Architecture

Requirements:

  1. Sub-5ms write latency (can't slow down app)
  2. Filterable queries (date, actor, action, resource)
  3. Exportable (CSV for SIEM integration)
  4. Retention policies (90 days default, customizable)

Implementation:

// Service interface
await auditLogService.log({
  action: "USER_LOGIN_SSO",
  actorId: user.id,
  actorEmail: user.email,
  resourceType: "USER",
  resourceId: user.id,
  organizationId: org.id,
  metadata: { provider: "SAML", nameId: profile.nameID },
  ipAddress: req.headers.get("x-forwarded-for"),
  userAgent: req.headers.get("user-agent"),
});

Database schema:

model AuditLog {
  id        String   @id @default(cuid())
  createdAt DateTime @default(now())
 
  action        AuditAction  // Enum of 40+ actions
  actorId       String
  actorEmail    String
  resourceType  ResourceType
  resourceId    String
  resourceName  String?
  organizationId String
 
  metadata     Json?
  ipAddress    String?
  userAgent    String?
 
  @@index([organizationId, createdAt])
  @@index([action])
  @@index([actorId])
}

Performance: Write operations are async (fire-and-forget). Queries use composite indexes.

RBAC Implementation

Hybrid approach:

  1. Built-in roles stored in enum (fast, type-safe)
  2. Custom roles stored in database (flexible, enterprise)
  3. Permission checking normalized (same API for both)
// Check permission (works for both built-in and custom roles)
const allowed = await rbacService.hasPermission(
  userId,
  organizationId,
  "project:delete",
);
 
if (!allowed) {
  throw new TRPCError({ code: "FORBIDDEN" });
}

Permission string format: {resource}:{action}

Examples:

  • org:update
  • project:delete
  • audit:export
  • sso:manage

Performance: Permission checks are cached per-request. Average check time: under 2ms.

Pricing

Community Edition (Coming Q2 2026)

  • Free, self-hosted
  • Task management, meetings, basic search
  • No AI features (separate codebase)

Pro ($14/user/month)

  • Everything in Community
  • AI-powered semantic search
  • Knowledge graph
  • Meeting intelligence
  • Q&A engine ("Ask")

Enterprise ($34/user/month)

  • Everything in Pro
  • SSO (SAML & OIDC)
  • Audit logs with CSV export
  • Advanced RBAC with custom roles
  • API keys for automation
  • Priority support
  • SOC 2 compliance

What's Next

Q1 2026 (Now)

  • ✅ SSO live
  • ✅ Audit logs live
  • ✅ RBAC live
  • ✅ API keys live
  • 🔄 SOC 2 observation period

Q2 2026

  • Syncally Community Edition
  • SOC 2 Type II certification
  • Expanded SSO providers (Generic SAML)
  • Advanced audit log analytics

Q3 2026

  • ISO 27001 certification
  • Data residency options (EU region)
  • Custom retention policies
  • SCIM provisioning

Q4 2026

  • HIPAA compliance assessment
  • Advanced threat detection
  • Custom integrations API

Try Enterprise Features

Existing customers: Enterprise features are available now. Email us at [email protected] to enable them for your organization.

New customers: Start your 14-day free trial to explore all features, or contact sales for a personalized demo.

Community: Join the waitlist for Syncally Community Edition launching Q2 2026 at syncally.app/community.

Summary

Syncally now offers everything mid-market engineering teams need for enterprise compliance:

  • SSO with SAML 2.0 and OIDC support
  • Audit logs tracking 30+ event types with CSV export
  • Advanced RBAC with custom roles and 25+ granular permissions
  • API keys with scoped permissions and rate limiting
  • SOC 2 Type II certification in progress (Q3 2026)

All of this while maintaining the AI-powered features that make Syncally unique: semantic codebase search, meeting intelligence, and the knowledge graph that connects everything your team works on.

Try Syncally Free | Contact Sales | View Security Page

Related Articles

Product Guide

What is Syncally? The Complete Guide to AI-Powered Engineering Knowledge Management

Syncally is an AI-powered platform that unifies your codebase, meetings, and tasks into a searchable knowledge graph. Learn about all features, integrations, pricing, and how it solves engineering knowledge fragmentation.

Jan 22, 2026•20 min read
Product Comparison

Syncally vs Notion: Which is Better for Engineering Teams?

Notion is great for general documentation, but engineering teams need more than a wiki. Compare Syncally and Notion to see which tool actually solves the engineering knowledge problem.

Jan 20, 2026•6 min read
Engineering

Building a Brain for Code: Vector DBs vs. Knowledge Graphs

Should you use vector databases or knowledge graphs for your AI-powered dev tools? We break down the engineering tradeoffs and explain why we chose a hybrid architecture to solve engineering context at Syncally.

Jan 26, 2026•16 min read
Logo
Syncally

Cross‑context AI that connects codebases, meeting decisions, and task history, cutting onboarding from weeks to days and preventing knowledge loss.

Product

Codebase Q&AMeeting SummarizerTask ManagementKnowledge GraphPricing

Integrations

GitHubSlackDiscordGoogle CalendarView All →

Enterprise

Contact SalesSecurity & ComplianceBlogSecurity Center

Legal

Privacy PolicyTerms of ServiceDPAContact Us

© 2026 Syncally, Inc. All rights reserved.

AES-256 EncryptionGDPR CompliantSOC 2 Type II (In Progress)