Skip to content
Synaptyx
Get started
Control, audit & compliance for AI coding agentsMulti-tenant control plane for AI coding agents

See, control, and prove everything your AI coding agents do - without handing us your keys.

Run AI coding agents at company scale - without handing us your keys.

Enrol your machines, give every team its own AI coding sessions, and keep a signed, tamper-proof record of each one. Your keys and data stay yours - we can't read them.

Enrol your hosts, spawn agent sessions per team, and watch every transcript - end-to-end encrypted with keys we cannot decrypt.

Request access
Request access
Claude Code · Codex · OpenCode +4 SOC 2 Type II · in progress Your keys, end to end Signed audit trail
The status quo

AI coding agents at scale expose three things nobody planned for.

You shipped agents to engineering. Compliance, finance, and your CISO want answers now. Synaptyx has them - without a new stack.

"My team uses coding agents but I have no audit trail."

A record you can hand an auditor. Every action your team's AI takes is logged and signed - you can prove exactly who did what, with no gaps.

Audit signing chain. Every event Ed25519-signed, hash-chained, and verifiable by anyone with your public key.

"One API key per vendor, shared across the whole org."

Per-team access and budgets. Each team gets its own locked access and a spending cap, so one leaked key or a runaway bill can't hit the whole company.

Per-team key, per-team budget. Each team gets its own wrapped key, live burn-rate per team, user, and repo, plus a hard USD cap that stops spend on breach.

"Compliance asked for proof we don't leak prompts."

Your data stays yours. Prompts and transcripts are stored so only your own team can read them - not us, not anyone else.

Your keys. Your data. Never ours. Every prompt and transcript is locked with your team's own key. We store only unreadable data - lose your key and even we can't recover it.

Regulation is closing in

Built for the rules bearing down on your AI usage.

The EU Cyber Resilience Act, NIS2, SOC 2, and ISO 27001 all demand the same things: proof of who did what, controls you can show an auditor, and data you actually keep. Synaptyx hands you the evidence - not another policy PDF.

EU CRA

Signed, tamper-proof records of every AI session - the audit trail the Cyber Resilience Act expects.

NIS2

Access control, isolation, and incident-ready logs for the systems NIS2 puts in scope.

SOC 2

Audit-ready evidence for the trust criteria (SOC 2 Type II in progress).

ISO 27001

Key management, encryption, and access records that map to Annex A controls.

GDPR

Your keys, your data - prompts stored as unreadable ciphertext, never processed in the clear by us.

Synaptyx provides technical controls and audit evidence to support these frameworks. It is not itself a certification; certification remains yours to obtain. SOC 2 Type II is in progress.

Capabilities

Everything you need to run AI safely - and prove it.

Everything a platform team needs to ship AI coding agents safely.

Complete audit trail

Audit signing chain

A tamper-proof log of every action, so you can show an auditor exactly who did what - with no gaps.

Ed25519 signs every audit row. Tamper-evident hash chain. Verify any range cryptographically against your public per-company key.

Learn more

Feeds your security tools

SIEM push

Sends a signed record of activity straight into the security tools your team already uses.

Stream signed audit events to Splunk, Datadog, Elastic, Microsoft Sentinel, or S3 WORM. mTLS + JWT, retry with backoff.

Learn more
SAMPLE
{
  "class_uid": 3002,
  "activity_name": "Create",
  "actor": { "user": "dev@example.com" },
  "signature": "ed25519:3f9a…c21b"
}

Enterprise sign-on

SSO + SCIM

People sign in with your existing company login; access is granted and revoked automatically.

OIDC login from Okta, Azure AD, Google. Optional SCIM 2.0 for full user lifecycle. JIT-provision groups on first login.

Learn more

Cost control and caps

Budgets & cost ledger

See spend per team in real time and set hard limits, so AI costs never surprise you.

Per-team, per-user, per-repo cost visibility with real-time burn-rate. Token cost attributed to the exact prompt. Seat limits plus configurable USD caps that hard-stop, notify, or warn on breach.

Learn more
SAMPLE

See exactly what happened

Session replay

Play back any session step by step to review what the AI actually did.

xterm-accurate playback with scrubber, bookmarks, lazy keyframes. Your full retention window at your fingertips.

Learn more
SAMPLE
$ fix csrf middleware in /api/auth
⚙ Read api/auth/csrf.go
⚙ Edit api/auth/csrf.go (+12 −4)
⚙ Bash $ go test ./api/auth/...
✓ Tests pass · 4 tests, 8 assertions

Runs on your own infrastructure

Air-gapped install

Install and run it entirely inside your own network - even fully offline, with no data leaving.

Signed mega-tarball. Customer-supplied license JWS. Caddy internal CA. Optional offline update server, polled - never push.

Learn more

Repeatable AI workflows

Agent workflows

Build repeatable multi-step AI tasks your team can run and watch, kept isolated per team.

Wire agent and exec steps into a DAG, validate it, run it, and watch the run record live. Starter templates and a visual canvas. Isolated per team; node timeout sends SIGTERM.

Learn more

Locked down by default

Sandbox / egress isolation

Optionally run AI sessions in a sealed environment that can't send your data out to the internet.

Opt-in per-company policy to run agent sessions in an isolated network namespace (netns). Egress is denied by default, so an agent can't exfiltrate over the network. Default off.

Learn more
How it works

Four moves from install to governed fleet.

  1. Enrol hosts

    Daemon over mTLS, one-time approval, TOFU pin.

    The daemon enrols over mTLS by default. One-time approval mints a per-host token, and TOFU cert pinning locks in the host's identity from the first handshake.

    curl -fsSL synaptyx.cloud/install | sh
    daemon enrolled · mTLS pinned
    session live · cost tracking on
  2. Spawn per team

    Any backend, per-team isolation, admins manage - don't snoop.

    Team members spawn agent sessions on any backend, scoped to their team. Row-level security isolates every row, so admins manage access - they don't snoop on your prompts.

    SAMPLE
    teamsessionstatus
    payments-apicl-9832live
    payments-apicl-9840live
    ◐ other teams' rows — RLS-hidden from this admin
  3. Watch + replay

    Live xterm stream, frame-by-frame replay, permission events.

    Watch sessions live over an xterm stream, then scrub frame-by-frame in replay with bookmarks. Every permission event lands as a marker on the timeline.

    SAMPLE
    $ deploy hotfix to prod-backend-eu
    ⚙ permission requested: bash write
    ✓ approved by admin · 00:42
    ⚙ Bash $ kubectl rollout restart
  4. Prove + bill

    Signed audit to SIEM, per-repo USD attribution, hard caps.

    Every action is signed and pushed straight to your SIEM. Per-repo USD attribution and hard spend caps land before the invoice does.

    SAMPLE
    {
      "class_uid": 3002,
      "sink": "splunk-prod",
      "repo": "monorepo/api",
      "signature": "ed25519:9c2f…7ab1"
    }

Hosted SaaS, or self-host the signed mega-bundle air-gapped - same binary, your hardware.

Walkthrough

Five views from the operator console.

The portal is what your platform team lives in. An interactive preview of the operator console.

Active users
24
Active hosts
9
Live sessions
4
This month spend
$7,554
Hosts under your control plane
One pane of glass - every host, every session, every audit signature, every dollar.
Security posture

Three things you can actually verify.

Not "we promise". Cryptographic proof. Auditable cryptography. Self-hostable when your auditor demands it.

You hold the keys

  • BYOK end-to-end encryption
  • Argon2id passphrase → master key
  • Optional WebAuthn auto-unlock
  • Zero-knowledge: lose passphrase = lose data
  • Per-team key wrap, no operator escrow

We sign everything

  • Per-company Ed25519 audit chain
  • Tamper-evident row hash chain
  • Public per-company pubkey endpoint
  • SIEM push with mTLS + JWT
  • Cryptographically signed releases

Air-gap if you want

  • Self-hosted signed mega-tarball
  • Customer-supplied license JWS
  • Caddy internal CA bootstrap
  • Update server polled, never push
  • Zero third-party telemetry - the control plane phones nothing home
SAMPLE

Verify it yourself

A real 5-row sample audit chain, embedded right in this page. Recompute every SHA-256 hash, check every Ed25519 signature - live, in your browser, right now.

tseventprev_hashhashsigstatus
2026-06-30T09:12:04Zsession.spawn00000000…0000001fc9478e…d23310OyglWI4l…HbCQ==
2026-06-30T09:14:51Zpermission.approved1fc9478e…d23310f51cd7d3…62b875DJELgYNW…mFBQ==
2026-06-30T09:21:37Zsecret.accessf51cd7d3…62b8750951657e…440f92kkygR5aa…eyBA==
2026-06-30T09:44:02Zpolicy.updated0951657e…440f925fd659a7…20aa98e4dkZY5U…lkCA==
2026-06-30T10:03:19Zsession.closed5fd659a7…20aa9899022532…b4952fMFUtvbrJ…6vCw==

Not verified yet - press Verify chain.

Honest comparison

If you've evaluated alternatives, here's how we line up.

Anthropic ConsoleSynaptyx
Per-team budgets◐ org only
Audit signing chain (Ed25519)
SIEM push
Self-host air-gapped
BYOK end-to-end encryptionN/A
Session replay (xterm)
SCIM 2.0 provisioning
Source-available
Time to first agenthours< 5 min
Who this is for

Built for the three people who answer for your AI tooling.

Security & compliance

You answer to auditors for CRA, NIS2, SOC 2 and ISO 27001. You need cryptographic evidence, not policy PDFs. SIEM streams that prove a negative.

Give your auditors proof, not promises.

Request access
Request access

No obligation - a 30-minute walkthrough. Your keys, your data, and signed evidence for your auditors.

Okta · Entra SSO Splunk · Sentinel SIEM Self-hosted GitLab