Trusted by Thousands Every Day

Security Basics

Your design mockups and data are unique to your account and isolated from others. Any information transmitted between your browser and the Sympli solution is transferred to over https, ensuring the security of the information in transit.


Sympli requires authentication for all application pages and resources, except for those specifically intended to be public. All authentication controls must be enforced on a trusted system, and all authentication controls fail securely. Sympli uses TLS-encrypted POST requests to transmit authentication credentials.

We enforce the following password requirements and security standards:

Single Sign-On

Sympli lets you implement Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to Sympli using their existing corporate credentials. SSO is an account-level feature available only with the Enterprise or private cloud plans.

PCI Compliance

Sympli uses Stripe for storing payment details and payments processing. Read more about Stripe’s security and PCI Compliance here.

Session Management

Each time a user signs into Sympli, they receive a new, unique authentication token. Each authentication token consists of random data to protect against brute force account credential attacks.

Sign Out

When signing out, the authentication token cookie is deleted from the client and the authentication token is invalidated on Sympli servers.

Encrypted Communication

All communication with Sympli is encrypted using Transport Layer Security (TLS) and is regularly updated to use the strongest ciphersuites and TLS configuration.

User Permissions

Sympli is designed for use cases ranging from small teams to large enterprises. You can invite users to your project or account without giving all team members the same levels of access.

User roles are available for Company, Enterprise and private cloud accounts and provide the ability to manage collaborators and apply different levels of permissions for each user. Each Sympli project can have different authorized users allowing granular control of who gets access to what project. The following list describes the user roles in the Sympli system, the access given to each role, and any other special concerns regarding those roles.


Administrators have full access to all projects. They can also add or remove other administrators. If you make someone an Administrator, they can assign themselves to any project belonging to that Account. If you demote an Administrator to any other role, they will remain on the projects they already added themselves to, but they will not be able to see or join other projects.


Users in Company, Enterprise, and private cloud plans can create, edit and upload mockups to projects. A project belongs to a root account, but the project can have multiple Project Administrators. The project creator is automatically turned into Project Administrator. Users can also create new projects and invite collaborators to the project(s) for which they are Project Administrators.


Collaborators can leave comments and upload mockups but can’t delete mockups, change sharing settings or edit projects.

These user permission levels enable customers to configure Sympli users so that they only have access to exactly what they need to collaborate on building digital products effectively.

Audit Logging

Logs are kept at all account levels for changes made to user accounts for both Sympli administrators and end users. Sympli maintains records of the following information:

This feature is currently not exposed to end users and log audit is only available by request.

Security Program

The Sympli software development lifecycle (SDLC) includes many activities to ensure security is integrated into Sympli products from the beginning:

Sympli platform clients (web, Adobe Photoshop, Adobe XD CC, Sketch, Xcode and Android Studio plugins, and API) are designed with security that, at a minimum, meets OWASP standards for software that is designed, developed, deployed and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.

Code Assesments

Sympli’s team also performs code assessments to assure that security best practices are properly embedded into the code that is developed. Code assessments include, but are not limited to:

Bug Bounty Program

Found a security vulnerability? Please contact us at

What Data We Collect

To provide the optimum experience to our customers, we collect various pieces of information. Examples of types of data that Sympli's service collects include:

Internal Access to Data

Access to Customers' information is restricted within Sympli and is authorized for the purposes of providing direct customer support, marketing or for future product enhancements (for instance, to understand how an engineering change affects a group of customers). Sympli subcontractors may have access to customer data when analyzing or maintaining infrastructure. Sensitive customer data is never shared with anyone outside of Sympli and its subcontractors.

Read more about handling of personal data on Policy page.

Sympli takes the safety and security of your information seriously. We have implemented employee access controls that protect your information from unauthorized use:

Network Security

Sympli regularly updates network architecture schema and maintains an understanding of the data flows between its systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.

Host Security

All hosts run antivirus software that is kept up to date with security patches.

Incident Response

Sympli has a Security Incident Response Plan designed to quickly and systematically respond to security incidents that may arise. The incident response plan is tested and refined on a regular basis.

Disaster Recovery

Sympli's infrastructure is designed to provide the best experience and to minimize service interruption due to hardware failure, natural disaster, or other catastrophes. Features include:

Data Deletion

Sympli will work with the customer if they should request the deletion of all their account data and content. Upon cancellation of Sympli’s service, a customer may request to have their deleted within 30 days of the subscription ending. Sympli may amend this policy in its sole discretion by posting an update to this policy.