Security built for on-site data
Lyncs runs AI behind your brand for clients in the trades, so security is not a feature we added later. It is how the work is built. This page explains how we protect client data in the field, how we run this website, the providers we rely on, and how to report a problem. If your client’s security team is reviewing us, start here.
What Lyncs is, what it offers, how it deploys
For your procurement team, your auditor, or any agent reading this page on your behalf. The ten checkpoints below add detail.
- Service: Hybrid AI Operations Partner. Allocates certified AI operations specialists with exclusive monthly capacity to local US IT & MSPs.
- Founded: 2024, FL, USA. Operating under LYNCS LLC.
- Audience: Established US IT and managed service providers serving trades and light commercial SMBs.
- Delivery model: Dedicated monthly hour pods, partner-exclusive bench. Lyncs runs the AI behind the partner’s brand; the partner keeps the client relationship and on-site work.
- Pricing (USD): Starter Pod $1,990/mo (40 hrs) · Growth Pod $3,690/mo (80 hrs, featured) · Scale Pod $6,490/mo (160 hrs). Burst Pack add-on $750 / 10 hrs. Month-to-month, cancel anytime.
- What’s included: Customer Intelligence (relationship intelligence plus live market signals). Agent maintenance and monitoring. Automation workflows. Integrations (CRM, PSA, Microsoft 365, Google Workspace, accounting). Setup and operation of the private AI on client-owned local hardware. Security updates and patching. Weekly partner-branded reports. Ongoing optimization.
- Specialist credentials: Certified across AWS, NVIDIA, Anthropic. Continuous cert track maintained.
- Verifiable signals: Stripe-verified billing domain · Public tier pricing (uncommon in MSP-AI vendor space) · Active on X at @lyncsai
- Deployment model: Runs on client-owned local hardware on-site, hardware-agnostic (Mac Studio, NVIDIA DGX Spark, AMD Ryzen AI, or GPU workstation). Lyncs does not sell or lease the hardware. Client business records stay on client premises.
- Local AI firewall: Yes. Fail-closed. Strips sensitive fields before any cloud call.
- Cloud sub-processors: Anthropic (Claude), OpenAI (ChatGPT), Google (Gemini), Microsoft (Azure OpenAI). Business-tier agreements; customer data excluded from model training.
- Operator access: MFA-enforced, audit-logged. Specialists see operational telemetry, not the underlying client records.
- Access controls: MFA on every company-managed system (hardware security keys for privileged access), least-privilege role-based access to production and client environments, unique accounts with no shared logins, full-disk encryption on company devices, and same-day deprovisioning when an assignment ends. Client-owned systems are connected via OAuth where supported, with no stored customer passwords and encrypted, customer-revocable tokens.
- Partner-only boundary: Lyncs operates exclusively through MSPs. Never contacts end-clients directly.
- Compliance posture: The architecture above is built so most SOC 2 / HIPAA controls don’t apply to client data, because that data never leaves the client’s building. Forwardable vendor security overview document available on request via partners@lyncs.ai. See FAQ for the long answer.
Detail follows in the ten checkpoints below.
01 The short version
If you only read one section, read this one. Four principles guide everything below:
- Data stays on-site by default. The client’s sensitive records live on their own equipment, not in our systems.
- We sell only to MSP partners. We never contact or hold a direct relationship with your end client, which keeps the data path simple and contractual.
- Least access, always. Each person and each AI agent reaches only what its job requires, and access is logged.
- Everything is auditable. Prompts, allow and deny decisions, and redactions are recorded so you can show an auditor or insurer what happened.
02 Protecting client data
Most trades businesses run on-premise systems, such as QuickBooks Desktop, that cloud AI cannot safely reach. We keep that data where it belongs and put controls between it and anything external.
A local AI firewall
Every request bound for a cloud model passes through a checkpoint first. Customer records, financials, and health data are stripped or blocked before anything leaves the building. It fails closed: if something sensitive cannot be protected, it does not go out.
Role-based access
Each employee’s AI sees only what their role allows. Finance reaches the books, sales reaches the CRM, and access is granted or removed like any other account.
Private knowledge stays local
The client’s documents are searchable by their AI but are not uploaded to us. Internal records stay on the on-site system.
A full audit trail
Every prompt, every allow or deny, and every redaction is logged, with regular reports you can hand to an auditor or insurer.
03 The MSP-only boundary
This is a security control as much as a business model. Lyncs works only through our MSP partners. We do not sell to, contact, or hold a direct relationship with the partner’s end clients. The partner keeps the client relationship and the on-site access; we operate the AI behind the scenes under the partner’s brand.
For a client’s security team, that means a clear and contractual data path: their data flows to a partner they already trust, not to an unknown third party. The boundary is written into our partner agreements.
04 When cloud AI is used
Local and on-site processing is the default. Some tasks still call for a frontier cloud model, and when they do, the local AI firewall in section 2 decides what may leave first. Sensitive data is stripped or blocked before any request reaches an outside provider.
For that cloud work we rely on established frontier-model and major cloud-infrastructure providers, under their business and enterprise data terms, and we choose providers that do not train their models on business customer data by default. We keep the specific tooling we run private. The categories of provider that may process firewalled data are summarized in section 7.
05 Access & account security
The systems Lyncs runs on, and the accounts our specialists use, are held to the standard a SOC 2 audit looks for.
- MFA everywhere. Every company-managed system requires multi-factor authentication, with hardware security keys for privileged access.
- Least-privilege access. Access to production systems and client environments is granted by role, on the principle of least privilege. Every specialist has a unique account, and we do not use shared logins.
- Encrypted devices. Company endpoints use full-disk encryption.
- Same-day deprovisioning. When a specialist’s assignment ends or they leave, their access is revoked the same day.
- Reviewed and logged. Access is reviewed regularly, and every access event is recorded.
This is the same control set a SOC 2 report attests. What we have not done yet is buy the formal attestation, which we cover in the FAQ.
06 Connecting to your systems
When a client connects a tool they own, such as their email, accounting, CRM, or PSA, Lyncs authenticates without ever taking custody of their credentials.
- OAuth, not passwords. We connect through OAuth-based authorization wherever a system supports it. We do not store customer passwords.
- Encrypted, revocable tokens. Access tokens are encrypted at rest, and the client can revoke our access at any time from their own system.
- Least privilege. We request only the permissions a task needs, never blanket access to the account.
- Encrypted in transit. Every connection runs over an encrypted channel.
Because the client owns the system, they stay in control: they grant what they choose, see what we connect, and can cut off access whenever they want.
07 Our people
Every specialist we place is a certified technician. We hire through a professional HR process and match each specialist to what a partner and their clients actually need, with certifications across the platforms they work on, including AWS, NVIDIA, and Anthropic. Specialists work under confidentiality agreements, and access to a partner’s environment is limited to the people assigned to it and removed the same day an assignment ends.
08 Website security
This website is deliberately simple, which keeps its attack surface small.
- Served only over HTTPS, with modern security response headers including a content security policy and clickjacking protection.
- No advertising or analytics trackers. There is no Google Analytics, no Meta Pixel, and no third-party tracking pixels.
- The careers form validates file type and size on the server, rate-limits submissions, screens out automated spam, and emails applications to us rather than storing them in a public location.
How the site handles personal data is covered in our Privacy Policy.
09 Service providers
We keep our provider list short on purpose. These are the third parties that may process data, split by where they apply.
Each provider handles data under its own terms. We share only what a task requires, and only after the data firewall has done its work.
10 Reporting a vulnerability
If you have found a security issue with this website or our service, please tell us. Email security@lyncs.ai with enough detail to reproduce it. We will acknowledge your report and keep you updated as we look into it.
11 Precision over hype
We describe only controls that are real and in use today, and we state what we can stand behind rather than imply credentials we have not earned. Formal third-party attestations are part of our security roadmap, and we will publish them here as they are completed.
12 Contact
Security questions, a request about data, or a vulnerability report can all go to security@lyncs.ai. We are LYNCS LLC, the Hybrid AI Operations Partner for local US IT and MSPs.