Synergy is on-premise software. It runs entirely on your own machines and local network. It does not route your input through our servers, and it does not receive, capture, or store what you type or view. This page describes how Synergy works, what data it does and does not handle, and how we manage security. It is intended to support vendor security reviews and procurement assessments.
Summary for reviewers
Synergy shares one keyboard and mouse across multiple computers on the same network. Input events are relayed directly between the controlling machine and the controlled machines over an encrypted connection. There is no cloud service in the path, no hosted data store, and no subprocessor chain handling customer data. This is the core of our security posture: the product has a deliberately small data footprint because it never takes custody of your data in the first place.
Architecture and data flow
A Synergy deployment consists of one server and one or more clients on the same local network.
The server is the machine whose physical keyboard and mouse are shared. The clients are the machines that receive input. When the cursor moves to a client screen, the server sends keyboard and mouse events to that client over the network. Input is relayed in real time and is not written to disk or retained after delivery.
The connection is a direct network link between machines you control. Synergy does not proxy, mirror, or relay this traffic through any external service.
Network and ports
Synergy 1 and the Core communicates over a single TCP port on your local network. The default port is 24800, and it is configurable. No inbound connections from the internet are required. In a segmented or air-gapped environment, Synergy operates without any internet access after activation (see Licensing and activation below).
Encryption in transit
Traffic between the server and clients is encrypted with TLS. Certificates are generated locally and used to secure the connection between your machines. TLS 1.2/1.3 with 4096-bit keys.
Data collected and not collected
Synergy is designed to handle as little data as possible.
Synergy does not log or store keystrokes. Keyboard input is relayed as live events between your machines and is not recorded. Synergy does not capture, record, or transmit screen contents. It shares input only, not display output. Synergy does not send your input or usage content to us or to any third party.
The Enterprise edition uses zero telemetry. Other editions do communicate with our systems in limited, specific cases: license activation, and update checks. These are described below.
Licensing and activation
Except for the Enterprise edition, Synergy uses license activation to validate a purchased license. Online activation for business editions happens upon each server start to ensure license validity. After a license is activated, Synergy runs offline indefinitely and does not need to phone home to keep working. ersonal licenses activate online once and then run offline with no ongoing phone-home.
For isolated and air-gapped environments, Synergy supports offline activation using a challenge-response process. The client generates a short challenge derived from a hardware fingerprint. That challenge is exchanged out of band for a machine-bound response, which the client verifies locally against an embedded public key using Ed25519 signature verification. This allows a fully disconnected machine to be licensed without any network access.
Vulnerability disclosure and security response
We operate a coordinated vulnerability disclosure process and publish security advisories.
Recent examples show the process in practice. We identified, fixed, and disclosed CVE-2026-41477 through our open source upstream base, Deskflow, a local privilege escalation issue affecting the daemon. The fix removed the affected command path from the inter-process protocol and moved daemon configuration to a location protected by standard operating system access controls. We also handled a denial-of-service advisory affecting the TLS connection handling. Advisories are published through the Deskflow open-source project.
Code signing and supply chain
Synergy release binaries are code signed so that customers can verify authenticity and integrity. We use Azure Trusted Signing for code signing.
Synergy is built on Deskflow, the open-source upstream project we maintain. The core input-sharing engine is open source and available for independent review and audit. This means the most security-relevant part of the product can be inspected directly rather than taken on trust.
Compliance posture
SOC 2
Synergy is on-premise software and is not a hosted service. It never receives or processes your data on our infrastructure, so there is no service environment for a SOC 2 audit to cover and no subprocessor chain to assess. We address security through this documentation and through the open-source auditability of the core engine rather than through a SOC 2 report. In our experience the reduced data footprint simplifies vendor security assessments.
Privacy
Because Synergy does not capture keystrokes or screen contents and does not route input through our servers, the personal data it handles is limited to what is required for licensing and, where enabled, update checks and the optional Cloud add-on. Our privacy policy describes what we collect and how it is handled.
Vendor questionnaires
We can complete standard vendor security assessments, including HECVAT, and customer-specific questionnaires on request. This overview is written to map onto the questions those assessments ask.
Contact
For security documentation requests, vendor questionnaires, or to arrange a review call, contact sales@symless.com or support@symless.com.