This article serves as a comprehensive overview of the robust IT-security infrastructure underpinning the SynergyXR platform.
SynergyXR – IT Security Whitepaper
Background of the Solution
In an era where immersive learning experiences blend seamlessly with cutting-edge technology, our no-code tool stands at the forefront, enabling users to create captivating multi-user journeys in Augmented Reality (AR) and Virtual Reality (VR). The platform's versatility extends across iOS, Mac, PC, and stand-alone VR headsets, providing a seamless and accessible environment for multi-user engagement.
Purpose of the Whitepaper
This document serves as a comprehensive overview of the robust IT-security infrastructure underpinning our platform. As the landscape of AR and VR learning experiences evolves, security becomes paramount. This document aims to enlighten stakeholders, including users, administrators, and partners, about the proactive security initiatives undertaken to safeguard data integrity, user privacy, and the overall reliability of our platform. This whitepaper clearly shows our unwavering commitment to providing a secure, innovative, and sustainable AR and VR learning platform.
Audience
- Users
Individuals leveraging our platform for content creation will gain insights into how their data is protected, ensuring confidence in sharing and collaborating within the immersive environment. - Authors
Those engaged in creating and authoring experiences will understand the security measures in place to foster a secure and distraction-free learning atmosphere for users of the created content. - IT Administrators
Professionals responsible for managing the deployment and security of the platform within their organizations will find detailed information on the architecture and measures implemented.
Cloud-Based Content Backend Security
Overview of the Cloud Infrastructure
Our cloud-based content backend is the cornerstone of the SynergyXR platform, providing a scalable and secure environment for storing and managing user-generated content. The infrastructure is hosted in Microsoft Azure, a reputable cloud service provider, ensuring reliability and adherence to industry-leading security standards.
The SynergyXR backend is a fully hosted service deployed in Microsoft Azure - specifically in EU-West located in the Netherlands. We do not use dedicated servers, we manage ourselves. We rely on many of the security features offered by Microsoft Azure. This includes features like DDoS protection, network isolation, and traffic encryption through HTTPS.
Each customer gets their own instance of the SynergyXR content backend – these instances are called Workspaces. This means that data stored in one Workspace is stored in a separate Blob Storage, ensuring complete data segregation of customer data in SynergyXR. User access is also segregated through Workspace access.
The Microsoft Azure Blob Storage and the associated Content Delivery Network (CDN) are where the raw files of the content are stored. Outbound traffic needs to be allowed for the following types of network traffic:
To manage content, users, spaces and to plan online sessions, users will use the SynergyXR Web Manager. This is a Single-Page Application (SPA) hosted in Microsoft Azure. The Web Manager is written in Java Script using the Quasar Vue.js framework.
To store training results, as part of the Learning Management System (LMS) integration, SynergyXR hosts a Learning Record Store (LRS). This is a CosmosDB mapping of the LMS user ID, the SynergyXR user ID, the 6-digit PIN code generated by the system, and the results obtained during the training. This data is only stored until the training completion has been reported back to the LMS at which point the data is deleted.
In addition to the content backend, SynergyXR makes use of two external services: Photon Enterprise Cloud and Agora Real-Time Video Streaming Service.
Access Controls and Authentication for Cloud Services
Role-Based Access Control (RBAC)
Access to cloud services is governed by RBAC, ensuring that only authorized users have the necessary permissions to configure and manage the Workspace.
In SynergyXR, users can have one of four roles:
- Guest: time-limited user with read-only access. Cannot modify, add, or remove company assets. Can only join existing live sessions.
- Viewer: user with read-only access. Cannot modify, add, or remove company assets. Can create new sessions.
- Author: user with write access. Authors can upload new content, delete content, and save modifications to assets.
- Admin: can manage users - add new user, delete user, and change user access levels.
Authentication Mechanisms
Token-Based Authentication
Users and services connecting to the cloud backend authenticate through token-based mechanisms, adding an extra layer of security during communication.
All API endpoints are fully authoritative requiring a valid access token. When our services connect to Microsoft Azure resources, the connection stays within Microsoft Azure and doesn't cross any network boundaries. However, the connection goes through the shared networking in Microsoft Azure, and to ensure proper security, communication between Blob Storage and our CosmosDB is also HTTPS encrypted.
Secure Identity Management
Integration with secure identity management systems ensures that only valid and authenticated users can access the cloud services. The synergy backend handles secure user authentication via Duende IdentityServer4 which is an OpenID Connect and OAuth 2.0 framework for ASP.NET Core.
All communication between apps and backend is fully authoritative requiring a valid access token. HTTPS is used for all communication secured through TLS.
Outbound traffic needs to be allowed for the following types of network traffic as listed here:
Data Storage Security
Data-at-Rest Encryption
User-generated content, including 3D models, images, PDFs, and videos, is encrypted at rest, preventing unauthorized access to stored data. Microsoft Azure Storage uses service-side encryption (SSE) to automatically encrypt your data when it is persisted to the cloud. Microsoft Azure Storage encryption protects your data and helps you to meet your organizational security and compliance commitments. Read more here.
Key Management
Robust key management practices are employed to safeguard encryption keys, ensuring the confidentiality of user content. We configure all our services to retrieve their sensitive data (connection strings, API keys) from Microsoft Azure Key Vault for additional security.
Backup and Recovery Processes
Regular Backups
Microsoft Azure Backup provides a simple, secure, cost-effective, and cloud-based backup solution to protect your data stored in SynergyXR. Read more here.
Soft Delete
SynergyXR utilizes Soft Delete to protect customer data from accidental deletes or overwrites. This is done by maintaining the deleted data in the system for 30 days. During the retention period, we can help the customer restore a soft-deleted object to its state at the time it was deleted. After the retention period has expired, the object is permanently deleted.
Third-party Services
Photon Enterprise Cloud
Photon is an industry leader in providing fully hosted real-time multi-user services. In SynergyXR we use their “Enterprise Cloud” service ensuring that the service is hosted on dedicated hardware with static IP enabling users of SynergyXR to whitelist these IP-addresses.
Outbound traffic needs to be allowed for the following types of network traffic (see more here):
Photon hosts their service in Microsoft Azure, in the EU-West region, located in the Netherlands.
Agora Real-Time Video Streaming
Agora is a global leader in Real-Time Engagement, providing developers with simple, flexible, and powerful APIs, to embed real-time voice, video, interactive streaming, chat, and artificial intelligence capabilities into their applications.
SynergyXR makes use of their video streaming capabilities to ensure all users see the exact same view of the SynergyXR web browser. Agora maintains a document describing the firewall requirements: https://docs.agora.io/en/video-calling/reference/firewall?platform=unity.
All communication happens over port 443 using TCP, so this rarely causes any issues.
Device and Client Application Security
Security Measures on Devices
Data caching
To optimize the data traffic, all data is automatically cached on the device. Every time a Space is loaded, the system automatically detects if a new version of data is available on the content backend, or if the cached data can be used.
Every time a user logs out of SynergyXR, all cached data is automatically deleted from the device. If a user switches to another Workspace, all cached data is also deleted.
Regular Security Updates
We aim to provide new updates to SynergyXR every three months. New versions of SynergyXR are made available on one of several platforms:
- iOS and iPadOS: iOS app store
- visionOS: Vision app store
- PC: Microsoft Store
- Meta Quest VR devices: Meta Quest Store (App Lab), ManageXR Instant App, ArborXR content sharing, Quest for Business app sharing
- HTC VR devices: HTC VIVE Business App Store, ManageXR Instant App, ArborXR content sharing
- Pico VR devices: Pico Business Store, ManageXR Instant App, ArborXR content sharing
- For manual distribution: The SynergyXR download page: https://portal.synergyxr.com/download
Secure Communication Between Devices
Multi-user Security
All users engaged in multi-user collaborative sessions in SynergyXR download the necessary content directly from the SynergyXR content backend. No customer data is ever transferred over the Photon Enterprise Cloud – only simple data that is necessary to synchronize the experience for all users. This includes 3D positions of users, their rotation in 3D space, as well a remote procedure calls (RPC) for the actions they are performing.
Voice Communication Security
SynergyXR uses Photon Voice hosted on the Photon Enterprise Cloud as Voice over IP (VoIP) technology solution. All voice communication is encrypted – read more here:
https://doc.photonengine.com/voice/current/reference/encryption
User Data Protection
Data Protection Officer
We recognize the paramount importance of safeguarding user data and ensuring compliance with data protection regulations. To further strengthen our commitment to data privacy, we have appointed Sune Wolff, our CTO, as the dedicated Data Protection Officer (DPO).
In this role, Sune Wolff assumes the following key responsibilities:
- Regulatory compliance
- Policy development
- Data subject rights
- Monitoring and auditing
- Privacy impact assessments.
Privacy policy and data handling practices
Given the international user base, we are committed to GDPR compliance. User consent mechanisms, data access requests, and data erasure policies are integral components of our solution.
Please see our Data Processing Agreement which is part of our general Terms & Conditions (see Schedule 1 of: https://synergyxr.com/terms-and-conditions/)
Real-Time Monitoring and Logging
System and Application Monitoring
We use Microsoft Azure Security Center which provides unified security management and advanced threat protection across cloud workloads. Microsoft Azure Security Center continually monitors and enhances our security posture. This tool keeps us informed about compliance,
provides security recommendations, identifies potential attack paths, and highlights areas for improvement. It's a crucial component in our commitment to maintaining a secure environment.
Company Security Initiatives
Security Officer
We recognize the critical importance of a dedicated leadership role in ensuring the ongoing effectiveness of our security initiatives. Sune Wolff, our Chief Technology Officer, has been appointed to the position of Company Security Officer. In his role, Sune Wolff undertakes:
- Strategic oversight
- Policy development
- Risk management
- Incident response leadership
- Technology evaluation
- User education and awareness
Company User Access Management
As a company, SynergyXR uses Microsoft Entra ID (previously known as Azure Active Directory (Azure AD)) as a cloud-based identity and access management service that helps your secure access to your applications and data. All employees use Multi-Factor Authentication (MFA - rolled out via policies) and only a selected few colleagues have access to the Microsoft Azure portal (managed through security groups).
We follow the Principle of Least Privilege regarding user access to ensure employees only have the necessary access rights to fulfill their job. We also perform a periodic user access review, ensuring Principle of Least Privilege is respected.
Part of our offboarding process also ensures that user accounts are deleted/disabled ensuring leaving employees do not have access to any systems, services or tools.
Development Environment
All source code is version-controlled, and under a 3-2-1 backup scheme (3 separate backups, located at least 2 different physical locations, at least 1 of which is off-site).
During development, we have development, test and production environments. Customer data is only stored in the production environment.
Compliance and Certifications
At SynergyXR we have obtained the internationally recognized ISAE 3402 Type 1 attestation. The audit is performed by Grant Thornton in Q1 2025. As part of this process, we have built our Information Security Management System (ISMS) following the guidelines defined in ISO 27002.
Future Security Roadmap
Single Sign-On Support
We do currently not support SSO. The obvious technical option would be to use MSAL (Microsoft Authentication Library) - unfortunately, MSAL is not supported by Unity which is the underlying engine of SynergyXR.
We are currently actively investigating using OAuth using a MSAL-like flow for SSO. We are initially targeting Microsoft Entra ID (Azure AD) as the underlying authentication service, but OAuth should be flexible enough to be used for other authentication systems as well.
Security Assessment
Every two (2) months, we perform various security scans of SynergyXR. This results in a Security Assessment Report – find the latest here.
Penetration Test
We are discussing partnership with Cobalt,utilizing their Pentest as a Service (PtaaS) platform for 3rd party penetration tests. Please, reach out for further inquiries.
References
General Terms & Conditions
You can find the SynergyXR General Terms and Conditions here: https://synergyxr.com/terms-and-conditions/.
Data Processing Agreement
Included in the T&C as “Schedule 1” you can find our DPA.
Service Level Agreement
Included in the T&C as “Schedule 2” you can find our SLA.
Privacy Policy
You can find the SynergyXR Privacy Policy here: https://synergyxr.com/privacy-policy/.
Appendix A: Network Specification
The following IP/ports must be accessible to run SynergyXR – either through proxy settings or firewall whitelisting.
Hostnames and IPs
We don’t always use dedicated IPs. For some scenarios we know the hostnames, and they are always the same not subject to change like “login.synergyxr.com” and “portal.synergyxr.com” but the IPs may be dynamic.
Fundamentals (DNS)
The client will need to be able to make DNS queries to function properly (UDP and TCP port 53).
SynergyXR Backend Hosted by Microsoft Azure
Outbound traffic needs to be allowed for the following types of network traffic as listed here. As this is regular HTTPS traffic it should be possible to do this via proxy.
CDN and Azure Blob Storage
Outbound traffic needs to be allowed for the following types of network traffic as listed here. As this is regular HTTPS traffic it should be possible to do this via proxy
Photon Engine
Outbound traffic needs to be allowed for the following types of network traffic as listed here.