← All posts

Zero Trust for a Platform Whose Job Is Trust

June 5, 2026 · 6 min read

By Adegbitẹ Ifeoluwa, Co-Founder & CTO at Genovo Technologies

There is a special irony in building a trust platform: every architectural shortcut you take undermines the product itself. If Synthos certifies datasets, then Synthos’ own integrity is part of every certificate. That is the lens we apply to every design review.

Zero trust, for us, is not a product category — it is the discipline of assuming every layer can be wrong. The frontend does not trust its own role checks: they gate rendering for UX, while enforcement lives at the API on every call. The middleware does not trust an unsigned claim further than routing. Short-lived access tokens rotate against a refresh token, and a stolen access token dies on schedule.

Defense in depth, concretely

Abstract principles become real in the unglamorous details. Registration is gated by CAPTCHA verified server-side and by rate limits enforced at more than one layer, because a bot flood is not just noise — it is sender-reputation damage and a credit-farming vector. Support impersonation exists because support needs it, but it swaps in a short-lived token that cannot renew itself, displays an unremovable banner, and refuses billing and destructive operations for the entire session.

Every privileged action lands in an audit log with actor, target, and timestamp. The log is not a compliance decoration; it is how we would reconstruct an incident, and designing it that way changes what you record.

Security as a product feature

Customers hand us their most valuable asset — training corpora that encode years of collection and generation work. They should be able to interrogate how we treat it: scoped named API keys shown once at creation, optional TOTP two-factor with recovery codes, webhooks with delivery logs, and certificates any third party can verify without an account. Security you cannot inspect is a promise; security you can inspect is a feature.