Legal

Privacy

Agreements & Policies

Terms of Services

SYNOLOGY AI SECURITY & PRIVACY PRACTICES

Updated June 2025 Archived versions

At Synology, safeguarding user privacy is our top priority. We adhere to strict data privacy and transparency standards, ensuring that all data handling aligns with ethical and regulatory requirements. This commitment remains unchanged as we integrate AI into our productivity tools. This document outlines how AI is implemented in our Synology devices and the security measures we take to protect user data.

I. AI Functionality in Synology Devices

Overview

Synology enables users to integrate third-party AI services into supported productivity packages via our AI management tool, Synology AI Console. Through Synology AI Console, administrators can:

  • Connect Synology AI Console with supported packages and third-party AI APIs, and manage AI access permissions.
  • Enable de-identification features to enhance data privacy.
  • Monitor and track AI usage, including transaction and administrative logs, to maintain comprehensive supervision and data protection.

Note: While Synology does not charge for AI requests, AI features in supported productivity packages may incur costs from your provider. These charges may include test requests during API setup (e.g., clicking "Verify and Save" in AI Console). For billing inquiries, please contact your AI provider directly. See this article for details.

II. Handling of Third-Party AI API Keys

Your API key/token is securely stored locally on your device. Requests to third-party AI providers are sent directly from the Synology device and are not stored in the browser. System administrators can remove the API connection at any time.

III. AI Response Processing

When De-Identification is Enabled

  1. A supported productivity package receives a user request.
  2. The request is forwarded to Synology AI Console, where sensitive data is identified and masked based on administrator-defined configurations. (Learn more about de-identification.)
  3. The masked request and prompt are forwarded to the AI provider.
  4. The AI provider's Large Language Model (LLM) generates a response.
  5. The response is sent back to Synology AI Console, where a log is recorded locally. (Learn more about logs.) Masked data is restored before returning the response.
  6. Synology AI Console forwards the final response to the supported productivity package.
  7. The supported productivity package returns the output to the original format before displaying it to the user.

When De-Identification is Not Enabled

  1. A Synology package receives a user request.
  2. The request is sent directly to the AI provider's LLM for processing.
  3. The AI provider generates a response and returns it to Synology AI Console, where a log is recorded locally. (Learn more about logs.)
  4. The Synology AI Console forwards the response to the package.
  5. The supported productivity package returns the output to the original format before displaying it to the user.

IV. Data Security & Retention

Data Sent to AI Providers

MailPlus

Synology MailPlus only transmits text-based content, including the subject, recipient details, sender information, and email body. Attachments are not included. Information sent to AI providers, along with received feedback, is stored within the Synology AI Console log. Synology MailPlus does not retain any AI-related data. Data is transmitted to AI providers only when users actively engage AI functions. Refer to this article for details on AI functions.

Office

Synology Office only transmits text-based content, including the document title and body. User information, such as document owners and editors, is not included. Additionally, Synology Office features a memory mechanism that retains users' past conversations to provide a smoother AI interaction experience. However, these records are periodically cleared and immediately erased when users leave the page, and users can also manually clear these records at any time.

Information sent to AI providers, is stored within the Synology AI Console log. Synology Office does not retain any AI-related data. Data is transmitted to AI providers only when users actively engage AI functions. Refer to this article for details on AI functions.

De-Identification Mechanism

The de-identification feature in Synology AI Console enhances user privacy by detecting and masking sensitive data before requests are sent to AI providers. This mechanism uses:

  • Language models to analyze text semantics, identifying and dynamically masking sensitive information.
  • Predefined rules (regular expressions) to recognize common data types (e.g., ID numbers, driver's licenses, dates) for selective anonymization based on administrator settings.

While highly accurate, de-identification does not guarantee 100% masking of all sensitive data. Only data types selected by admins are anonymized, ensuring flexibility while maintaining security.

De-Identification Requirements

  • Container Manager must be installed on the Synology device.
  • A minimum of 8 GB RAM is required; the system checks available memory before enabling the feature.

Note: Selecting more de-identification data types in the admin console may decrease the accuracy of AI-generated responses.

V. Data Usage & Privacy Commitment

Will Synology Use or Sell User Data?

Synology prioritizes user privacy and data security. We do not sell user data. Every AI request is logged to support audit and regulatory requirements. These logs are stored locally in the Synology device, ensuring full user control. Neither Synology nor third parties can access these logs without user permission.

By default, input and output data recording is disabled. Administrators can configure custom log retention policies via Synology AI Console > Logs > Settings.

What is Synology's Role in AI Integration?

Synology provides a platform for integrating third-party AI providers using your own API keys. Synology does not determine which data you send to third-party AI providers, nor does Synology process or control your data when you use AI functions in supported productivity packages. You retain full control over the information shared with AI providers on Synology devices, including the option to use the de-identification feature. As such, when transmitting personal data to third-party AI providers through Synology devices, you or your organization are responsible for ensuring data subject's rights are respected, including but not limited to, obtaining any necessary consent, providing required disclosures or notices to data subjects concerning the use of third-party AI providers, and ensuring related data protection measures are in place.

Third-Party AI Providers

While Synology ensures that logs remain user-controlled, AI-generated responses are processed by third-party providers. The following list of third-party providers and their associated terms are provided for informational purposes only. Users should carefully review the provider's privacy policy and any data processing agreement when obtaining API keys to ensure compliance with the applicable laws and your organization's data protection standards.

Supported AI Providers:

VI. Disclaimer on AI Accuracy & User Responsibility

Synology AI features are designed to enhance productivity by providing automated insights. However, due to inherent limitations of AI, responses may not always be accurate, complete, or up-to-date. Users should independently verify AI-generated content before making critical decisions.

Synology disclaims liability for inaccuracies in AI-generated outputs and encourages users to apply their own judgment and seek professional advice when necessary.

Usage Restrictions:

  • AI features must be used strictly for lawful and ethical purposes.
  • Users are prohibited from employing AI in any way that violates local, national, or international laws.