An FAE’s day is not one application
A customer question rarely arrives clean. It starts as a GitHub issue about a thermal throttle, migrates to a Jira ticket when triage assigns it, gets argued in a Discord thread where someone pastes a register dump, and finally lands in your email as a vendor asking for a workaround by Friday. The field applications engineer holding this lives in six tabs at once. The institutional memory that would answer the question — the time a near-identical failure mode was traced to a clock-domain crossing two quarters ago — is scattered across the same six surfaces, owned by whoever happened to close the ticket.
Most software answers this by demanding you come to it: paste the thread into our box, connect your inbox, grant our integration read access to the workspace. Each of those is a new place your customer’s confidential silicon details now live. For a buyer whose entire business is other people’s unreleased hardware, that is the wrong direction. The tool should come to the screen the work is already on, and take nothing it does not need.
The companion model
Synchronize runs as a desktop companion. You press Option-Space on whatever is in front of you — the Discord thread, the email, the issue — and it reads that window, matches it against your team’s resolved cases, and surfaces the closest priors in place: how this failure mode was diagnosed before, what the fix was, who signed off. Then it drafts the reply you were about to write. You read it, correct it, and send it. The model is not a database you visit. It is a colleague who looks at what you are looking at, only when you ask.
That phrasing — only when you ask — is the entire security argument, and it deserves to be made precisely rather than promised vaguely.
Consent on the keystroke, not capture in the background
There are two architectures for a tool that reads a screen, and the gap between them is the whole essay. The first captures continuously: it screenshots on a timer, runs OCR, and accumulates a searchable record of everything you have seen. The second captures on invocation: nothing is read until you press the key, the read is scoped to the one window you invoked it on, and nothing is retained once the request returns. Synchronize is the second kind. The trigger is the consent. There is no timer, no always-on recording, no index of your day building up where a future breach could find it.
Map the named principles onto that and the claims stop being adjectives. Least privilege (OWASP): the reader sees the window you summoned it on, not the desktop behind it. Data minimisation (GDPR Article 5(1)(c), where holding more than necessary is itself the violation, not merely a risk): it takes the thread, not the inbox. Ephemerality: the capture is destroyed when its purpose is met, so it cannot compound into a history. Each of these is a mechanism you could test, not a sentence you have to trust.
Recall is the negative control
We know what the other architecture looks like because Microsoft shipped it. Recall, announced May 2024 for Copilot+ PCs, screenshotted the screen every few seconds, OCR’d the text, and built a searchable database of everything the user had seen. Security researcher Kevin Beaumont found that database stored as plaintext, unencrypted SQLite, decrypted whenever the user was logged in — meaning ordinary infostealer malware could read a person’s entire visual history with no administrative rights at all. The proof-of-concept that demonstrated it was called TotalRecall.
What matters is how Microsoft fixed it. The re-architecture that followed did not ship a stronger promise. It made the feature opt-in, encrypted the snapshots, put the keys in the TPM behind Windows Hello, and moved decryption inside a virtualization-based security enclave. The repair was structural, not editorial. Same feature, two architectures: plaintext-always-on was indefensible, enclave-gated-opt-in is at least arguable. The lesson an IP-sensitive buyer should extract is not “trust Microsoft now.” It is that always-on capture of everything was the original sin, and the cheapest way to never leak a record is to never accumulate one.
Verifiable beats promised
The standard worth holding to is Apple’s Private Cloud Compute, where the guarantees are enforced by construction rather than by assurance: computation is stateless and retains the request in no form afterward, including logs; there is no privileged runtime access, no remote shell even during an outage; and the design is published on the premise that security researchers must be able to verify it. Most work happens on the device; only the genuinely hard requests leave it. The throughline is that you are not asked to believe a policy — you are given an architecture whose violation would be observable.
This is the distinction security engineers already make between two kinds of control. A privacy policy is a detective control: it tells you what should happen and lets you punish a violation after the fact. On-device, ephemeral, consent-gated capture is a preventive control: the bad thing cannot happen in the first place. You do not protect a vault with a sign that reads please do not steal. “We won’t look at the rest of your screen” is a sign. “The tool only ever receives the window you invoked it on, processes it, and keeps nothing” is a lock.
It ends in a draft you approve
The last guarantee is the one you can feel. Synchronize does not act. It reads the window you pointed it at, finds the priors, and writes a draft into the reply you were already composing. The human stays the actuator. Nothing is sent that you did not send; nothing is read that you did not summon; nothing survives the request that produced it.
We will say plainly what is and is not true today. These are behavioral guarantees enforced by how the companion is built — consent on the trigger, least privilege on the read, ephemerality on the result. The formal attestations that let a procurement team check our work without taking our word for it — a SOC 2 report, a third-party audit of these claims — are on the roadmap, not in hand. We would rather tell you the architecture now and earn the certificate next than wear a badge that outruns the build. The point of this whole design is that you should not have to trust us. You should be able to check.