Security & Compliance

Last Updated: 25.02.2026

Scope Catch takes security seriously. This document outlines our security practices, infrastructure, and compliance standards.

1. Data Encryption

1.1 Encryption at Rest

All stored data is encrypted using:

  • Algorithm: AES-256 encryption
  • Key Management: AWS KMS or equivalent
  • Scope: Database, file storage, backups

What's encrypted:

  • User data (projects, scope definitions)
  • Message content
  • Feedback data
  • Billing information

1.2 Encryption in Transit

All data transmission uses:

  • Protocol: TLS 1.2 or higher
  • Certificate signature: SHA-256 with RSA (sha256WithRSAEncryption)
  • Endpoints: All API calls, webhooks, web traffic

Connections:

  • Slack ↔ Scope Catch: TLS 1.3
  • Scope Catch ↔ Gemini API: TLS 1.3
  • Scope Catch ↔ Stripe: TLS 1.3
  • User ↔ Web App: HTTPS (TLS 1.2+)

2. Access Controls

2.1 Authentication

  • Slack OAuth 2.0: Secure workspace authentication
  • API Keys: Encrypted storage, rotated every 90 days
  • Session Tokens: Expire after 30 days of inactivity
  • Two-Factor Authentication (2FA): Required for admin accounts

2.2 Authorization

Role-Based Access Control (RBAC):

  • Users can only access their own workspace data
  • Admins have read-only access (for support)
  • Engineers have production access, with every access audit-logged

Principle of Least Privilege:

  • No employee has access to customer data by default
  • Access granted on case-by-case basis for support
  • All access logged and reviewed

2.3 Internal Access Logging

Every data access is logged:

  • Who accessed
  • What data
  • When
  • Why (support ticket reference)

Logs retained for 1 year for audit purposes.

3. Infrastructure Security

3.1 Hosting

  • Provider: Railway (or AWS/GCP)
  • Location: United States (us-east-1)
  • Certifications: SOC 2, ISO 27001; GDPR compliant

3.2 Network Security

  • Firewalls: All services behind firewall (only necessary ports exposed)
  • DDoS Protection: Cloudflare or AWS Shield
  • Intrusion Detection: 24/7 monitoring via Datadog/Sentry
  • VPC Isolation: Database in private subnet (not publicly accessible)

3.3 Server Security

  • Patching: Automatic security updates within 24 hours
  • Hardening: Minimal services, non-root users, SSH key-only access
  • Monitoring: Real-time alerts for suspicious activity
  • Logging: Centralized logging for security events

4. Application Security

4.1 Secure Development

Practices:

  • Code reviews required for all changes
  • Static analysis (ESLint, SonarQube)
  • Dependency scanning (Dependabot, Snyk)
  • Regular security audits

4.2 Vulnerability Management

  • Scanning: Weekly automated vulnerability scans
  • Patching: Critical vulnerabilities fixed within 24 hours

4.3 Input Validation

  • All user input validated and sanitized (SQL injection prevention)
  • XSS protection enabled
  • CSRF tokens on all forms
  • Rate limiting (100 requests/minute per user)

5. Data Backup & Recovery

5.1 Backup Schedule

Data Type            Frequency   Retention
Database             Hourly      7 days
Database             Daily       30 days
Database             Weekly      90 days
Files (PDFs, etc.)   Daily       30 days

Backup Storage:

  • Encrypted with AES-256
  • Stored in separate geographic region
  • Tested monthly for restore viability

5.2 Disaster Recovery

  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 1 hour

Disaster Recovery Plan:

  1. Automatic failover to backup region
  2. Database restore from latest backup
  3. DNS updated to backup endpoint
  4. User notification via status page

Tested quarterly.

6. Incident Response

6.1 Security Incident Definition

A security incident is any:

  • Unauthorized access to data
  • Data breach or leak
  • Service disruption due to attack
  • Malware or ransomware infection
  • Loss of data

6.2 Incident Response Procedure

Within 1 hour:

  1. Incident detected (automated alerts)
  2. On-call engineer paged
  3. Incident commander assigned

Within 4 hours:

  1. Root cause identified
  2. Containment measures implemented
  3. Affected systems isolated

Within 24 hours:

  1. Full investigation completed
  2. Affected users notified (if data breach)
  3. Post-mortem report drafted

Within 72 hours (GDPR requirement):

  1. Regulatory authorities notified (if applicable)
  2. Public disclosure (if required)

6.3 User Notification

We will notify you if:

  • Your data was accessed by an unauthorized party
  • A data breach affects your account
  • Service disruption exceeds 24 hours

Notification via:

  • Email to workspace owner
  • In-app notification
  • Status page update

7. Compliance & Certifications

7.1 Regulatory Compliance

Scope Catch complies with:

  • GDPR (General Data Protection Regulation) - EU
  • CCPA (California Consumer Privacy Act) - USA
  • UK GDPR (Data Protection Act 2018)
  • SOC 2 Type II (In Progress)
  • Slack Platform Security Standards

7.2 Data Processing Agreements (DPAs)

We have DPAs with all third-party processors:

  • Slack (platform)
  • Google (Gemini API)
  • Stripe (payments)
  • Railway/AWS (hosting)
  • Supabase (database)

DPA available upon request: support@scopecatch.com

7.3 Subprocessors

Full list of subprocessors: scopecatch.com/subprocessors

We notify customers 30 days before adding new subprocessors.

8. Data Retention & Deletion

8.1 Retention Periods

Data Type          Retention Period
Active accounts    While in use
Deleted accounts   30 days, then purged
Backups            90 days
Billing records    7 years (legal requirement)
System logs        90 days

8.2 Deletion Process

User-initiated deletion:

  1. Run /scopecatch delete-data in Slack
  2. Data marked for deletion immediately
  3. Hard delete within 30 days
  4. Backup purge within 90 days

Automatic deletion:

Inactive accounts (no activity for 2+ years) are notified, then deleted after 30 days.

9. Employee Access

9.1 Background Checks

All employees undergo background checks before access to production systems.

9.2 Training

Employees receive:

  • Security awareness training (annually)
  • GDPR/privacy training (annually)
  • Incident response training (quarterly)

9.3 Offboarding

When employees leave:

  • Access revoked within 1 hour
  • Credentials rotated
  • Exit interview conducted

10. Third-Party Security

10.1 Vendor Assessment

Before integrating third-party services:

  • Security questionnaire completed
  • SOC 2 / ISO 27001 certification verified
  • DPA signed
  • Annual re-assessment

10.2 API Security

All third-party API calls:

  • Use API keys (not passwords)
  • Encrypted in transit (TLS 1.3)
  • Rate limited
  • Logged for audit

11. Reporting Security Issues

11.1 Responsible Disclosure

Found a security vulnerability?

📧 Email: support@scopecatch.com

Please include:

  • Description of vulnerability
  • Steps to reproduce
  • Potential impact
  • Your contact info (for follow-up)

We will respond within 24 hours.

12. Questions?

Security concerns or questions?

📧 Email: support@scopecatch.com

Response time: Within 24 hours

© 2026 Scope Catch. All rights reserved.