Security
Security Policy
ScopeGrid is engineered for organizations where security, compliance, and data governance are non-negotiable. Here's how we protect your most sensitive business data.
Last updated: january 1, 2026
SOC 2 Type II
Ready Architecture
GDPR
Compliant
ISO 27001
Aligned Controls
HIPAA
Configurable
Data Encryption
- AES-256 encryption for all data at rest
- TLS 1.2+ for all data in transit
- Database-level field encryption for sensitive fields
- Encrypted backup storage with separate key management
Authentication & Access
- Single Sign-On (SSO) via SAML 2.0 and OIDC
- Multi-factor authentication (TOTP, SMS, hardware keys)
- Role-Based Access Control (RBAC) enforced at API level
- Session management with configurable expiry and IP binding
Audit & Monitoring
- Immutable, tamper-evident audit logs for all platform actions
- Real-time security event monitoring and alerting
- User activity dashboards for Organization Administrators
- Log retention for minimum 12 months (Enterprise: configurable)
Infrastructure Security
- SOC 2 Type II certified infrastructure providers
- Multi-region redundancy and automatic failover
- Daily encrypted backups with 30-day point-in-time recovery
- Network segmentation and private VPC architecture
Network & Application Security
- Web Application Firewall (WAF) on all public endpoints
- DDoS protection and rate limiting
- IP allowlisting for organization-wide access control
- Automated vulnerability scanning on every deployment
Incident Response
- 24/7 security operations monitoring
- Defined incident response playbooks
- Customer notification within 72 hours of confirmed breach
- Post-incident reports provided to affected Enterprise customers
Responsible Disclosure Program
We believe in the security research community and operate a responsible disclosure program. If you discover a potential security vulnerability in our platform, we encourage you to report it to us privately so we can address it promptly.
Please report security vulnerabilities to: security@scopegrid.io. Include a detailed description of the vulnerability, steps to reproduce, and any proof-of-concept if available. We will acknowledge receipt within 24 hours and provide a resolution timeline within 72 hours.
Employee Security
All ScopeGrid employees undergo background checks, complete mandatory security awareness training upon hire and annually, operate on a least-privilege access model, are prohibited from accessing customer data except for verified support purposes with customer consent, and are subject to strict confidentiality agreements. We maintain a zero-tolerance policy for unauthorized data access.
