Trust & security
SCRYPEX Trust Center
What the product actually does today — not a roadmap of aspirational certifications. Built for security teams at growth-stage companies, mid-market organizations, and partners.
Compliance status
SCRYPEX is not SOC 2 certified and has not begun a formal SOC 2 audit as of this page. We do not claim ISO 27001, FedRAMP, or other certifications we have not earned. For security questionnaires contact security@scrypex.com.
Data handling & tenant isolation
- Customer workspaces are keyed by `customer_id` across findings, assets, scans, and audit history.
- PostgreSQL row-level security (RLS) restricts reads and writes to tenants you belong to via `auth_user_customer_ids()` (owned workspaces and org memberships).
- Service-role operations (workers, webhooks, scheduled jobs) run outside the browser and are limited to operational tasks — not exposed to end-user sessions.
Encryption
- In transit: Dashboard, APIs, and webhooks use HTTPS/TLS.
- At rest (platform): Primary data stores are hosted on Supabase/PostgreSQL with provider-managed disk encryption.
- Credential findings: Full credential plaintext is encrypted with AES-256-GCM (`CREDENTIAL_ENCRYPTION_KEY`) before persistence; the UI shows masked previews by default.
- Integration secrets: Webhook URLs, Jira tokens, Slack tokens, and similar integration credentials are encrypted before storage in `customer_integration_secrets`.
Credential reveal controls
- Revealing a stored credential requires an explicit confirmation and a written reason.
- Each reveal is logged to the tenant audit trail as `credential.password_revealed` (user, timestamp, IP, finding id).
- Reveal attempts are rate-limited per user and finding.
- If audit logging fails, the reveal path fails closed (no plaintext returned).
Scanning authorization & consent
- Onboarding requires you to confirm authorization to monitor domains you add to your workspace.
- Deep Validation (active template scans) requires per-run consent; each authorization is stored in `scan_consent_records` with user, email, IP, and consent text version.
- Deep scans only queue for domains already in your monitored assets.
Retention & deletion (GDPR)
Findings retention while subscribed follows your plan tier (automatic purge of older findings):
- Free / trial: 7 days
- Starter: 30 days
- Business: 60 days
- Pro: 90 days
- MSSP: 365 days
Account deletion (owner-initiated): access is revoked immediately; hard purge runs after a default 30-day grace window (configurable via `GDPR_PURGE_GRACE_DAYS`). An immutable `gdpr_deletions` audit row records the request and purge outcome.
Authenticated export and deletion endpoints are available from Settings when signed in (Privacy Policy).
Core subprocessors
The table below lists core infrastructure providers that process customer data to operate SCRYPEX. A fuller list including threat-intelligence APIs is maintained separately and will expand after counsel review.
| Provider | Purpose | Data categories | Location |
|---|---|---|---|
| Supabase | Primary database, authentication, and file storage for the SCRYPEX application | Account email, workspace configuration, findings, audit logs, encrypted integration secrets | United States (provider region; confirm in order form) |
| Vercel | Dashboard and API hosting, serverless execution, edge delivery | HTTP request metadata, application logs, environment configuration | United States / global CDN (provider) |
| Railway | Background detection workers and scheduled scan jobs | Worker configuration, operational logs, queued job metadata (tenant-scoped) | United States (provider) |
| Anthropic | AI-assisted finding enrichment and remediation narrative generation | Finding titles, severity, and contextual metadata sent for enrichment (not full credential plaintext) | United States (provider) |
| Resend | Transactional email delivery (alerts, account, and product notifications) | Recipient email addresses, alert subject/body content | United States (provider) |
| Sentry | Application error monitoring and performance diagnostics | Scrubbed stack traces, request paths, release metadata | United States (provider) |
| Stripe | Subscription billing and one-time add-on payments | Billing contact, payment method tokens (handled by Stripe), invoice metadata | United States (provider) |
SCRYPEX queries external threat-intelligence and exposure APIs (configured per deployment) using your monitored domains and IPs. Those providers are not listed here until counsel completes a subprocessor review. No customer portal passwords are sent to intel APIs.
Data Processing Agreement (DPA)
A counsel-approved DPA is available on request — not yet published as a self-serve download. Email security@scrypex.com from your company domain with legal contact details. See also DPA request instructions.