Security Practices

Effective Date: November 10, 2025 | Last Updated: November 10, 2025

Data Protection

ScribeosAI implements industry-standard security measures to protect your data:

Encryption

  • All data is encrypted in transit using TLS 1.2+
  • All data at rest is encrypted using AES-256 encryption
  • Authentication credentials are hashed using bcrypt with appropriate salt
  • Encryption keys are managed securely and rotated regularly

Infrastructure Security

  • Hosted on Google Cloud Platform, a SOC 2-compliant infrastructure provider
  • Receives Google's regular security patches and updates
  • Uses Google Cloud's network segmentation and firewall protection
  • Protected by Google Cloud's intrusion detection systems
  • Shielded by Google's DDoS protection
  • Uses Google's vulnerability scanning capabilities

Access Controls

  • Role-based access control (RBAC) for tenant data separation
  • Principle of least privilege for application access
  • Account termination procedures for departing users
  • Access logging for security monitoring

Application Security

  • Security-focused code development
  • Input validation to prevent injection attacks
  • Firebase Authentication for secure user management
  • Rate limiting for login attempts
  • Regular dependency updates and security patches

Third-Party Integrations

QuickBooks Online

  • OAuth 2.0 authentication for secure access
  • Refresh tokens managed securely
  • Credentials never stored in plaintext
  • Minimal scopes requested based on functionality needed
  • No permanent storage of QuickBooks data beyond what's required for functionality
  • Compliance with all Intuit developer security requirements

SendGrid Email Integration

  • Secure API key management
  • Email content encrypted in transit
  • Limited access to email templates and configurations
  • Regular monitoring of email delivery metrics
  • No storage of email content beyond delivery confirmation

Stripe Payment Processing

  • PCI DSS compliance for all payment handling
  • No storage of full credit card details on our servers
  • Tokenized payment method storage
  • TLS 1.2+ for all payment data transmission
  • Regular security scans of payment flows

Data Handling Procedures

Data Collection and Processing

  • Only necessary data is collected
  • Clear audit trails of data access and processing
  • Data is processed according to documented procedures
  • Personal data is identified and handled appropriately

Data Storage

  • Data is segregated by tenant
  • Backups are encrypted and tested regularly
  • Production data is not used in development environments
  • Data retention follows configurable policies

Data Deletion

  • Secure data deletion processes
  • Verification of data removal
  • Hardware decommissioning follows NIST guidelines

Compliance

  • Regular internal security audits
  • Vendor security assessment
  • Employee security training
  • Security practices aligned with industry standards

Incident Response

  • Documented incident response plan
  • Security incident response team
  • 72-hour notification for data breaches
  • Post-incident analysis and remediation
  • Regular testing of incident response procedures

Security Responsibility

While we use commercially reasonable security measures, you acknowledge that no system is completely secure, and you are responsible for maintaining local backups of your critical data. We recommend implementing appropriate security measures within your own organization to protect access to your ScribeosAI account and to verify the accuracy of any data processed through our Services.

Our Security Commitment

ScribeosAI leverages enterprise-grade security infrastructure to protect your data:

  • Our application is built on Google Cloud Platform, benefiting from Google's state-of-the-art security infrastructure
  • We implement Google's recommended security practices for cloud applications
  • All data is protected by the same security technology that Google uses to secure its own global-scale services
  • We utilize Google's enterprise-grade encryption for data in transit and at rest
  • Google's advanced threat detection helps safeguard against emerging security threats
  • We implement Role-Based Access Control (RBAC) to ensure users can only access data appropriate for their role
  • Access to customer data is strictly limited to authorized personnel with secure authentication
  • We perform regular system updates and security patches
  • Our infrastructure automatically scales with built-in protection against denial-of-service attacks
  • We're continuously improving our security posture as we grow

For security inquiries or to report vulnerabilities: security@scribeosai.com