Security Practices

Effective Date: November 10, 2025 | Last Updated: March 14, 2026

Data Protection

ScribeosAI implements industry-standard security measures to protect your data:

Encryption

  • All data is encrypted in transit using TLS 1.2+
  • All data at rest is encrypted using AES-256 encryption
  • Authentication credentials are securely hashed by Firebase Authentication
  • Encryption keys are managed securely and rotated regularly

Infrastructure Security

  • Hosted on Google Cloud Platform, a SOC 2 Type II certified infrastructure provider
  • All data is processed and stored exclusively in GCP's us-central1 region (Council Bluffs, Iowa, USA) — no offshore storage, no cross-border data transfer
  • Benefits from Google's regular security patches and updates
  • Uses Google Cloud's network segmentation and firewall protection
  • Protected by Google Cloud's intrusion detection systems
  • Shielded by Google's DDoS protection
  • Uses Google's vulnerability scanning capabilities

Access Controls

  • Role-based access control (RBAC) for strict tenant data separation — no customer can access another customer's data
  • Principle of least privilege for all application access
  • Account termination procedures for departing users
  • Access logging for security monitoring

Application Security

  • Security-focused code development practices
  • Input validation to prevent injection attacks
  • Firebase Authentication for secure user management
  • Rate limiting for login attempts
  • Regular dependency updates and security patches
  • Complete audit trails of all document changes and processing operations

QuickBooks Integration

  • OAuth 2.0 authentication for secure access
  • Refresh tokens managed securely
  • Credentials never stored in plaintext
  • Minimal scopes requested based on functionality needed
  • No permanent storage of QuickBooks data beyond what's required for functionality
  • Compliance with all Intuit developer security requirements

Data Handling Procedures

  • Only necessary data is collected
  • Data is strictly segregated by tenant
  • Data is stored on GCP's redundant infrastructure across multiple availability zones
  • For paid subscriptions, documents and processed data are retained without limits while your account is active
  • For free and trial accounts, documents are retained for 90 days
  • You may request deletion of specific documents or your entire account at any time by contacting privacy@scribeosai.com
  • Certain data may be retained as required by applicable law

Compliance

  • SOC 2 Type II (Infrastructure): Google Cloud Platform, our infrastructure provider, maintains SOC 2 Type II certification. All applications built on GCP benefit from this certified infrastructure.
  • GLBA Safeguards Rule: Our administrative, technical, and physical safeguards are consistent with Gramm-Leach-Bliley Act requirements for protecting nonpublic personal financial information.
  • PCI DSS: All payment processing is handled by Stripe, a PCI DSS Level 1 certified provider. ScribeosAI never stores full card details.
  • Intuit Developer Requirements: All QuickBooks integrations comply with Intuit's developer security guidelines including OAuth 2.0, minimal permission scopes, and full audit logging.
  • Regular internal security reviews
  • Vendor security assessments for all third-party integrations

What We Will Never Do

  • Sell or share your client data with third parties for any commercial purpose
  • Use your documents or extracted data to train AI models
  • Store your QuickBooks password under any circumstance
  • Transfer your data outside United States jurisdiction
  • Allow cross-tenant data access — your workspace is completely isolated from all other customers

Incident Response

  • Documented incident response plan with detection, containment, assessment, and notification protocols
  • Post-incident analysis and remediation for security events

For breach notification commitments, see our Terms of Service.

For questions about this Security Policy, please contact us at: security@scribeosai.com | ScribeosAI LLC, Georgia, USA