Security Policy

Last updated: November 22, 2025

At SCAFFOLD, security is not an afterthought—it’s built into every layer of our platform. This Security Policy outlines the measures we take to protect your data, maintain system integrity, and ensure a secure development environment.

Security at a Glance

ENCRYPTION

All data encrypted in transit (TLS 1.3) and at rest (AES-256)

MONITORING

24/7 security monitoring with automated threat detection

COMPLIANCE

GDPR, CCPA, SOC 2-aligned practices

INCIDENT RESPONSE

Dedicated security team with <1 hour response time

1. Data Encryption

1.1 In Transit

  • TLS 1.3 enforced for all HTTPS connections
  • HSTS enabled to prevent downgrade attacks
  • Certificate pinning for API communications
  • End-to-end encryption for sensitive operations

1.2 At Rest

  • AES-256 encryption for all database records
  • Encrypted backups with separate keys
  • Secure key management using AWS KMS / equivalent
  • Regular key rotation (quarterly minimum)

2. Authentication & Access Control

2.1 User Authentication

  • Bcrypt password hashing (14 rounds minimum)
  • Password requirements: 8+ characters, complexity enforced
  • OAuth 2.0 support for third-party authentication
  • Session management: HTTP-only, secure cookies
  • Account lockout after 5 failed login attempts

2.2 Authorization

  • Role-based access control (RBAC)
  • Project-level permissions (owner, editor, viewer)
  • API key authentication with scoped permissions
  • Principle of least privilege enforced

2.3 API Security

  • Rate limiting: 60 requests/minute per user
  • API key rotation supported
  • Request signing for sensitive operations
  • CORS policies strictly enforced

3. Infrastructure Security

3.1 Hosting & Network

  • Vercel hosting with global CDN and DDoS protection
  • Supabase database with automatic backups
  • Network isolation for production environments
  • WAF (Web Application Firewall) enabled

3.2 Application Security

  • OWASP Top 10 protection
  • SQL injection prevention (parameterized queries)
  • XSS protection (Content Security Policy)
  • CSRF tokens on all state-changing requests
  • Input validation and sanitization

3.3 Dependency Management

  • Automated vulnerability scanning (Dependabot, Snyk)
  • Regular dependency updates
  • Security patch SLA: Critical patches within 48 hours
  • Supply chain security: Package lock files enforced

4. Data Protection

4.1 Data Backups

  • Automated daily backups of all data
  • Point-in-time recovery (PITR) enabled
  • Geo-redundant storage in multiple regions
  • Backup testing: Monthly restore drills
  • Retention: 30-day backup history

4.2 Data Deletion

  • Soft delete: 30-day recovery window
  • Hard delete: Secure erasure after retention period
  • GDPR compliance: Right to be forgotten honored within 30 days
  • Backup purging: Deleted data removed from backups after 90 days

4.3 Data Minimization

  • Collect only necessary data
  • Anonymize analytics data
  • No third-party data sharing without consent
  • Regular data audits to remove unnecessary data

5. Third-Party Security

We carefully vet all third-party services:

SUPABASE

SOC 2 Type II certified, GDPR compliant

STRIPE

PCI DSS Level 1 certified

AZURE OPENAI

Enterprise deployment, no data retention for training

VERCEL

SOC 2 Type II certified, ISO 27001 compliant

6. Monitoring & Logging

  • Real-time security monitoring with automated alerts
  • Audit logs for all sensitive operations
  • Failed login tracking and anomaly detection
  • Log retention: 90 days for security events
  • Incident response: <1 hour for critical issues

7. Vulnerability Management

7.1 Security Testing

  • Automated security scans on every deployment
  • Manual penetration testing annually
  • Code review for security-sensitive changes
  • Static analysis (SAST) integrated in CI/CD

7.2 Responsible Disclosure

We welcome security researchers to report vulnerabilities:

  • Email: owner@specdriver.dev
  • Response SLA: Initial response within 24 hours
  • Resolution SLA: Critical vulnerabilities patched within 48 hours

8. Incident Response

Our incident response process:

STEP 1: DETECTION

Automated monitoring detects anomalies. Security team notified immediately.

STEP 2: CONTAINMENT

Isolate affected systems. Prevent further damage.

STEP 3: REMEDIATION

Patch vulnerabilities. Restore from clean backups if needed.

STEP 4: NOTIFICATION

Notify affected users within 72 hours (GDPR requirement).

9. User Security Best Practices

How you can protect your account:

  • Use a strong, unique password (password manager recommended)
  • Never share your password with anyone, including SCAFFOLD staff
  • Report suspicious activity immediately to owner@specdriver.dev
  • Review your project permissions regularly
  • Log out from shared devices

10. Security Contact

If you notice anything suspicious or have security concerns, please contact our security team immediately:

RESPONSE TIME

Within 24 hours for security reports

GENERAL SUPPORT

Contact Form