the boring stuff, done right.
plain-english version: tls everywhere, encryption at rest, least-privilege internally, and a paper trail. the long version is below.
pre-launch posture.
we're publishing what's in place today. soc 2 type ii is in flight — audit window opens q4 2026. report on request shortly after. for the full retention story, see the privacy policy.
in transit.
every connection to scrub — api, dashboard, marketing site — is tls 1.3 only. older ciphers and protocols are rejected at the edge. hsts is enforced site-wide with includeSubDomains and a one-year max-age.
certificates are auto-rotated. requests that fail tls negotiation never reach the application layer.
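as an added check, not part of scrub's own tooling: a small python script that evaluates a Strict-Transport-Security header against the policy stated above (includeSubDomains present, max-age of at least one year) and flags the usual misconfigurations. the sample headers are constructed, not captured from any host.

```python
"""Check a Strict-Transport-Security header value against the stated policy:
includeSubDomains present and max-age of at least one year (31536000 s)."""
from typing import Dict, List, Optional

ONE_YEAR = 31_536_000  # seconds; the one-year max-age the page commits to


def parse_hsts(header: str) -> Dict[str, str]:
    """Split an HSTS header into a {directive: value} dict (RFC 6797 s6.1).
    Directive names are case-insensitive and max-age may be quoted.
    Returns {} for a malformed header (a directive appearing twice)."""
    directives: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:  # RFC 6797: each directive at most once
            return {}
        directives[name] = value
    return directives


def hsts_findings(header: Optional[str]) -> List[str]:
    """Return policy violations for one header value; [] means compliant."""
    if not header:
        return ["missing Strict-Transport-Security header"]
    d = parse_hsts(header)
    if not d:
        return ["malformed header (duplicate directive)"]
    findings: List[str] = []
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not a non-negative integer")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    return findings


# constructed sample header values (hypothetical, not from a real response)
SAMPLES = {
    "weak": "max-age=300",
    "compliant": "max-age=31536000; includeSubDomains",
    "preload": 'max-age="63072000"; includeSubDomains; preload',
    "dup": "max-age=31536000; max-age=0; includeSubDomains",
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label}: {hsts_findings(hdr) or 'ok'}")
```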
at rest.
all persisted data — account records, hashed keys, opt-in request logs, billing metadata — is encrypted at rest with aes-256-gcm, with keys managed by the cloud kms and rotated on a schedule.
api content is not persisted by default. request-level logging will be opt-in from the dashboard once we ship it. see privacy §04.
principle of least privilege.
- no human reads prod api content. it isn't written to disk by default — so there's nothing to read.
- 2fa is required for every account on every system that touches production (vercel, convex, github, our domain registrar).
- scoped api keys ship with the api: rotate from the dashboard with no downtime.
how we handle secrets.
customer api keys are hashed, not stored in cleartext. internal service credentials are kept in a managed secret store with access logs; they are rotated automatically and never checked into source control.
pre-commit and ci scanners block accidental secret leaks before they reach the repo.
vulnerability management.
- github dependabot is on, with security updates auto-grouped into prs.
- static analysis (codeql) runs in ci on every push.
- we deploy on vercel: no containers we manage, no servers we patch — the runtime sits behind a managed platform.
- critical patches are reviewed and merged same-day where reasonable; high-severity patches within 7 days.
monitoring & response.
platform-level logs (deploys, function invocations, edge events) go to vercel; database access logs go to convex. we monitor both. customer-impacting incidents get a notice emailed to affected accounts within 72 hours of confirmation, and a public writeup once the issue is fully understood.
a dedicated status page comes with the api launch.
dependencies.
we keep the dependency surface small on purpose. lockfiles are committed and verified in ci. model versions are pinned in code so a behavior change requires a deploy.
the full subprocessor list is in privacy §06 — today it's just vercel and convex.
soc 2 status.
we are not soc 2 certified today. the type ii audit window is targeted to open in q4 2026. once it completes, the report will be available under nda.
gdpr / ccpa rights are honored independent of audit status — see privacy §05.
report a vulnerability.
if you think you've found something, please tell us before you tell the internet. we will:
- acknowledge receipt within 6 hours on business days, within 24 hours otherwise.
- share a triage timeline within 72 hours of the first response.
- credit you in our hall of fame on resolution if you'd like.
- not pursue legal action against good-faith research that respects user data and uptime.
send to security@getscrub.dev. encrypted reports welcome — pgp key on request.
contact.
security disclosures · security@getscrub.dev
privacy questions · privacy@getscrub.dev
everything else · hi@getscrub.dev