Security and Compliance

Our customers entrust us with their data, and we take this responsibility very seriously. Keeping our customers' data protected at all times is our highest priority. Here is an overview of the security best practices we follow.

Have questions or feedback? Feel free to reach out to us at [email protected]


All of our hosted services run in the cloud. Customers may also wish, upon request, to run our services on-prem or in their cloud environments. We do not host or run our own routers, load balancers, DNS servers, or physical servers. We use Amazon Web Services (AWS) and have no physical infrastructure or physical access to the servers themselves. Our production databases are on Amazon RDS and S3. AWS provides strong security measures to protect our infrastructure and are compliant with most certifications. You can read more about their practices here.

Data encryption

Encryption in transit: All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS). You can see our SSLLabs report here.

Encryption at rest: All of our user data (and backups) is encrypted using AES-256 key encryption.

Data retention and removal

Users may request to have their data deleted at any time by writing to [email protected] Please allow 30 days to process your request.

Business continuity and disaster recovery

We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted

Responsible disclosure

We encourage everyone to practice responsible disclosure and comply with our policies and terms of service.

Please avoid automated testing and only perform security testing with your own data. Please do not disclose any information regarding the vulnerabilities until we fix them.

You can report vulnerabilities by contacting [email protected](mailto:[email protected]). Please include a proof of concept. We will respond as quickly as possible to your submission and won’t take legal actions if you follow the rules.

  • *
Accepted vulnerabilities are the following:
  • Cross-Site Scripting (XSS)
  • Open redirect
  • Cross-site Request Forgery (CSRF)
  • Command/File/URL inclusion
  • Authentication issues
  • Code execution
  • Code or database injections
This program does NOT include:
  • Logout CSRF
  • Account/email enumerations
  • Denial of Service (DoS)
  • Attacks that could harm the reliability/integrity of our business
  • Spam attacks
  • Clickjacking on pages without authentication and/or sensitive state changes
  • Mixed content warnings
  • Lack of DNSSEC
  • Content spoofing / text injection
  • Timing attacks
  • Social engineering
  • Phishing
  • Insecure cookies for non-sensitive cookies or 3rd party cookies
  • Vulnerabilities requiring exceedingly unlikely user interaction
  • Exploits that require physical access to a user's machine

User protection

We provide a 2-factor authentication mechanism to protect our users from account takeover attacks. Setting up this extra security measure is optional but highly recommended to increase the security of sensitive data.

We protect our users against data breaches by monitoring and blocking brute force attacks.

Single sign-on (SSO) is offered for our enterprise customers.

Role-based access control (RBAC) is offered on enterprise accounts.


We offer HIPAA BAA agreements to enterprise companies that need to comply with HIPAA regulations.

Our company is engaging with an independent auditor to receive our SOC 2 Type 2 certification. This certification means that an independent auditor has evaluated our product, infrastructure, and policies, and certifies that we meet or exceed specific levels of controls and processes for the security of user data.

In addition, we have purchased third-party software that continuously monitors our infrastructure and ensures we are in compliance with our stated policies and procedures.

Payment information

All payment instrument processing is safely outsourced to Stripe which is certified as a PCI Level 1 Service Provider. We don’t collect any payment information and are therefore not subject to PCI obligations.

Employee access

All our employees sign a Non-Disclosure and Confidentiality Agreement when joining the company to protect our customers' sensitive information.

Create your first Scribe in seconds