Security

Security is foundational to everything we build at ScrumGPT. Your project data, team information, and personal details are entrusted to us, and we take that responsibility seriously. This page outlines the measures we employ to protect your data.

ScrumGPT is built on enterprise-grade infrastructure designed for security and reliability:

• Cloud Hosting — our services run on Supabase and industry-leading cloud providers with SOC 2 Type II certification.
• Database Security — all data is stored in isolated, encrypted databases with row-level security policies enforced at the database layer.
• Network Security — all traffic is encrypted in transit using TLS 1.2 or higher. Internal services communicate over encrypted private networks.
• Edge Functions — server-side logic runs in isolated edge environments with no shared state between tenants.

We employ multiple layers of encryption:

• In Transit — all data transmitted between your device and our servers is encrypted using TLS 1.2+.
• At Rest — all stored data is encrypted using AES-256 encryption at the storage layer.
• Backups — database backups are encrypted and stored in geographically separate locations.

We implement robust authentication and access controls:

• Secure password hashing using industry-standard algorithms (bcrypt)
• Session tokens with automatic expiration and rotation
• Row-level security (RLS) ensuring users can only access their own data
• Team-based access controls with granular permission levels
• API keys scoped to minimum required permissions

When AI features process your data, we follow strict security practices:

• Only the minimum necessary context is sent to AI providers
• API calls to AI providers use encrypted connections
• AI providers are bound by data processing agreements that prohibit using your data for model training
• Voice data is processed in real-time and not persisted after transcription
• AI-generated content is attributed to the system, not stored as user data

Payment processing is handled entirely by Stripe, a PCI DSS Level 1 certified provider—the highest level of certification in the payments industry. We never store, process, or transmit full credit card numbers on our servers.

We maintain a structured incident response process:

• Automated monitoring and alerting for anomalous activity
• Defined escalation procedures with clear ownership
• Post-incident reviews and public disclosure for material breaches
• Notification to affected users within 72 hours of confirmed data breaches

Security is integrated into our development lifecycle:

• Code reviews required for all changes
• Dependency scanning for known vulnerabilities
• Secrets management with no credentials in source code
• Principle of least privilege applied to all internal systems
• Regular updates and patching of dependencies and infrastructure

Your data is primarily stored in secure data centers. We perform automated daily backups with point-in-time recovery capabilities. Backups are retained for 30 days and are encrypted both in transit and at rest.

We value the security research community. If you discover a vulnerability in our Service, please report it responsibly by contacting us at rdavis@web3domainz.com. We commit to:

• Acknowledging receipt within 48 hours
• Providing regular updates on the resolution
• Not pursuing legal action against good-faith security researchers
• Crediting researchers who help us improve our security (with consent)

For security-related inquiries or concerns, please contact us at rdavis@web3domainz.com.