Security review, self-serve.
Pre-filled SIG Lite, CAIQ Lite, and VRM questionnaires, plus a one-page posture overview. Every answer reflects Scope's actual current build. Items not yet in place are flagged for the post-launch roadmap (target Q3-Q4 2026), not glossed over.
TLS 1.2+ in transit. AES-256 at rest. AES-256-GCM for secrets. API tokens stored as SHA-256 hashes, never plaintext.
Row Level Security on every tenant-scoped table. Cross-tenant reads blocked at the database layer, not just the application.
OAuth 2.0 access tokens scope every request to one tenant. RBAC with five roles, capability-based gating. SSO via SAML 2.0 and OIDC.
Append-only tenant-scoped audit log on every mutation: actor, IP, user agent, before and after state. Exportable as CSV and PDF.
Pre-filled and ready for your review.
One-page posture: architecture, data flow, encryption, access control, hosting, certification status, incident response.
Standardized Information Gathering (Shared Assessments) Lite, pre-filled across the core control families. Roadmap gaps flagged honestly.
Cloud Security Alliance Consensus Assessments Initiative Questionnaire, mapped to CSA Cloud Controls Matrix domains.
Generic VRM questionnaire covering the questions enterprise procurement teams ask outside of SIG or CAIQ.
Read-only audit of tenant isolation: every table, every Row Level Security policy, every administrative database access path classified. No present cross-tenant exposure found. Additional layered hardening planned for the post-launch roadmap.
SOC 2 Type I in progress with Vanta, expected H2 2026. Type II to follow after Type I issuance. HIPAA BAA available on the claims vertical, per vendor at onboarding. The legal vertical does not process PHI. For anything not covered here, email security@scope.bid.