Security Policy

VISUM
SAS registered at the RCS of Creteil (France) under the n° 898 855 036

This Security Policy describes ScrapIn security program and technical and organizational security controls to protect customer data from unauthorized use, access, disclosure, or theft and safeguard the ScrapIn services. As security threats change, ScrapIn continues to update its security program and strategy to help protect customer data and ScrapIn services. As such, ScrapIn reserves the right to update this Security Overview from time to time; provided, any update will not materially reduce the overall protections stated in this Security Overview.

Security Program

ScrapIn maintains a risk-based security assessment program. The framework for ScrapIn security program includes administrative, organizational, and technical safeguards designed to protect ScrapIn services and confidentiality, integrity, and availability of customer data. ScrapIn security program is intended to be appropriate to the nature of the ScrapIn services and the size and complexity of ScrapIn business operations.

Confidentiality

All ScrapIn employees and contract personnel are bound by contractual agreements and ScrapIn internal policies regarding maintaining the confidentiality of customer data and are contractually obligated to comply with these obligations.

People Security

All ScrapIn employees must complete a security and privacy training which covers ScrapIn security policies, security best practices, and privacy principles. All application passwords must be saved on a password manager. Each service must have its unique password. When available, two-factor authentication (2FA) must be enabled. When available, by using a physical key. Otherwise, by using a 2FA application. SMS 2FA is not allowed.

Third Party Vendor Management

Vendor Assessment

ScrapIn may use third party vendors to provide certain services. ScrapIn carries out a security risk-based assessment of prospective vendors before working with them to validate they meet ScrapIn security requirements.

Vendor Agreements

ScrapIn enters into written agreements with all of its vendors which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for customer data that these vendors may process.

Hosting Architecture and Data Segregation

Google Cloud Platform

The ScrapIn services are hosted on Google Cloud Platform (GCP) in Belgium. customer data stored within GCP is encrypted at all times. GCP does not have access to unencrypted customer data. More information about GCP security is available at https://cloud.google.com/docs/security/overview/whitepaper.

Databases

Databases are not open to the world: any connection from a disallowed IP address will be rejected. Only connections from inside ScrapIn internal network (on Google Cloud or on the Tailscale network) are allowed. When possible, data is pseudonymized. In particular, data related to email verifications. Pseudonymization prevents the data to be exploited in case of a breach. OAuth and refresh tokens are stored encrypted, using the `aes-256-cbc` algorithm. Passwords are stored encrypted, using the `bcrypt` function.

Services

For the ScrapIn services, all network access between production hosts is restricted, using access control lists to allow only authorized roles to interact in the production network. Access control lists are in use to manage network segregation between different security zones in the production and corporate environments. Access control lists are reviewed regularly.

Security by Design

ScrapIn follows security by design principles when it designs the services. This includes, the performance of internal security reviews before deploying new services or code; penetration tests of new services by independent third parties; and regular scans to detect potential security threats and vulnerabilities.

Access Controls

Provisioning Access

To minimize the risk of data exposure, ScrapIn follows the principles of least privilege through a role-based-access-control model when provisioning system access. An employee's access to customer data is promptly removed upon termination of their employment. In order to access the production environment, an authorized user must have a unique username and password and multi-factor authentication enabled. ScrapIn logs high risk actions and changes in the production environment. By default, links holding data (password reset, email change, email validation, etc.) are encrypted using the `aes-256-cbc` algorithm. We leverage automation to detect any deviation from our internal technical standards such as malicious usage.

Password Controls

Users cannot create an account on ScrapIn using a compromised password from the haveibeenpwned.com database.

Logs

The following logs of actions are stored:

  • on Google Cloud Logging, every HTTP request is logged;
  • every user sensitive action is stored in the database;
  • every support agent action is stored in the database.

Vulnerability Management

ScrapIn maintains controls to mitigate the risk of security vulnerabilities by using a third-party tool to conduct vulnerability scans regularly to assess vulnerabilities in ScrapIn infrastructure and systems. Critical software patches are evaluated, tested, and applied proactively.

Customer data Backups

ScrapIn performs the following backups of its data:

  • On-site backups (managed by Google, performed daily), encrypted at rest, through the Advanced Encryption Standard (AES) algorithm (further information can be found at https://cloud.google.com/docs/security/encryption/default-encryption);
  • On-site backups (managed by ScrapIn, performed daily), stored in a Google Cloud Storage bucket (GCS), encrypted at rest via GCS (further information can be found at https://cloud.google.com/docs/security/encryption/default-encryption);
  • Off-site backups (managed by ScrapIn, performed weekly) encrypted through the `age` algorithm.

Last updated: October 18, 2023