Security

Security built for the data you cannot afford to lose

We hold the receipts, invoices, sales, and bank records that run your business. This page explains how we protect them — what we implement today, and what we are working toward.

Last updated: April 2026 · Questions? [email protected]

  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Authentication: bcrypt passwords, httpOnly JWT, Google OAuth
  • AI data: never used for model training
  • Payments: PCI DSS Level 1 (Paystack + Stripe)
  • Incident response: 72-hour breach notification target
  • Disclosure: 24-hour ack, 90-day safe harbor

Organizational security

Security is owned by a named individual at ScanLedger rather than spread across the team. Every engineer with production access signs a confidentiality agreement, completes security-awareness training, and undergoes a background check before access is granted.

Access to production systems follows the principle of least privilege, is granted only when needed, revoked when not, and logged continuously. Shared credentials are prohibited; everyone uses their own account with MFA enforced.

Encryption

At rest. All customer data — documents, datasets, inventory records, sales, backups — is encrypted with AES-256. Encryption keys are managed by our cloud provider's key-management service with strict rotation and access policies.

In transit. Every connection uses TLS 1.3 with modern cipher suites and HSTS. HTTP requests are redirected to HTTPS. Certificates are issued by a public CA and auto-renewed.

Sensitive fields. OAuth tokens (e.g. Google Workspace) and webhook secrets are additionally encrypted at the application layer before being written to the database, using per-field keys derived from a master secret held only in runtime configuration.

Authentication & access control

Passwords are hashed with bcrypt (cost factor appropriate to current guidance) and are never logged or emailed. Minimum length is 8 characters; we block common breached passwords.

Sessions use httpOnly, SameSite cookies with short-lived JWTs. Privilege changes bump user.token_version, instantly invalidating every outstanding token. Logout adds the token to a Redis-backed blacklist for immediate revocation.
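The paragraph above describes two independent revocation paths for a short-lived JWT: a token_version claim that a privilege change invalidates in bulk, and a per-token blacklist that logout consults. The following is an added illustration written for this page, not ScanLedger's code: a minimal HS256 JWT issuer and verifier (stdlib only, no PyJWT), an in-memory dictionary standing in for the user table and for the Redis blacklist, and the claim names "tv" and "jti" chosen here as assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment loads this from runtime configuration.
SECRET = b"constructed-demo-signing-secret"
TOKEN_TTL_SECONDS = 900  # short-lived access tokens


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, token_version: int, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT that embeds the user's current token_version as "tv"."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "tv": token_version, "jti": f"{user_id}-{now}",
               "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    signing_input = f"{_b64(json.dumps(header).encode())}.{_b64(json.dumps(payload).encode())}"
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(signature)}"


class Blacklist:
    """Stand-in for the Redis-backed logout blacklist (jti -> token expiry)."""

    def __init__(self) -> None:
        self._entries = {}

    def add(self, jti: str, exp: int) -> None:
        # In Redis this would be a key with TTL (exp - now): the entry may vanish
        # once the token would have expired on its own anyway.
        self._entries[jti] = exp

    def contains(self, jti: str, now: int) -> bool:
        exp = self._entries.get(jti)
        return exp is not None and exp > now


def verify_token(token: str, users: dict, blacklist: Blacklist,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if valid, else None. The signature is checked before any
    claim is read, so an unsigned or re-signed payload is never trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(sig_b64)):
            return None
        header = json.loads(_unb64(header_b64))
        payload = json.loads(_unb64(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":      # refuse "none" and any other algorithm
        return None
    if payload.get("exp", 0) <= now:      # expired tokens are simply invalid
        return None
    user = users.get(payload.get("sub"))
    if user is None or user["token_version"] != payload.get("tv"):
        return None                       # a privilege change bumped token_version
    if blacklist.contains(payload.get("jti", ""), now):
        return None                       # logged out before expiry
    return payload


def logout(token: str, blacklist: Blacklist) -> None:
    """Blacklist this token's jti until the moment it would have expired anyway."""
    payload = json.loads(_unb64(token.split(".")[1]))
    blacklist.add(payload["jti"], payload["exp"])


def bump_token_version(users: dict, user_id: str) -> None:
    """Called on any privilege change: every outstanding token for the user dies."""
    users[user_id]["token_version"] += 1
```

The verifier reads the user's current token_version on every request, which is the cost of instant invalidation; the blacklist only needs to hold a jti for as long as the token would otherwise live, which is why short TTLs keep it small.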

SSO. Google OAuth is supported out of the box. Enterprise deployments can restrict sign-in to a specific Google Workspace domain.

Rate limiting. General endpoints: 100 requests/minute per user. Auth endpoints: 5 requests/minute to prevent credential stuffing. Free-tier scans are capped at 5/day.
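The three limits above (100/minute general, 5/minute on auth endpoints, 5/day free-tier scans) are distinct windows keyed on different things. The following is an added example, not ScanLedger's implementation: a sliding-log limiter that enforces all three, with the assumption that pre-authentication requests are keyed by client IP (the page does not say what auth endpoints are keyed on) and that path prefixes "/auth/" and "/scan" are hypothetical.

```python
from collections import deque
from typing import Deque, Dict, Optional


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key.
    Exact sliding log: per-key timestamps, evicted as they age out."""

    def __init__(self, limit: int, window: int) -> None:
        self.limit = limit
        self.window = window
        self._events: Dict[str, Deque[float]] = {}

    def allow(self, key: str, now: float) -> bool:
        q = self._events.setdefault(key, deque())
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def make_limiters() -> dict:
    """One limiter per policy on the page; in production the logs live in Redis."""
    return {
        "general": SlidingWindowLimiter(100, 60),        # 100 requests/minute per user
        "auth": SlidingWindowLimiter(5, 60),             # 5 requests/minute on auth endpoints
        "free_scans": SlidingWindowLimiter(5, 24 * 3600),  # 5 scans/day on the free tier
    }


def check_request(limiters: dict, *, path: str, client_ip: str, now: float,
                  user_id: Optional[str] = None, tier: str = "paid") -> str:
    """Return "ok" or the name of the limit that rejected the request."""
    if path.startswith("/auth/"):
        # Nobody is authenticated yet, so key on the client address (assumption).
        return "ok" if limiters["auth"].allow(client_ip, now) else "auth"
    if not limiters["general"].allow(user_id or client_ip, now):
        return "general"
    if path == "/scan" and tier == "free" and not limiters["free_scans"].allow(user_id, now):
        return "free_scans"
    return "ok"
```

A request that is rejected should be answered with HTTP 429 and no other work done; the auth limiter in particular must run before any password hashing so that credential stuffing cannot turn into a CPU-exhaustion problem.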

RBAC. Team workspaces support Owner, Admin, Manager, and Staff roles, plus custom fine-grained roles on Enterprise. Every API call is scoped to the caller's workspace and role.

Infrastructure

ScanLedger runs on enterprise-grade managed cloud infrastructure. Compute and databases sit inside a private virtual network; only load balancers and approved ingress points are exposed publicly. Web traffic is fronted by a WAF with rules for OWASP Top 10 threats and basic bot protection.

Databases use managed PostgreSQL with daily automated backups, point-in-time recovery, and geographic redundancy. Redis powers background jobs and token blacklisting and is similarly managed.

All production logs flow into a central, tamper-evident store with alerting on suspicious patterns (authentication anomalies, spike in 5xx errors, unusual egress).

Application security

Every change is reviewed by at least one engineer. The CI pipeline runs type checks, linting, automated tests, and dependency vulnerability scanning before a deployment is allowed. We use well-supported frameworks (FastAPI, Next.js) and follow their security guidance.

Common web vulnerabilities are mitigated by default:

  • CSRF — state-changing endpoints require CSRF tokens plus SameSite cookies.
  • XSS — React auto-escapes output; strict Content-Security-Policy on the frontend.
  • SQL injection — SQLAlchemy parameterized queries throughout.
  • File upload abuse — content-type validation, extension allowlists, size limits (20 MB images, 50 MB uploads).
  • SSRF — outbound requests to user-supplied URLs are blocked from hitting private IP ranges.

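The SSRF bullet above says outbound requests to user-supplied URLs are kept away from private ranges. Doing that correctly means resolving the hostname and checking every resolved address, not just pattern-matching the URL string. The following is an added example, not ScanLedger's code: a validator that checks scheme and host, resolves via a pluggable resolver, and rejects loopback, RFC 1918, link-local (including the cloud metadata range), CGNAT, ULA and IPv4-mapped IPv6 addresses. The FAKE_DNS table and example hostnames are constructed so the block runs offline.

```python
import ipaddress
import socket
from typing import List
from urllib.parse import urlparse

# Ranges a user-supplied URL must never reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_blocked_address(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    # ::ffff:10.0.0.5 must be judged as the embedded IPv4 address 10.0.0.5
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_outbound_url(url: str, resolver=socket.getaddrinfo) -> List[str]:
    """Validate scheme and host, resolve the host, and raise ValueError if any
    resolved address is blocked. Returns the vetted addresses so the caller can
    connect to one of them directly instead of re-resolving, which would reopen
    the check to DNS rebinding between validation and connection."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {host}") from exc
    addresses = sorted({info[4][0] for info in infos})
    for addr in addresses:
        if is_blocked_address(addr):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    return addresses


def is_safe_outbound_url(url: str, resolver=socket.getaddrinfo) -> bool:
    try:
        resolve_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS table so the example runs offline; 203.0.113.0/24 is the
# documentation range, the other entries mimic an internal host and the
# cloud metadata endpoint.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "intranet.example.com": ["10.0.0.5"],
    "metadata.example.com": ["169.254.169.254"],
}


def offline_resolver(host: str, port: int, proto: int = 0) -> list:
    """Same return shape as socket.getaddrinfo, driven by FAKE_DNS."""
    if host in FAKE_DNS:
        addrs = FAKE_DNS[host]
    else:
        try:
            ipaddress.ip_address(host)
            addrs = [host]
        except ValueError:
            raise socket.gaierror(f"constructed resolver: unknown host {host}")
    return [(0, 0, proto, "", (addr, port)) for addr in addrs]
```

Two things the check cannot cover on its own: redirects (the HTTP client must either not follow them or re-run the check on every hop) and the window between resolution and connection, which is why the function hands back addresses to connect to rather than a bare yes/no.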
We perform periodic penetration testing and are scoping a formal bug bounty. See Responsible Disclosure below.

AI-specific safeguards

ScanLedger is an AI product, so we treat AI data handling with the same rigour as any other data-processing activity:

  • Data-processing agreements are in place with every AI provider (OpenAI, Google). Customer content sent for OCR or chat is never used to train or improve their models.
  • Transit-only. Content is sent over TLS for the duration of each request. We do not instruct providers to persist prompts or outputs beyond what is required to serve the request.
  • Human-in-the-loop. Every extracted field carries a confidence score; items below the configured threshold (default 0.85) are flagged for review before they land in a downstream workflow.
  • Prompt-injection resistance. User-supplied content is clearly delimited from system instructions, and downstream actions triggered by AI output are validated against an allowlist before execution.
  • Output validation. AI-generated structured output is parsed against a JSON schema and type-checked before being written to your data.
  • Engine choice. You can pick OpenAI or Gemini as the OCR engine. The choice is set per workspace, which also serves future enterprise customers that want regional isolation.

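Three of the bullets above (the confidence threshold, the action allowlist, and JSON-schema validation of model output) are one pipeline step in practice: parse what the model returned, reject anything that does not match the expected shape, refuse any action not on the allowlist, and flag low-confidence records for a human. The following is an added example, not ScanLedger's code: a small schema checker written here with the stdlib only (the real service would more likely use a library), a constructed receipt schema, a constructed allowlist of action names, and constructed model outputs, including one that smuggles an extra field and one that asks for an action that was never permitted.

```python
import json
from typing import Any, Dict, List

# Constructed: the set of downstream actions AI output may trigger. Anything else,
# however plausibly worded, is dropped before it reaches a workflow.
ALLOWED_ACTIONS = {"create_expense", "create_sale", "flag_for_review"}

# Constructed schema for one extracted receipt.
RECEIPT_SCHEMA: Dict[str, Any] = {
    "type": "object",
    "required": ["vendor", "total", "currency", "confidence", "action"],
    "properties": {
        "vendor": {"type": "string"},
        "total": {"type": "number", "minimum": 0},
        "currency": {"type": "string", "enum": ["NGN", "USD", "CAD", "GBP", "EUR"]},
        "confidence": {"type": "number", "minimum": 0, "maximum": 1},
        "action": {"type": "string"},
    },
    "additionalProperties": False,
}

_TYPES = {"object": dict, "string": str, "number": (int, float), "boolean": bool, "array": list}


def schema_errors(value: Any, schema: Dict[str, Any], path: str = "$") -> List[str]:
    """Minimal JSON-schema subset: type, enum, minimum, maximum, required,
    properties, additionalProperties. Returns a list of human-readable errors."""
    expected = _TYPES[schema["type"]]
    # bool is a subclass of int in Python, so reject True/False where a number is expected
    if (isinstance(value, bool) and schema["type"] != "boolean") or not isinstance(value, expected):
        return [f"{path}: expected {schema['type']}"]
    errors: List[str] = []
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: not one of {schema['enum']}")
    if "minimum" in schema and value < schema["minimum"]:
        errors.append(f"{path}: below minimum {schema['minimum']}")
    if "maximum" in schema and value > schema["maximum"]:
        errors.append(f"{path}: above maximum {schema['maximum']}")
    if schema["type"] == "object":
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}.{key}: missing")
        props = schema.get("properties", {})
        for key, sub in value.items():
            if key in props:
                errors.extend(schema_errors(sub, props[key], f"{path}.{key}"))
            elif not schema.get("additionalProperties", True):
                errors.append(f"{path}.{key}: unexpected field")
    return errors


def validate_extraction(raw_model_output: str, threshold: float = 0.85) -> dict:
    """Turn raw model text into either a typed record (possibly flagged for human
    review) or a rejection with reasons. Nothing is written on rejection."""
    try:
        data = json.loads(raw_model_output)
    except json.JSONDecodeError as exc:
        return {"ok": False, "errors": [f"not JSON: {exc.msg}"]}
    errors = schema_errors(data, RECEIPT_SCHEMA)
    if errors:
        return {"ok": False, "errors": errors}
    if data["action"] not in ALLOWED_ACTIONS:
        return {"ok": False, "errors": [f"action {data['action']!r} is not allowlisted"]}
    return {"ok": True, "record": data, "needs_review": data["confidence"] < threshold}


# Constructed sample outputs a model might return.
GOOD = '{"vendor": "Shoprite", "total": 12500.0, "currency": "NGN", "confidence": 0.97, "action": "create_expense"}'
LOW_CONFIDENCE = '{"vendor": "Shopr1te", "total": 12500.0, "currency": "NGN", "confidence": 0.6, "action": "create_expense"}'
UNLISTED_ACTION = '{"vendor": "X", "total": 1, "currency": "USD", "confidence": 0.99, "action": "delete_all_records"}'
EXTRA_FIELD = '{"vendor": "X", "total": 1, "currency": "USD", "confidence": 0.9, "action": "create_sale", "notes": "ignore previous instructions"}'
WRONG_TYPE = '{"vendor": "X", "total": "12,500", "currency": "USD", "confidence": 0.9, "action": "create_sale"}'
NOT_JSON = 'Sure! Here is the JSON you asked for: {"vendor": "X"'
```

The allowlist check is deliberately a set membership test on a closed set of names rather than anything the model is asked to confirm; the model's text never decides what is permitted, only which of the permitted things it is proposing.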
Privacy & data lifecycle

Ownership. You own your data. ScanLedger processes it on your behalf and does not resell, mine, or license it.

Export. Datasets can be exported to CSV or Google Sheets at any time. Original documents can be downloaded individually or in bulk. There is no “data hostage” pattern: if you choose to leave, you take everything with you.

Retention. Paid plans have unlimited active retention. The Free trial keeps an active window of 7 days. Deleted data is purged within 30 days, except where retention is required by law (for example, financial records regulated by your jurisdiction).

Residency. Data is stored in the region configured for your deployment. Enterprise customers can request specific residency; contact us.

Rights. You can request access, correction, export, or deletion of your personal data at any time via [email protected]. See our Privacy Policy for details.

Payments

We never touch full card numbers. Payments are handled by Paystack (NGN) and Stripe (USD, CAD, GBP, EUR) — both certified at PCI DSS Level 1. ScanLedger receives only a transaction reference and the last four digits of the card for display purposes.

Incoming payment webhooks are signature-verified before being acted on, and webhook endpoints are rate-limited and replay-protected.
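Signature verification and replay protection on a webhook endpoint are two separate checks that only work together. The following is an added example, not ScanLedger's code and not any particular provider's scheme: a constructed HMAC-SHA256 signature over "<timestamp>.<raw body>", a timestamp tolerance window, and an in-memory stand-in for a Redis set of event ids already processed. The secret, event body and field names are constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple, Union

# Constructed shared secret; a real one comes from the payment provider and lives in
# runtime configuration (and, per the page, encrypted at the application layer).
WEBHOOK_SECRET = b"constructed-webhook-secret"
TIMESTAMP_TOLERANCE_SECONDS = 300


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>". Binding the timestamp into the MAC
    means an old signature cannot be reused with a fresh timestamp."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


class ReplayCache:
    """Stand-in for a Redis set with TTL of event ids already processed."""

    def __init__(self, ttl: int) -> None:
        self.ttl = ttl
        self._seen: Dict[str, int] = {}

    def first_sighting(self, event_id: str, now: int) -> bool:
        for key in [k for k, t in self._seen.items() if t <= now - self.ttl]:
            del self._seen[key]
        if event_id in self._seen:
            return False
        self._seen[event_id] = now
        return True


def verify_webhook(body: bytes, timestamp: int, signature: str, secret: bytes,
                   cache: ReplayCache, now: int) -> Tuple[bool, Union[str, dict]]:
    """(True, event) for an authentic, fresh, never-before-seen event; otherwise
    (False, reason). The body is not parsed until the MAC has been checked, and the
    MAC is computed over the raw bytes, never over a re-serialised object."""
    expected = sign_payload(secret, timestamp, body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):  # constant time
        return False, "bad signature"
    if abs(now - timestamp) > TIMESTAMP_TOLERANCE_SECONDS:
        return False, "stale timestamp"
    try:
        event = json.loads(body)
        event_id = event["id"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed event"
    if not cache.first_sighting(event_id, now):
        return False, "replay"
    return True, event


# Constructed event as a provider might deliver it.
SAMPLE_BODY = b'{"id": "evt_001", "type": "charge.success", "amount": 5000}'
```

The replay cache's TTL should be at least twice the timestamp tolerance: any delivery with a timestamp inside the window is then guaranteed to hit either the "stale" check or the "seen" check, so the set never has to grow without bound.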

Incident response

We maintain a documented incident-response plan covering detection, containment, eradication, recovery, and post-incident review. On-call engineers are paged through alert thresholds on availability, error rates, and security signals.

In the event of a confirmed breach involving customer personal data, we aim to notify affected customers within 72 hours of confirming the incident (aligned with GDPR Article 33 guidance), along with what happened, what data was involved, and what actions we and you should take.

Every incident is followed by a written post-mortem published internally and, for significant incidents, summarized publicly on our status channel.

Business continuity

Daily automated backups are stored in a separate region from the primary database and are tested on a rolling schedule. Our target Recovery Point Objective (RPO) is ≤ 24 hours and Recovery Time Objective (RTO) is ≤ 4 hours for a full infrastructure loss scenario; for single-component failures the restoration window is significantly shorter.

Compliance & standards

ScanLedger's controls are designed to align with widely adopted SaaS security frameworks. Current posture and roadmap:

  • GDPR & CCPA — in effect today: DSAR process, export, deletion, and privacy contact.
  • PCI DSS — satisfied via scope reduction; all card data flows through certified processors.
  • SOC 2 Type II — in progress; control framework implemented, formal audit targeted 2026.
  • ISO 27001 — evaluation phase for enterprise customers that require it.
  • HIPAA — not currently supported; do not upload Protected Health Information.

If you need documentation for a vendor-security questionnaire or an NDA before we share details, contact [email protected].

Subprocessors

These third parties process customer data on ScanLedger's behalf under written DPAs. The list is maintained here; material additions are announced 30 days in advance by email to workspace owners.

Provider               | Purpose                                        | Region
OpenAI                 | OCR extraction (GPT-4 Vision) and dataset chat | US
Google (Gemini)        | Alternate OCR engine (Gemini 2.5 Flash)        | US / Global
Paystack               | Payments (NGN)                                 | Nigeria
Stripe                 | Payments (USD / CAD / GBP / EUR)               | US / EU
SendGrid (Twilio)      | Transactional email                            | US
Supabase (optional)    | Object storage for uploaded files              | EU / US per workspace
Cloud provider (IaaS)  | Compute, managed database, managed Redis       | Per deployment

Security features you control

In addition to platform-level protections, you have direct security controls inside your workspace:

  • Role-based access control for every team member.
  • Custom roles with fine-grained permissions (Enterprise).
  • Instant revocation of team-member sessions on role change or removal.
  • Activity log showing every write action with actor and timestamp.
  • Void-request approval workflow for sensitive POS actions.
  • Google OAuth for passwordless sign-in.
  • Workspace isolation when a user belongs to multiple workspaces.

Responsible disclosure

We appreciate researchers who report vulnerabilities privately before disclosing them publicly. If you believe you have found a security issue:

  • Email [email protected] with a proof-of-concept and reproduction steps.
  • We acknowledge receipt within 24 hours.
  • We will keep you informed of our progress and credit you publicly once the issue is resolved (if you want).
  • Please give us 90 days before public disclosure. We operate a good-faith safe-harbor policy: researchers acting in good faith who follow this policy will not be pursued legally or administratively.
  • Do not access, modify, or destroy customer data; do not perform denial-of-service testing against production; and do not social-engineer our staff.

Report a vulnerability

We take security seriously and respond to every report personally.

[email protected]

We acknowledge within 24 hours, patch as quickly as safety allows, and honor responsible disclosure with public credit.