Security at Scampy

Last updated: 29 April 2026

Travelers trust Scampy with sensitive data: where they are, where they are going, and what they have seen on the road. This page describes the controls we use to protect that data, our infrastructure, and our staff.

1. Certifications and audits

Scampy undergoes an annual SOC 2 Type II audit and aligns its control framework with ISO 27001:2022. Independent penetration tests are run at least twice a year and after any significant architectural change. Audit and penetration test reports are available to enterprise customers under NDA; request them at security@scampy.app.

2. Encryption

  • Data in transit is protected with TLS 1.3 across public networks and with mutual TLS (mTLS) between internal services.
  • Data at rest is encrypted with AES-256, using keys held in a managed KMS and rotated annually.
  • Backups and analytics exports are encrypted with key material separate from the primary data stores.
  • We never store plaintext passwords; passwords are hashed with Argon2id before being stored.

3. Access controls

Production access uses single sign-on with hardware-backed multi-factor authentication, short-lived credentials, and just-in-time role elevation; access grants are reviewed quarterly. All production access is logged to an immutable audit trail.

4. Software supply chain

All deploys flow through code review, automated testing, static analysis (SAST), secret scanning, and signed container builds. Dependencies are tracked in a software bill of materials (SBOM) and patched within severity-based SLAs.

5. Infrastructure

Scampy runs on hardened cloud infrastructure across multiple availability zones, with network segmentation, private subnets, and a web application firewall in front of public endpoints. Edge traffic is filtered for common attack patterns and abusive automation.

6. Monitoring and incident response

We monitor application, infrastructure, and identity logs in real time. A documented incident response plan governs detection, containment, eradication, recovery, and post-incident review. Tabletop exercises are run twice a year. Material incidents are communicated to affected users and regulators within the timelines required by law.

7. Business continuity

Critical systems are deployed across multiple regions with automated failover. Backups are tested quarterly through full restore drills. Our recovery time objective for the alerts pipeline is under one hour.

8. Account safety

For your account, we recommend:

  • Enable two-factor authentication from your account settings.
  • Use a unique, long password stored in a reputable password manager.
  • Review active sessions and connected devices periodically, and sign out any you do not recognise.
  • Treat unexpected password reset emails as suspicious: do not follow their links, and contact us.

9. Responsible disclosure

We welcome reports from security researchers. Email security@scampy.app with a clear description, reproduction steps, and any proof of concept. Our PGP key is referenced from our security.txt at scampy.app/.well-known/security.txt. We commit to acknowledging reports within two business days, providing safe harbour for good-faith research, and crediting researchers on request once a fix has shipped.

10. Contact

Security concerns or questions: security@scampy.app.