Security is in our DNA
As a security company, we hold ourselves to the highest standards. Here's how we protect your data.
Our approach
We build security into every layer of the Scuto platform — from how we write code to how we store your data. Our EDR/XDR agents, cloud scanners, device management tools, and penetration testing engines all operate under the same rigorous security standards we help our customers achieve.
Our security program is built around defense in depth, zero-trust principles, and the assumption that any individual control can fail. We combine automated tooling, regular third-party audits, and a security-first engineering culture to protect your data across every module.
Data protection
How we handle, store, and safeguard your information.
Encryption Everywhere
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Scan credentials are encrypted with per-organization keys and never stored in plaintext.
Tenant Isolation
Each organization's data is logically isolated at the database level. Scan results, credentials, and configurations are never accessible across tenants.
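As an added illustration (example code, not Scuto's implementation) of how per-organization keys and tenant isolation fit together: a root key-encryption key stands in for a KMS-held key and wraps one data-encryption key per organization; a stored credential is encrypted under that organization's key with the organization and record ids as authenticated data, so the same ciphertext cannot be decrypted under another tenant's key or re-attached to a different record. The key hierarchy, the `TenantKeyring` class and the sample credential are assumptions for illustration; it uses AES-256-GCM from the `cryptography` package.

```python
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Illustrative key hierarchy (an assumption, not Scuto's implementation):
# one root key-encryption key (KEK), which in production would live in a
# KMS or HSM, wraps one data-encryption key (DEK) per organization. Only
# the wrapped DEK is ever stored; plaintext DEKs exist in memory on demand.
ROOT_KEK = AESGCM.generate_key(bit_length=256)  # stand-in for a KMS-held key

NONCE_LEN = 12  # 96-bit GCM nonce


class TenantKeyring:
    """Per-organization envelope encryption for stored scan credentials."""

    def __init__(self, kek: bytes):
        self._kek = AESGCM(kek)
        self._wrapped = {}  # org_id -> nonce || KEK-wrapped DEK

    def create_org_key(self, org_id: str) -> None:
        dek = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(NONCE_LEN)
        # The org id is authenticated data: a wrapped DEK cannot be
        # re-labelled and unwrapped under another organization's id.
        self._wrapped[org_id] = nonce + self._kek.encrypt(nonce, dek, org_id.encode())

    def _dek(self, org_id: str) -> AESGCM:
        blob = self._wrapped[org_id]
        nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
        return AESGCM(self._kek.decrypt(nonce, ct, org_id.encode()))

    def encrypt_credential(self, org_id: str, record_id: str, secret: dict) -> bytes:
        """Return nonce || ciphertext, bound to both the org and the record."""
        nonce = os.urandom(NONCE_LEN)
        aad = f"{org_id}/{record_id}".encode()
        return nonce + self._dek(org_id).encrypt(nonce, json.dumps(secret).encode(), aad)

    def decrypt_credential(self, org_id: str, record_id: str, blob: bytes) -> dict:
        """Raise InvalidTag if the blob was encrypted for another org or record."""
        nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
        aad = f"{org_id}/{record_id}".encode()
        return json.loads(self._dek(org_id).decrypt(nonce, ct, aad))


def demo() -> dict:
    """Round-trip one credential, then show that the same ciphertext is
    rejected under another tenant's key or a different record id."""
    kr = TenantKeyring(ROOT_KEK)
    kr.create_org_key("org-a")
    kr.create_org_key("org-b")
    # Constructed sample credential, not real data.
    secret = {"user": "scanner", "password": "constructed-example-password"}
    blob = kr.encrypt_credential("org-a", "cred-1", secret)
    results = {
        "round_trip": kr.decrypt_credential("org-a", "cred-1", blob) == secret,
        "plaintext_in_blob": b"constructed-example-password" in blob,
    }
    for org, rec in (("org-b", "cred-1"), ("org-a", "cred-2")):
        try:
            kr.decrypt_credential(org, rec, blob)
            results[f"{org}/{rec}"] = "readable"
        except InvalidTag:
            results[f"{org}/{rec}"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Cryptographic binding of this kind complements, rather than replaces, database-level isolation such as row-level policies keyed on the organization id: the policy stops a query from returning another tenant's rows, and the authenticated data stops a row that leaks anyway from being decrypted. Random 96-bit nonces are fine at this scale; a service encrypting very large volumes under one key would rotate the DEK or derive per-message keys to stay clear of GCM nonce-reuse limits.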
Access Controls
Role-based access control with Owner, Admin, and Member roles. All API access requires scoped tokens. Internal access follows least-privilege principles.
Audit Logging
Every action is logged with timestamps, actor identity, and context. Audit logs are immutable and retained for the duration of your subscription.
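One way to make an audit log tamper-evident, shown here as an added example that is not Scuto's code: each entry carries a sequence number, the hash of its predecessor and an HMAC over its own contents, so rewriting or deleting an entry breaks the chain. The example also shows the gap a practitioner should check for: a hash chain alone does not detect silently dropping the newest entries, which is why the current head hash is anchored out of band and checked on verification. The `AuditLog` class, the signing key and the sample events are constructed for illustration.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional, Tuple

GENESIS = "0" * 64  # predecessor hash of the first entry


def _canonical(entry: dict) -> bytes:
    """Stable serialization so the same entry always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log; each entry commits to its predecessor's hash and is
    sealed with an HMAC under a key the application writer does not hold."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self.entries = []

    def _seal(self, body: dict) -> str:
        return hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, context: dict) -> dict:
        body = {
            "seq": len(self.entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "context": context,
            "prev": self.head(),
        }
        body["hash"] = self._seal(body)
        self.entries.append(body)
        return body

    def head(self) -> str:
        """Hash of the latest entry; publish this out of band to anchor the chain."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if intact, else (False, index of the first bad entry).
        Without expected_head, dropping the newest entries is undetectable."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False, i
            if not hmac.compare_digest(self._seal(body), entry["hash"]):
                return False, i
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


def demo() -> dict:
    """Build a short log, then verify it against four tampering scenarios."""
    log = AuditLog(b"constructed-signing-key-not-for-production")
    # Constructed sample events, not real audit data.
    for actor, action, ctx in [
        ("alice@example.com", "scan.start", {"target": "10.0.0.0/24"}),
        ("alice@example.com", "credential.create", {"id": "cred-1"}),
        ("bob@example.com", "member.invite", {"email": "carol@example.com"}),
    ]:
        log.append(actor, action, ctx)
    anchor = log.head()
    results = {"clean": log.verify(anchor)}

    rewritten = copy.deepcopy(log)
    rewritten.entries[1]["actor"] = "mallory@example.com"
    results["rewritten_entry"] = rewritten.verify(anchor)

    dropped = copy.deepcopy(log)
    del dropped.entries[1]
    results["dropped_middle"] = dropped.verify(anchor)

    truncated = copy.deepcopy(log)
    truncated.entries.pop()
    results["truncated_tail_no_anchor"] = truncated.verify()
    results["truncated_tail_with_anchor"] = truncated.verify(anchor)
    return results


if __name__ == "__main__":
    print(demo())
```

In practice the signing key would sit with a separate log service or HSM so that a compromised application host can append but not re-seal, and the head hash would be written somewhere the application cannot alter (a WORM bucket, a ledger, or a periodic external timestamp) so that tail truncation is caught the way the last scenario shows.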
Secure Development
All code changes go through peer review and automated security scanning. We run our own scanners against our platform continuously.
Dependency Management
Automated dependency scanning and updates. Critical-severity CVEs in our dependencies are patched within 24 hours. We maintain an internal SBOM (software bill of materials) for full supply-chain visibility.
Infrastructure security
Enterprise-grade infrastructure with multiple layers of protection.
Cloud Hosting
Hosted on hardened infrastructure from providers that hold SOC 2 Type II reports. Deployed across multiple availability zones for redundancy.
Network Security
VPC isolation, WAF protection, DDoS mitigation, and egress filtering. All internal services communicate over encrypted channels.
Monitoring & Response
24/7 infrastructure monitoring with automated alerting. Anomaly detection on authentication, API usage, and resource access patterns.
Backups & Recovery
Automated daily backups with point-in-time recovery. Disaster recovery plan tested quarterly with documented RTO and RPO targets.
Compliance readiness
Architecture and controls designed to meet leading security frameworks.
SOC 2 Type II
Architecture and controls designed to meet the SOC 2 Trust Services Criteria for security, availability, and confidentiality. Our own SOC 2 Type II audit is in progress.
ISO 27001
Information security management practices aligned with ISO 27001 requirements.
GDPR
Architecture designed for compliance with EU data protection regulation (GDPR). A Data Processing Agreement (DPA) is available on request.
Responsible disclosure
We value the security research community and welcome responsible disclosure of vulnerabilities in our platform. If you believe you've found a security issue, please report it to us.
Email security@scuto.ai with a description of the vulnerability, steps to reproduce, and any supporting evidence. We commit to acknowledging reports within 24 hours and providing an initial assessment within 72 hours.
We will not take legal action against researchers who act in good faith and follow responsible disclosure practices. We ask that you do not access, modify, or delete user data, and that you give us reasonable time to address the issue before public disclosure.
