Security and compliance

Built in France, hosted in the EU, documented to clear IT reviews.

Scope handles strategic information: client briefs, RFPs, estimates, contracts. This page documents, in plain terms, the technical and organisational measures we put in place to protect them.

01 Regulatory compliance

Scope's compliance framework, its progress, and the contractual commitments tied to it.

GDPR (Compliant)

Article 28 DPA available, public subprocessor registry, documented data-subject-rights procedure. The DPO contact is handled by the founder at dpo@getscope.dev.

ISO 27001 (Roadmap)

Scope is not ISO 27001 certified. Current controls are documented in the README and Trust Center; certification is a 2027 target, conditional on commercial maturity.

SOC 2 Type II (Roadmap)

Scope does not have a SOC 2 report today. A controls roadmap exists to prepare a Type 1 audit; no SOC 2 badge is claimed before independent attestation.

HDS / SecNumCloud (Enterprise on demand)

Scope is not HDS or SecNumCloud certified and is not designed to process health data. Dedicated or sovereign deployment would be studied only under Enterprise specification.

02 Hosting and data residency

Durable application data (database, files, audit log) is hosted in the European Union. AI processing currently goes through US-domiciled sub-processors (OpenAI, Anthropic) governed by DPA, EU Standard Contractual Clauses, data_collection=deny and minimization. The full list of sub-processors is available on the dedicated page.

  • Supabase — Dublin (IE)

    Postgres, Auth, Storage, Edge Functions. Region eu-west-1 (Dublin), encrypted backups replicated within the same region.

  • Railway — European Union

    Next.js application hosting on a persistent container in the EU West region. Railway Corp. is US-domiciled; Scope does not persist durable customer content on Railway — application data remains in Supabase EU.

  • Mistral AI — Paris (FR)

    Sovereign OCR for text extraction on PDF and image files uploaded as brief pieces, hosted in Paris (GDPR-native, no-training by default). Activated on accounts where the OCR feature is provisioned.

03 Technical security

Security controls applied by default on every account.

AES-256 encryption at rest

Postgres, object storage and backups are encrypted at rest with AES-256 (keys managed by Supabase, automatic rotation).

TLS 1.3 in transit

TLS 1.3 enforced on all external traffic. HSTS enabled, cookies set with SameSite=Lax and Secure.
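A reviewer verifying these transport claims would look at the actual response headers rather than the page. The following checker is an added example, not Scope's code: it takes a captured list of response headers and reports any gap against the controls stated above (HSTS present, cookies carrying Secure and SameSite=Lax). The one-year minimum for HSTS max-age is a common recommendation assumed here; the page does not state a value, and the sample responses are constructed.

```python
"""Audit an HTTP response's headers against the transport controls
listed above: HSTS present, cookies carrying Secure and SameSite=Lax.
Sample responses below are constructed; nothing here touches the network."""

# Assumed minimum HSTS max-age (one year, a common recommendation;
# the page does not state the value Scope uses).
ONE_YEAR = 31_536_000


def parse_directives(value):
    """Split a ';'-separated header value (HSTS directives or Set-Cookie
    attributes) into a dict keyed by lower-cased name. Flag-only
    directives such as 'Secure' or 'includeSubDomains' map to True."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            out[key.strip().lower()] = val.strip().strip('"')
        else:
            out[part.lower()] = True
    return out


def parse_set_cookie(value):
    """Return (cookie name, attribute dict) for one Set-Cookie header."""
    name_value, _, rest = value.partition(";")
    name = name_value.split("=", 1)[0].strip()
    return name, parse_directives(rest)


def audit_response(headers):
    """headers: list of (name, value) pairs, because Set-Cookie may repeat.
    Returns a list of findings; an empty list means every checked control holds."""
    findings = []

    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        directives = parse_directives(hsts[0])
        raw = directives.get("max-age")
        max_age = int(raw) if isinstance(raw, str) and raw.isdigit() else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")

    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure")
        same_site = attrs.get("samesite")
        if same_site is None or same_site is True:
            findings.append(f"cookie {name}: missing SameSite")
        elif same_site.lower() not in ("lax", "strict"):
            findings.append(f"cookie {name}: SameSite={same_site} is weaker than Lax")
    return findings


# Constructed sample responses: one matching the stated controls, one not.
GOOD = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
WEAK = [
    ("Set-Cookie", "session_id=xyz789; Path=/; SameSite=None"),
]

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("weak", WEAK)):
        print(label, audit_response(hdrs) or "no findings")
```

Headers are kept as a list of pairs rather than a dict because a response commonly sets several cookies, and a dict would silently keep only the last one.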

User MFA available (TOTP)

Multi-factor authentication (TOTP) available for all users through Supabase Auth, enabled from the user settings. Automatic enforcement for administrators on Business and Enterprise plans is being rolled out (Wave D+2).

SSO and SAML

Google Workspace SSO is available through Supabase Auth. SAML and SCIM remain Enterprise commitments that are scoped contractually before activation.

Immutable audit logs

Time-stamped audit trail retained for 90 days (Solo), 12 months (Team and Business, with the detailed view on Business) and 24 months in SIEM-ready form (Enterprise).

IP allowlisting

Source-IP filtering is not enabled by default; it is available only as a dedicated Enterprise requirement after architecture validation.

04 AI and confidentiality

Contractual commitment on what AI subprocessors can do with your data — namely, nothing.

Your data is never used to train the models.

Scope configures OpenRouter calls with the data_collection=deny directive when supported by the provider. Scope's DPA prohibits using customer content to train models; limits and possible transfers are documented in the subprocessor registry.

Restricted AI mode — Enterprise scoping

Disabling or restricting outbound AI calls can be contracted for an Enterprise account. Scope then remains usable for manual editing and exports.

AI providers, by usage and region:

  • Anthropic (via OpenRouter)

    Usage: primary on scoping note generation and person-day estimation (Claude Sonnet 4.6); fallback on extraction and clarification (Claude Haiku 4.5).
    Region: United States · OpenRouter passthrough · data_collection=deny + EU SCCs. EU-resident routing (Bedrock eu-west-3) under validation.

  • Mistral AI

    Usage: OCR of uploaded PDFs and images (text extraction from brief pieces).
    Region: France · Paris · processed in the EU, no Cloud Act.

  • OpenAI (via OpenRouter)

    Usage: primary on extraction and clarification (GPT-4o mini); fallback on scoping note generation and person-day estimation (GPT-4o).
    Region: United States · OpenRouter passthrough · data_collection=deny + EU SCCs.

05 Subprocessors

The exhaustive, always up-to-date list of our subprocessors, with their region and certifications.

06 DPA, terms, legal notices

Contractual documents made available to you.

Data Processing Agreement

Article 28 GDPR addendum with DocuSeal fields, FR and EN versions.

Terms of Service

Master agreement governing use of the Scope service.

Privacy Policy

GDPR compliance, retention periods, data-subject rights.

07 Security / CISO contact

Security questionnaires, audits, vulnerability reports: here is where to write.

How we handle your requests

Scope is a solo project: the founder personally answers security questionnaires, within 5 business days on average. For vulnerabilities, there is a public responsible-disclosure programme: no bounty, but a fast response and a public acknowledgement if you wish.

Write to the security team

CISO question, security questionnaire, planned audit: describe your need and you'll get an answer within 48 business hours.

