Security & Privacy

How we protect your business data — infrastructure, encryption, and compliance.

Encryption

  • TLS 1.2/1.3 encryption on all connections (HSTS enabled)
  • Industry-standard password hashing with high cost factor
  • Short-lived authentication tokens with automatic expiry
  • All database connections encrypted in transit
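The two credential items above (password hashing with a high cost factor, short-lived tokens that expire on their own) are techniques, not settings, so here is an added example of how they fit together. It is illustrative code written for this page, not code from the service or from any library it uses; the scrypt parameters, the 15-minute token lifetime, the record format and the token format are all assumptions. Standard library only.

```python
"""Added example (not the service's own code): salted password hashing with a
tunable cost factor, plus short-lived HMAC-signed session tokens that expire
without any server-side state. Standard library only. The scrypt parameters,
the 15-minute TTL, the record layout and the token layout are illustrative
assumptions, not the page's actual settings."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Optional

# Assumed work factor. scrypt uses 128 * N * r bytes of memory, so N=2**14, r=8
# costs 16 MiB per hash; raising N doubles both the CPU and the memory cost.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, parameters, salt, digest.

    Keeping the parameters next to the digest lets the cost factor be raised
    later and old records re-hashed on the user's next successful login."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record; constant-time compare."""
    try:
        alg, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if alg != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:  # malformed record or unusable parameters
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record was made with a weaker work factor than today's."""
    try:
        _, n, r, p, _, _ = stored.split("$")
        return (int(n), int(r), int(p)) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)
    except ValueError:
        return True


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, key: bytes, now: Optional[float] = None,
                ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Mint `body.signature`; the expiry travels inside the signed body."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + ttl,
              "jti": secrets.token_hex(8)}  # jti lets a server-side deny-list revoke early
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64url(sig)


def verify_token(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired.

    The signature is checked before the body is parsed, so unsigned input
    never reaches the JSON parser."""
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".")
        presented = _unb64url(sig_text)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):
        return None
    claims = json.loads(_unb64url(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims
```

Two details worth copying: `verify_password` reads the cost parameters from the stored record rather than from the current constants, so raising the work factor never locks out existing users, and `verify_token` rejects on expiry only after the signature check, so an attacker cannot probe the parser with unsigned data.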

Infrastructure

  • Hosted in EU (Germany) — GDPR-compliant data center
  • Containerized microservice architecture with network isolation
  • Encrypted database with in-memory caching layer
  • Automated daily backups with 30-day retention
  • Enterprise CDN with DDoS protection and Web Application Firewall

Application Security

  • Tested for SQL injection, XSS, CSRF, IDOR and path traversal; all verified
  • Content-Security-Policy (CSP) and Strict-Transport-Security (HSTS) enforced
  • Rate limiting with brute-force protection (auto-lockout after failed attempts)
  • Input validation with schema enforcement on all API endpoints
  • Full security header suite (6 headers active on all responses)
  • Admin routes require database-level role verification
  • Zero information disclosure — no stack traces, no server versions, no technology fingerprints
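The "auto-lockout after failed attempts" item describes an algorithm with several knobs (how many failures, over what window, locked for how long, keyed on what). The following is an added example written for this page, not the service's own limiter; the thresholds and the account-plus-address key are assumptions, and the in-memory store stands in for whatever shared store a multi-replica deployment would use.

```python
"""Added example (not the service's own code): login rate limiting with
automatic lockout after repeated failures. Single-process and in-memory for
clarity; a multi-replica deployment would keep the counters in a shared store
such as Redis so every instance sees the same failure history. Thresholds are
illustrative assumptions, not the page's settings."""
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple

MAX_FAILURES = 5           # failures inside the window that trigger a lockout
WINDOW_SECONDS = 5 * 60    # sliding window over which failures are counted
LOCKOUT_SECONDS = 15 * 60  # how long the key stays locked


class LoginLimiter:
    def __init__(self, max_failures: int = MAX_FAILURES, window: float = WINDOW_SECONDS,
                 lockout: float = LOCKOUT_SECONDS,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock  # injectable so tests can control time
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def _prune(self, key: str, now: float) -> Deque[float]:
        """Drop failures that have aged out of the sliding window."""
        q = self._failures[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        return q

    def check(self, key: str) -> Tuple[bool, int]:
        """Return (allowed, seconds until retry). Expired lockouts clear lazily."""
        now = self.clock()
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return False, int(until - now) or 1
            del self._locked_until[key]
            self._failures.pop(key, None)
        return True, 0

    def record_failure(self, key: str) -> bool:
        """Count a failed attempt; return True if this one triggered a lockout."""
        now = self.clock()
        q = self._prune(key, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(limiter: LoginLimiter, verify: Callable[[str], bool],
                  account: str, client_ip: str, password: str) -> dict:
    """Gate a login through the limiter.

    The key combines account and client address (an assumption of this
    example): keying on the account alone lets anyone lock a victim out by
    sending junk passwords, while keying on the address alone lets one client
    spray guesses across many accounts."""
    key = account.lower() + "|" + client_ip
    allowed, retry_after = limiter.check(key)
    if not allowed:
        return {"status": "locked", "retry_after": retry_after}
    if verify(password):
        limiter.record_success(key)
        return {"status": "ok"}
    if limiter.record_failure(key):
        return {"status": "locked", "retry_after": int(limiter.lockout)}
    return {"status": "invalid"}
```

Note that the correct password is refused while the lockout is active; if it were accepted, an attacker who guessed right on the locking attempt would be let in. The account-plus-address key does not by itself catch guessing spread across many addresses against one account; a second, looser per-account counter is the usual companion.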

Quality Assurance

  • 800+ automated end-to-end tests — 99%+ codebase coverage across 68 testing cycles
  • 100% defect resolution rate — every bug identified during testing corrected before production
  • 245 API endpoints stress-tested with malformed and malicious inputs — zero server crashes
  • 100 simultaneous API calls load-tested — zero failures, average response under 50ms
  • Automated testing combined with human QA testing in parallel — real user behavior patterns validated
  • Payment flow verified end-to-end with real Stripe integration (all subscription plans)
  • GDPR Art. 15 (right of access, served as a data export) and Art. 17 (right to erasure) verified and fully operational
  • Continuous production monitoring via Sentry + UptimeRobot — incidents resolved within 24 hours

Data Access & Privacy

  • Row-level security — users can only access their own data
  • AI processing via EU-compliant providers — your data is never used for training
  • On-premise AI fallback available for sensitive workloads
  • No third-party analytics or tracking pixels
  • Data deletion available on request within 48 hours
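"Row-level security" here and "database-level role verification" under Application Security are the two access-control rules the page commits to. The following is an added example written for this page, not the service's own data layer: it shows the ownership-scoped query beside the IDOR-prone one it replaces, and an admin check that reads the role from the database on every call. The schema, the sample rows and the use of sqlite3 are constructed for the example; the PostgreSQL policy at the end is an assumed deployment shape that pushes the same rule into the database itself, and is not executed here.

```python
"""Added example (not the service's own code): ownership-scoped data access,
the application-layer form of row-level security, next to the IDOR-prone
query it replaces, plus an admin check that reads the role from the database
on every call instead of trusting a client-held claim. Schema and rows are
constructed for the example; sqlite3 is used so it runs anywhere."""
import sqlite3
from typing import List, Optional, Tuple

SCHEMA = """
CREATE TABLE users (
    id    INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE,
    role  TEXT NOT NULL DEFAULT 'user'
);
CREATE TABLE invoices (
    id          INTEGER PRIMARY KEY,
    owner_id    INTEGER NOT NULL REFERENCES users(id),
    total_cents INTEGER NOT NULL
);
"""

# Constructed sample data: two ordinary users and one admin.
USERS = [(1, "alice@example.com", "user"),
         (2, "bob@example.com", "user"),
         (3, "carol@example.com", "admin")]
INVOICES = [(1, 1, 4999), (2, 2, 1250), (3, 2, 800)]

# The same rule as a PostgreSQL row-level-security policy (assumed deployment
# shape, not executed here): the app sets app.user_id once per request and
# the database filters every query on the table, whichever code path runs it.
POSTGRES_POLICY = """
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
CREATE POLICY invoice_owner ON invoices
    USING (owner_id = current_setting('app.user_id')::integer);
"""

Row = Tuple[int, int, int]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", INVOICES)
    return conn


def get_invoice_idor(conn: sqlite3.Connection, invoice_id: int) -> Optional[Row]:
    """Anti-pattern: looks up by the client-supplied id only, so any
    authenticated user can read any invoice by guessing ids."""
    return conn.execute(
        "SELECT id, owner_id, total_cents FROM invoices WHERE id = ?",
        (invoice_id,)).fetchone()


def get_invoice(conn: sqlite3.Connection, current_user_id: int,
                invoice_id: int) -> Optional[Row]:
    """The owner predicate is part of the query, so a foreign id returns no
    row. Answering 'not found' rather than 'forbidden' also avoids confirming
    that the id exists."""
    return conn.execute(
        "SELECT id, owner_id, total_cents FROM invoices "
        "WHERE id = ? AND owner_id = ?",
        (invoice_id, current_user_id)).fetchone()


def list_invoices(conn: sqlite3.Connection, current_user_id: int) -> List[Row]:
    """Every listing is scoped to the caller; there is no unscoped variant."""
    return conn.execute(
        "SELECT id, owner_id, total_cents FROM invoices "
        "WHERE owner_id = ? ORDER BY id",
        (current_user_id,)).fetchall()


def is_admin(conn: sqlite3.Connection, current_user_id: int) -> bool:
    """Role is read from the users table at call time, so a demoted user loses
    access at once and a tampered client-side role claim is irrelevant."""
    row = conn.execute("SELECT role FROM users WHERE id = ?",
                       (current_user_id,)).fetchone()
    return row is not None and row[0] == "admin"
```

The application-layer form depends on every query remembering the owner predicate; the database policy removes that dependency, which is why the two belong together rather than as alternatives.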

Compliance

  • GDPR compliant — data stored exclusively in EU (Germany)
  • Privacy policy and cookie consent implemented
  • Data Processing Agreement (DPA) available for enterprise clients
  • Right to data portability — export your data anytime in standard formats
  • Incident response: personal data breaches notified to the supervisory authority within 72 hours per GDPR Art. 33

Your GDPR Rights

  • Right of access (Art. 15) — request a copy of your data
  • Right to rectification (Art. 16) — correct inaccurate data
  • Right to erasure (Art. 17) — request deletion of your data
  • Right to data portability (Art. 20) — receive your data in machine-readable format
  • Right to object (Art. 21) — object to processing of your data

Live System Status

View real-time service availability, uptime history, and incident reports

status.get-scala.com →

Security Contact

To report a vulnerability or request information about our security practices:

[email protected]

Last updated: June 2026