Customer data is the asset most small businesses can't afford to lose. Here is what we do to protect yours, written without the marketing fog.
How data moves
- Every connection to ScalePlus runs over TLS 1.2+. We don't accept plain HTTP, and HSTS is preloaded.
- Customer data and member data sit in managed Postgres on Railway, encrypted at rest, with tenant scoping enforced server-side on every query.
- Database backups run on Railway's managed Postgres schedule and are encrypted at rest. Restore drills are practised quarterly.
Who can see what
- Only the owner and team members they invite see the dashboard data for that business. Cross-tenant queries return zero rows by design.
- Platform admins (a small allowlist) can read across tenants for support; every admin action is recorded in an audit log that tracks both the impersonated user and the real admin.
- Xendit, Postmark, Cloudflare, and Railway see only the minimum data they need (see the privacy policy for the breakdown).
Account security
- Sign-in is passwordless. We send a one-time magic link to your email; the link is valid for ten minutes and burns on first click. There is no password to leak, phish, or reuse.
- The cashier station can be PIN-locked. PINs are hashed (Argon2id) and an attacker gets five attempts before a fifteen-minute cool-off.
- Magic links are rate-limited to five per email per hour, and bounce/complaint events are honored automatically (Postmark + Resend webhooks feed a single suppression list).
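
The magic-link rules in the list above (ten-minute validity, single use, five links per email per hour), shown as an added Python example that is not ScalePlus's own code. The class name `MagicLinks`, the in-memory storage, keeping only a SHA-256 digest of each token, and the sliding-window limiter are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque

LINK_TTL = 10 * 60   # page: link is valid for ten minutes
MAX_LINKS = 5        # page: five links per email ...
WINDOW = 60 * 60     # ... per hour


class MagicLinks:
    """Hypothetical issuer; state is held in memory (an assumption of this example)."""

    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable so expiry can be tested
        self._pending = {}                  # sha256(token) -> (email, expires_at)
        self._issued = defaultdict(deque)   # email -> timestamps of recent issues

    @staticmethod
    def _digest(token):
        # Keep only a hash, so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        """Return a fresh token, or None when the email is over its hourly limit."""
        now = self._clock()
        email = email.strip().lower()
        recent = self._issued[email]
        while recent and now - recent[0] >= WINDOW:
            recent.popleft()                # forget issues older than the window
        if len(recent) >= MAX_LINKS:
            return None
        recent.append(now)
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, now + LINK_TTL)
        return token

    def redeem(self, token):
        """Return the email the token signs in, or None. A token works once."""
        # pop() removes the entry before any other check, so a second click,
        # or a click on an expired link, can never succeed later.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        return email if self._clock() < expires_at else None
```

With database-backed storage, the same burn-on-first-click behaviour needs the lookup and the delete to happen in one atomic statement, so two simultaneous clicks cannot both succeed.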
Vulnerability disclosure
If you find a security issue, email security@scaleplusrewards.com with a description and reproduction steps. We acknowledge within 24 hours, fix critical issues within 7 days, and credit researchers in our quarterly disclosure log if requested.
Please don't:
- Test against real customer accounts. Use the demo workspace at dashboard.html with mock data.
- Run automated scanners that generate sustained load.
- Attempt social engineering of staff or other customers.
In return, we won't pursue legal action against good-faith research that respects the rules above.
Compliance
We are working toward SOC 2 Type II (in audit, expected H2 2026). We comply with the Philippines Data Privacy Act of 2012 and applicable provisions of GDPR for our EU users. A signed Data Processing Agreement is available on request for any account on the Growth or Scale tier.
Incident response
If a security incident affects customer data, we notify affected account owners by email and post details on the status page within 72 hours of confirmation.