Customer data is the asset most small businesses can't afford to lose. Here is what we do to protect yours, written without the marketing fog.
How data moves
- Every connection to Scaleplus runs over TLS 1.2+. We don't accept plain HTTP.
- Inside our network, service-to-service calls use mutual TLS.
- Customer data and member data sit in Postgres on AWS RDS, encrypted at rest with AES-256.
- Backups run hourly, are encrypted, and roll off after 90 days.
Who can see what
- Only the owner and team members they invite see the dashboard data for that business.
- Internally, only on-call engineers can access production; every session requires hardware-key-based SSO and is audit logged.
- Stripe, Postmark, Cloudflare, and AWS see only the minimum data they need (see the privacy policy for the breakdown).
Account security
- Passwords are hashed with Argon2id, never stored in plain text.
- Two-factor authentication is available for any account and required for accounts with billing access.
- Active sessions can be reviewed and revoked from Settings → Security.
- Repeated failed sign-ins trigger a 15-minute lockout.
Vulnerability disclosure
If you find a security issue, email security@scaleplusrewards.com with a description and reproduction steps. We acknowledge within 24 hours, fix critical issues within 7 days, and credit researchers in our quarterly disclosure log if requested.
Please don't:
- Test against real customer accounts. Use the demo workspace at dashboard.html with mock data.
- Run automated scanners that generate sustained load.
- Attempt social engineering of staff or other customers.
In return, we won't pursue legal action against good-faith research that respects the rules above.
Compliance
We are working toward SOC 2 Type II (in audit, expected H2 2026). We comply with the Philippines Data Privacy Act of 2012 and applicable provisions of GDPR for our EU users. A signed Data Processing Agreement is available on request for any account on the Growth or Scale tier.
Incident response
If a security incident affects customer data, we notify affected account owners by email and post details on the status page within 72 hours of confirmation.