In this article, we cover frequently asked questions about Scout's security practices. If you have further questions, please reach out to the Scout Customer Success team for additional information.
Is Scout SOC Compliant?
- Scout RFP is SOC 2 Type II compliant. SOC 2 is the AICPA standard for reporting on controls at service organizations, including software-as-a-service providers. The SOC 2 attestation covers the security and confidentiality trust services criteria.
What Personally Identifiable Information (PII) does Scout store?
- Name and email address are the only required PII. User profile information is only shared with other users within your company or suppliers you invite.
How does Scout protect Personally Identifiable Information (PII)?
- User profile information is encrypted at rest and in transit at all times. Individual account access is protected by user authentication, either via email address and strong password or via single sign-on (SSO). When passwords are used, Scout never stores the original password; only a protected form of it is retained.
Does Scout handle credit card or any other payment data?
- No, Scout does not handle any credit card or payment data.
What is Scout’s delivery architecture?
- Scout is delivered as a “Software as a Service” platform. The core components of our infrastructure are deployed on Amazon Web Services, and our software stack is built on Ruby on Rails. Scout is multi-tenant. Our architecture is designed for resiliency and scalability: each tier of the application runs on multiple hosts spread across multiple availability zones and is connected through an Elastic Load Balancer to ensure high availability.
Where is customer data physically stored?
- All customer data is stored within the USA in Amazon Web Services data centers. More information on AWS physical data storage can be found here. All data stored and transmitted within Scout systems is encrypted both at rest and in transit. The data is logically segregated and located on a production Multi-AZ RDS Postgres instance with continuous incremental backups and daily full backups. The underlying storage of our database and flat-file storage technologies is encrypted using industry-standard AWS KMS encryption. All internal and external data paths are secured using encrypted channels such as HTTPS.
How are data backups stored and secured?
- Database snapshots are taken daily, stored for 35 days, and support point-in-time recovery. All database snapshots are encrypted. Object storage (AWS S3) provides 99.9999999999% durability, and all files are encrypted using the AES-256 encryption algorithm.
How does Scout limit physical access to its facilities?
- All of Scout’s compute and storage resources are managed virtually through Amazon Web Services. These data centers operate under the AWS Shared Responsibility Model (https://aws.amazon.com/compliance/shared-responsibility-model/), under which AWS maintains responsibility for physical access to all underlying hardware and facilities.
How does Scout secure data in transit?
- All internal and external data paths are secured using encrypted channels such as HTTPS (SSL/TLS). The Scout application is only accessible to clients and vendors via HTTPS using TLS 1.2.
How does Scout secure data at rest?
- All data and data backups within Scout systems are encrypted at rest. The underlying storage of our database and flat-file storage technologies is encrypted using industry-standard AWS KMS encryption.
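The storage, backup and at-rest claims above (Multi-AZ RDS Postgres, KMS-encrypted storage, 35-day snapshot retention, AES-256 on S3) map directly onto fields that AWS reports for an account's own resources. The following is an added example, not Scout's code: it encodes those claims as checks over the dictionaries returned by boto3's describe_db_instances and get_bucket_encryption, run here on constructed sample data so it works offline.

```python
"""Encode the FAQ's storage claims as checks over AWS describe-style output."""
from typing import Any, Dict, List

# Claims taken from the FAQ: Multi-AZ RDS Postgres, KMS-encrypted storage,
# 35-day snapshot retention (the RDS automated-backup maximum), AES-256 on S3.
REQUIRED_RETENTION_DAYS = 35
ACCEPTED_S3_SSE = ("AES256", "aws:kms")


def check_rds_instance(db: Dict[str, Any]) -> List[str]:
    """Findings for one entry of describe_db_instances()['DBInstances']."""
    findings: List[str] = []
    if db.get("Engine") != "postgres":
        findings.append("engine is not postgres")
    if not db.get("MultiAZ"):
        findings.append("instance is not Multi-AZ")
    if not db.get("StorageEncrypted"):
        # Automated snapshots inherit the instance's encryption setting,
        # so an unencrypted instance also means unencrypted backups.
        findings.append("storage is not encrypted")
    elif not db.get("KmsKeyId"):
        findings.append("encrypted but no KMS key reported")
    retention = db.get("BackupRetentionPeriod", 0)
    if retention < REQUIRED_RETENTION_DAYS:
        findings.append(f"backup retention {retention}d < {REQUIRED_RETENTION_DAYS}d")
    return findings


def check_bucket_encryption(cfg: Dict[str, Any]) -> List[str]:
    """Findings for get_bucket_encryption()['ServerSideEncryptionConfiguration'].

    Note: a bucket with no default encryption makes boto3 raise
    ServerSideEncryptionConfigurationNotFoundError; treat that as a finding too.
    """
    rules = cfg.get("Rules", [])
    if not rules:
        return ["no default encryption rule"]
    findings: List[str] = []
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo not in ACCEPTED_S3_SSE:
            findings.append(f"unexpected SSE algorithm: {algo}")
    return findings


# Constructed sample data (not from any real account); key ARN is a placeholder.
GOOD_RDS = {"Engine": "postgres", "MultiAZ": True, "StorageEncrypted": True,
            "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
            "BackupRetentionPeriod": 35}
WEAK_RDS = {"Engine": "postgres", "MultiAZ": False, "StorageEncrypted": False,
            "BackupRetentionPeriod": 7}
GOOD_BUCKET = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
```

The same two functions accept live boto3 output unchanged, so they can be looped over every instance and bucket in an account to confirm the controls described above are actually in place.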
Does Scout perform vulnerability scans?
- Scout performs automated, periodic vulnerability scans on our systems using third-party tools, and addresses any critical issues identified.
Does Scout perform penetration tests?
- Yes. Scout engages a third-party security company for annual penetration tests.
Where can I find Scout’s Privacy Policy?
- Scout’s latest Privacy Policy can be found at https://www.scoutrfp.com/privacy/
Does Scout have a Security Policy and an Incident Response Plan?
- Yes. Both are available upon request.
Does Scout have a Disaster Recovery Plan, and how often are DR procedures tested?
- Yes. The plan is available upon request.
- DR procedures are tested annually.
What outsourced or subcontracted services are critical to Scout’s operations?
- The majority of our systems run on cloud infrastructure provided by Amazon Web Services. SSAE16 SOC 2 reports are available for our major vendors with a signed non-disclosure agreement in place.
Does Scout require its third-party contractors to contractually meet security obligations?
- Yes. Security compliance is written into Scout’s standard contracts with third-party providers.
Is Scout a participant in the Privacy Shield framework between the US Department of Commerce and the European Union?
- Yes. More information is available in our Privacy Policy found at https://www.scoutrfp.com/privacy/
- If you would like to enter into Standard Contractual Clauses covering your customer data, please click here to execute a pre-signed copy of the SCCs. If you would like to obtain a review copy of the amendment, please submit a support request.
Is Scout GDPR compliant?
- Yes, Scout meets the compliance obligations of GDPR.
Does Scout support Single Sign On (SSO)?
- Scout supports SAML 2.0, ADFS, and several other SSO protocols via our third-party authentication service, Amazon Cognito. Please contact us to discuss your SSO needs.