Scopebase
Security & Trust Center

How Scopebase protects your data

This page describes what Scopebase stores, how uploaded inspection reports are handled, how estimates are secured, and how AI vendors process your data.

SOC 2 status: controls implemented, not yet certified

We have built the security controls described on this page. Scopebase has not undergone a formal SOC 2 Type 1 or Type 2 audit. We do not claim SOC 2 certification.

What Scopebase stores

Estimates and line items: Your saved estimates, line items, MAO scenarios, and related notes are stored in Supabase PostgreSQL and protected by Row Level Security.

Uploaded inspection PDFs: PDFs you upload for parsing are stored temporarily in a private Supabase Storage bucket, then deleted by the retention job. The extracted findings are retained as structured data on your estimate.

Account data: Email, name, subscription status, usage credits, and preferences. Billing is handled by Stripe — we never store card numbers.

Security logs: We log security-relevant events in a hash-chain audit log retained for 90 days.

What Scopebase does NOT store by default

Raw PDF content after the configured retention window
Payment card numbers — Stripe tokenizes all cards
Full request bodies in security logs
Raw chain-of-thought from AI model responses
Third-party advertising or tracking cookies (without consent)
Raw IP addresses in permanent logs (hashed where stored)

How share links work

Share links are read-only, time-limited, and signed. You can revoke any share link from your estimate's share settings. Revoked links return 404 immediately.

Share links do not expose your account, other estimates, or any billing information.

How AI vendors process your data

Estimate generation sends the property address, description, and inspection findings to Anthropic's Claude API. Anthropic's API usage policy prohibits using API data to train models without explicit consent.

We do not send data to any other AI providers for inference unless listed as a subprocessor.

Implemented security controls

Authentication

  • Server-side JWT verification — user IDs are never trusted from client requests
  • HttpOnly session-proof cookies prevent client-side session forgery
  • Admin routes require authenticated admin role with optional IP allowlisting
  • Logout invalidates session via JWT blacklist

Rate Limiting & Abuse Controls

  • Multi-dimensional rate limiting: per IP, per user, per session, and burst windows
  • Durable limits backed by Redis with Supabase fallback — not in-memory
  • Guest estimates limited to 1 per hour per IP
  • Spend cap prevents pipeline runaway costs

PDF & File Handling

  • Uploaded inspection PDFs are validated: magic bytes, size (10 MB max), page count (250 max)
  • Active-content rejection: PDFs with embedded JavaScript, launch actions, or encryption are refused
  • SHA-256 checksum recorded per upload
  • Inspection PDFs are retained only temporarily, then deleted by the retention job

Audit Trail

  • Every security-relevant event is logged: estimates, PDF uploads, admin actions, rate limits, auth events
  • Audit log uses hash-chain integrity — records reference the previous entry's hash
  • Security alerts forwarded to a webhook for external monitoring

Infrastructure

  • All API routes enforce HTTPS — no plaintext connections
  • Content Security Policy (CSP) with nonces on every HTML page
  • HSTS, COOP, CORP headers enabled
  • Outbound API calls restricted to an explicit allowlist — no open egress
  • Supabase Row Level Security enabled on all user-owned tables

Data Deletion

  • Users can delete individual estimates from the dashboard
  • Users can reset personalization memory from Account → Privacy & Data
  • Full account deletion can be requested from Account → Privacy & Data
  • Deletion requests are processed manually within 30 days

Subprocessors

Third-party services that process your data on our behalf. For DPA requests, contact support@scopebase.org.

ServicePurposePrivacy
VercelApplication hosting, CDNPrivacy policy ↗
SupabaseDatabase, authentication, file storagePrivacy policy ↗
AnthropicAI inference for estimate generationPrivacy policy ↗
StripePayment processing and subscriptionsPrivacy policy ↗
ResendTransactional emailPrivacy policy ↗
Upstash RedisRate limiting and caching (hashed keys only)Privacy policy ↗
RentcastARV / comparable sales lookup (ZIP + address)Privacy policy ↗
PostHogProduct analytics (opt-in, cookie-consent gated)Privacy policy ↗

Data retention

30 days default
Inspection PDFs — deleted from private storage after the retention window
90 days
Security audit logs — then archived or purged
30 days (guest)
Anonymous guest estimates — expired automatically
Until deleted
Saved estimates — retained until you delete them or request account deletion
2 years
Stripe billing events — legally required for dispute resolution

Security and privacy questions

To report a security vulnerability, request data deletion, or ask about our data practices:

support@scopebase.org

We respond to security reports and data-deletion requests on a best-effort basis.

Security & Trust | Scopebase