How Scopebase protects your data
This page describes what Scopebase stores, how uploaded inspection reports are handled, how estimates are secured, and how AI vendors process your data.
SOC 2 status: controls implemented, not yet certified
We have built the security controls described on this page. Scopebase has not undergone a formal SOC 2 Type 1 or Type 2 audit. We do not claim SOC 2 certification.
What Scopebase stores
Estimates and line items: Your saved estimates, line items, MAO scenarios, and related notes are stored in Supabase PostgreSQL and protected by Row Level Security.
Uploaded inspection PDFs: PDFs you upload for parsing are stored temporarily in a private Supabase Storage bucket, then deleted by the retention job. The extracted findings are retained as structured data on your estimate.
Account data: Email, name, subscription status, usage credits, and preferences. Billing is handled by Stripe — we never store card numbers.
Security logs: We log security-relevant events in a hash-chain audit log retained for 90 days.
What Scopebase does NOT store by default
How share links work
Share links are read-only, time-limited, and signed. You can revoke any share link from your estimate's share settings. Revoked links return 404 immediately.
Share links do not expose your account, other estimates, or any billing information.
How AI vendors process your data
Estimate generation sends the property address, description, and inspection findings to Anthropic's Claude API. Anthropic's API usage policy prohibits using API data to train models without explicit consent.
We do not send data to any other AI providers for inference unless listed as a subprocessor.
Implemented security controls
Authentication
- Server-side JWT verification — user IDs are never trusted from client requests
- HttpOnly session-proof cookies prevent client-side session forgery
- Admin routes require authenticated admin role with optional IP allowlisting
- Logout invalidates session via JWT blacklist
Rate Limiting & Abuse Controls
- Multi-dimensional rate limiting: per IP, per user, per session, and burst windows
- Durable limits backed by Redis with Supabase fallback — not in-memory
- Guest estimates limited to 1 per hour per IP
- Spend cap prevents pipeline runaway costs
PDF & File Handling
- Uploaded inspection PDFs are validated: magic bytes, size (10 MB max), page count (250 max)
- Active-content rejection: PDFs with embedded JavaScript, launch actions, or encryption are refused
- SHA-256 checksum recorded per upload
- Inspection PDFs are retained only temporarily, then deleted by the retention job
Audit Trail
- Every security-relevant event is logged: estimates, PDF uploads, admin actions, rate limits, auth events
- Audit log uses hash-chain integrity — records reference the previous entry's hash
- Security alerts forwarded to a webhook for external monitoring
Infrastructure
- All API routes enforce HTTPS — no plaintext connections
- Content Security Policy (CSP) with nonces on every HTML page
- HSTS, COOP, CORP headers enabled
- Outbound API calls restricted to an explicit allowlist — no open egress
- Supabase Row Level Security enabled on all user-owned tables
Data Deletion
- Users can delete individual estimates from the dashboard
- Users can reset personalization memory from Account → Privacy & Data
- Full account deletion can be requested from Account → Privacy & Data
- Deletion requests are processed manually within 30 days
Subprocessors
Third-party services that process your data on our behalf. For DPA requests, contact support@scopebase.org.
| Service | Purpose | Privacy |
|---|---|---|
| Vercel | Application hosting, CDN | Privacy policy ↗ |
| Supabase | Database, authentication, file storage | Privacy policy ↗ |
| Anthropic | AI inference for estimate generation | Privacy policy ↗ |
| Stripe | Payment processing and subscriptions | Privacy policy ↗ |
| Resend | Transactional email | Privacy policy ↗ |
| Upstash Redis | Rate limiting and caching (hashed keys only) | Privacy policy ↗ |
| Rentcast | ARV / comparable sales lookup (ZIP + address) | Privacy policy ↗ |
| PostHog | Product analytics (opt-in, cookie-consent gated) | Privacy policy ↗ |
Data retention
Security and privacy questions
To report a security vulnerability, request data deletion, or ask about our data practices:
support@scopebase.orgWe respond to security reports and data-deletion requests on a best-effort basis.