SOC 2 Type II
System Description
Scalr is a cost-effective, drop-in replacement for Terraform Cloud, with feature parity and better GitOps support.
Certifications and Third-Party Assessments
Scalr is SOC 2 Type II certified. Please visit trust.scalr.io to request a copy of the report. We commit to doing at-least-annual penetration testing by reputable third parties. Please visit trust.scalr.io to request an executive summary of the latest report.
Access to Customer Data
A subset of Scalr's Personnel has access to customer data as necessary to support the platform and provide the service. Individual access is granted based on individual role and job responsibilities. Access to systems containing customer data is reviewed on a regular basis and is monitored on an ongoing basis.
Safeguarding of Assets and Information
To safeguard information assets and policy enforcement capabilities available in the Scalr service, the customers' IT governance processes should include end-user training regarding appropriate use and awareness of the need for securing access to their Scalr account credentials. As with most cloud services, access to Scalr requires a login ID and password or integration with a Single-Sign-On (SSO) provider. When an organization subscribes to the Scalr service, it is the customer's responsibility to manage which users should be given access to the service. Customers should also define when access should be removed.
The Scalr service should be considered sensitive and confidential by users of the service. Users should follow information security best practices to ensure that access to their account credentials is appropriately limited, and the information and functionality provided by the Scalr service is protected from unauthorized use. Scalr users are responsible for maintaining the security and confidentiality of their user credentials and are responsible for all activities and uses performed under their account credentials whether authorized by them or not.
Service Termination
The Scalr service can be terminated on the account management page or by contacting Scalr Support.
Password Management
The Scalr service is accessible via the Internet. As a result, great care must be exercised by Scalr users in protecting their subscription against unauthorized access and use of their credentials. By establishing user credentials and accessing the service, users agree to proactively protect the security and confidentiality of their user credentials and never share account credentials, disclose any passwords or user identifications to any unauthorized persons, or permit any unauthorized person to use or access their Scalr accounts.
Any loss of control of passwords or user identifications could result in the loss or disclosure of confidential information. Additionally, when establishing Scalr account credentials, end users are required to establish strong passwords following password strength and complexity best practices; passwords should not be easily guessable.
Reporting Operational Issues
All Scalr services are monitored 24x7 to meet our service commitments. All planned maintenance will be performed in accordance with Scalr's maintenance plan, which is communicated to customers when they sign up for the service. If there is a need to perform emergency maintenance for a vulnerability or bug fix, we will notify customers prior to the work being performed. To get updates in real-time, customers can subscribe to email notifications.
On the occasion that Scalr customers observe performance issues, problems or service outages, they can contact Scalr Support to report such issues.
Incidents and Breaches
By establishing Scalr account credentials or accessing its service, customers agree to notify Scalr immediately of any security incident, including any suspected or confirmed breach of security. Also, users of the service agree to log out or exit the service immediately at the end of each session to provide further protection against unauthorized use and intrusion.
Scalr encourages users to practice responsible disclosure by notifying Scalr of any potential or confirmed security vulnerabilities. Scalr is dedicated to providing secure services to clients, and will triage all security vulnerabilities that are reported. Furthermore, Scalr will prioritize and fix security vulnerabilities in accordance with the risk that they pose.
Compliance Issues
Regulatory requirements and industry mandates are continuously increasing in scope & depth and can vary from industry to industry. Scalr users agree to abide by the regulatory requirements, industry mandates, and other compliance requirements imposed on their organizations and understand that use of cloud-based services does not exclude the organizations from responsibilities for restricting access to application information and functionality.
Privacy Policy
You can view our Privacy Policy here. The Policy in effect at the time you use our website affects how we may use your information. We reserve the right to update or modify the Privacy Policy at any time. If we make material changes we will post the updated policy on our website with an updated Effective Date.
Whistleblower Policy
You can view our Whistleblower Policy at scalr.com/policies/whistleblower. Issues can be reported via contacts listed in the policy.
Vulnerability Disclosure and Reward Program
Scalr maintains a public bug bounty program. Valid and in-scope reports might be eligible for a payment. By submitting a security bug or vulnerability to Scalr, you acknowledge that you have read and agreed to the Program Terms and Conditions set forth below. By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Scalr's prior written approval.
Submit Vulnerability via Email
You are about to submit a report to Scalr via email ( [email protected] ). Detailed and quality reporting is important to Scalr. You must include a working Proof of Concept.
Program Terms and Conditions
Ineligible Vulnerabilities
Scope
Changes to our Privacy Policy
The Privacy Policy in effect at the time you use the Scalr service governs how we may use your information. Scalr reserves the right to update or modify the Privacy Policy at any time. If we make material changes we will post the updated policy on this page with an updated Effective Date.
Changes to our Service Commitments
While rare, we may occasionally change our service terms. This includes, but is not limited to, our commitments regarding security, confidentiality, performance or availability. In the event that we intend to make such changes, we will notify the business contact for the organization at the email address we have within our customer database at least thirty (30) days prior to such changes taking effect.
Contacting Scalr
For general inquiries, please contact us at Scalr Support.