Information security and privacy is built into Scribe’s growth, mission and vision. Alongside vulnerability scanning, penetration testing, access control, encryption and data privacy measures, Scribe successfully went through a SOC 2 Type II audit. In fact, we’re one of the few Series A-stage startups to undergo successful audits so early in the life of the company. This audit tested Scribe’s information security programs’ effectiveness of controls upholding the AICPA’s Trust Services Criteria of security.
We are tirelessly committed to protection of your data and your privacy. Scribe’s information security and privacy controls are detailed below.
If you have any additional questions please send us a message using this form https://get.scribehow.com/security/inquiry/
Data protection
Scribe is committed to protecting your privacy. We ensure data protection through several controls. All of this data is encrypted and protected by access control measures and alerting and monitoring systems. Scribe offers SSO integration to ensure users are securely authenticated. Scribe does not sell customer data to any third parties.
All data is encrypted in transit and at rest to ensure protection of your data and privacy.
- Encryption in transit: All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS). You can see our SSLLabs report here.
- Encryption at rest: All of our user data (and backups) is encrypted using AES-256 key encryption.
Employee access to the environment in which customer data is stored is granted on a least permissions basis, highly restricted and monitored.
- Access is granted exclusively for troubleshooting, functionality and security purposes.
- All activity in Scribe’s cloud environment is monitored. Intrusion detection and prevention systems are also in place.
- All our employees sign a Non-Disclosure and Confidentiality Agreement when joining the company to protect our customers' sensitive information.
Alongside Scribe’s infrastructure-based protection measures, we provide users with authentication and SSO integration capabilities.
- We provide a 2-factor authentication mechanism to protect our users from account takeover attacks. Setting up this extra security measure is optional but highly recommended to increase the security of sensitive data.
- We protect our users against data breaches by monitoring and blocking brute force attacks.
- Single sign-on (SSO) is offered for our enterprise customers.
- Role-based access control (RBAC) is offered on enterprise accounts.
All payment instrument processing is safely outsourced to Stripe which is certified as a PCI Level 1 Service Provider.
- Scribe does not collect any payment information and is therefore not subject to PCI obligations. Smart Privacy Screen may be enabled if your users intend to use Scribe for systems that may potentially display PCI data.
Compliance
Scribe has a dedicated internal Security and Compliance Team, has successfully passed a SOC 2 Type II audit, executes HIPAA BAA agreements for Enterprise customers and answers information security questionnaires free of charge.
We offer HIPAA BAA agreements to enterprise companies that need to comply with HIPAA regulations. Scribe’s data privacy and information security measures assist in supporting customer requirements for HIPAA compliance.
Scribe has successfully passed SOC 2 Type II audits. Scribe's SOC 2 Type II report is available upon execution of an NDA. Please contact security@scribehow.comfor Scribe's SOC 2 Type II report.
This certification means that an independent auditor has evaluated our product, infrastructure and policies, and certifies that we meet or exceed specific levels of controls and processes for the security of user data.
In addition, we have purchased third-party software that continuously monitors our infrastructure and ensures we are in compliance with our stated policies and procedures.
Infrastructure
Scribe’s infrastructure is hosted in Amazon Web Services (AWS) in SOC 2 Type II and ISO 27001 compliant data centers. Scribe has backup data center regions to ensure high availability.
All of our hosted services run in the cloud. Our cloud environment is protected by intrusion detection and prevention systems with alerting and monitoring in place. We do not host or run our own routers, load balancers, DNS servers or physical servers. We use Amazon Web Services (AWS) and have no physical infrastructure or physical access to the servers themselves. Our production databases are on Amazon RDS and S3. AWS provides strong security measures to protect our infrastructure and are compliant with most certifications. You can read more about their practices here.
Data retention and removal
Scribe has indefinite data retention by default to allow for compliance with an array of customer retention needs. Data is deleted immediately and securely upon request.
Users may request to have their data deleted at any time by writing to support@scribehow.com. Please allow 30 days to process your request.
Business continuity and disaster recovery
We back up all our critical assets and regularly run backup restores to guarantee fast recovery in case of disaster. All our backups are encrypted for data protection.Scribe has redundant data center zones in place with failover capabilities to ensure availability of services and data. Scribe’s RTO is 8 hours and RPO is 24 hours, providing quick restoration of services in the event of an outage and minimal to no data loss.
Coverage
- *.scribehow.com
Exclusions
- status.scribehow.com
- support.scribehow.com
- blog.scribehow.com
Scribe will accept findings for investigation concerning the below categories of vulnerabilities:
- Cross-Site Scripting (XSS)
- Open redirect
- Cross-site Request Forgery (CSRF)
- Command/File/URL inclusion
- Authentication issues
- Code execution
- Code or database injections
This program does NOT include:
- Logout CSRF
- Account/email enumerations
- Denial of Service (DoS)
- Attacks that could harm the reliability/integrity of our business
- Spam attacks
- Clickjacking on pages without authentication and/or sensitive state changes
- Mixed content warnings
- Lack of DNSSEC
- Content spoofing / text injection
- Timing attacks
- Social engineering
- Phishing
- Insecure cookies for non-sensitive cookies or 3rd party cookies
- Vulnerabilities requiring exceedingly unlikely user interaction
- Exploits that require physical access to a user's machine
Security FAQ
Is Scribe HIPAA compliant?
Scribe can support customer requirements for HIPAA. We are also willing to execute BAAs to support customers with HIPAA-related requirements. Users may redact any sensitive information such as PHI that’s recorded, and if customers upgrade to Enterprise, they can enable Smart Privacy Screen to automatically redact sensitive information. This can be enabled at the administrator level such that employees cannot disable Smart Privacy Screen.
Can I have a copy of Scribe’s SOC 2 report?
If we have an executed Mutual Non-disclosure Agreement in place, yes. We are happy to execute our customers’ MNDAs (just ensure it is actually mutual and not a one way NDA - send to morgan@scribehow.com if you have trouble figuring out if it’s mutual).
Why does Scribe request to read all of my web pages?
In short, for functionality. For Scribe to be able to record processes for users, the application and plugin have to read actions on webpages such as clicks and keystrokes. Scribe only collects user actions when directed by the user to record. No browsing information is sent if the user doesn’t interact with the browser extension. Users may turn off the plugin or application at any time. Please refer to Scribe’s Privacy Policy for more information on what we collect and why we collect it: https://scribehow.com/privacy/
What security measures does Scribe have in place?
- External Information Security Audit: Scribe is SOC 2 Type II audited annually to verify the efficacy of our information security and business continuity controls.
- Environment and Access Control: Scribe's infrastructure is designed so that development, staging and production environments are entirely segregated, and access to each is based on a least permissions policy.
- Encryption: Data is encrypted both in transit and at rest using industry-standard encryption measures (AES 256 and TLS 1.2/1.3 tunnels), and Scribe has enabled additional user-side features to allow for redaction of data at the Pro and Enterprise level.
- IPS/IDS: Scribe has intrusion detection and prevention systems, as well as logging and monitoring, to ensure the security of our environment.
- Data Minimization: Scribe collects only user data that is essential to the functionality of our platform. Data collection is user-activated for purposes of recording digital processes. Scribe collects screenshots and action items such as clicks and keystrokes after the user hits "record." Users may stop a Scribe recording at any time.