ScoutChecker

Security

Last updated: 2026-05-07

ScoutChecker handles sensitive design data, so we publish the security controls we operate today and the ones on our roadmap. This page exists for transparency.

1. Transport Encryption

  • HTTPS-only: all traffic uses TLS 1.2 or higher. Plain HTTP is automatically 301-redirected to HTTPS.
  • HSTS: the header "Strict-Transport-Security: max-age=31536000; includeSubDomains" is set on every response, instructing browsers to use HTTPS exclusively.
  • Certificate: ECDSA certificates issued by Let's Encrypt with automated renewal.

2. Data Storage

  • Location: AWS EC2 in the Asia-Pacific (Tokyo) region (Japan).
  • Tenant isolation: every resource (project, file, run) is logically partitioned per account, and cross-account read access is prevented at the application layer.
  • Passwords: hashed with bcrypt (cost factor 12). Plain-text passwords are never stored or transmitted.
  • At-rest encryption: filesystem-level encryption is not yet implemented. We plan to migrate to encrypted EBS volumes and add per-tenant encryption for high-sensitivity data.

3. Access Control

  • Authentication: email + password. Sessions are server-side, with CSRF tokens enforced on every form.
  • Session cookies: HttpOnly, Secure, and SameSite=Lax attributes are set. Cookies are not readable from JavaScript.
  • Authorization: every request to a project, file, or analysis result is checked against the resource owner via Laravel Policies.
  • Security headers: X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, Referrer-Policy: no-referrer-when-downgrade.
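
The HSTS value in section 1 and the cookie attributes and security headers in section 3 can be checked from outside against a saved response. The sketch below is an added example, not ScoutChecker's own code; the session cookie name scoutchecker_session, the second cookie, and both sample responses are constructed for illustration.

```python
from email import message_from_string

# Values published in sections 1 and 3 of this page.
EXPECTED = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "no-referrer-when-downgrade",
}
HSTS_MIN_AGE = 31536000
COOKIE_ATTRS = {"httponly", "secure", "samesite=lax"}

def audit(raw_response, session_cookie="scoutchecker_session"):  # cookie name is assumed
    """Return deviations from the published header and session-cookie policy."""
    _, _, header_block = raw_response.replace("\r\n", "\n").partition("\n")
    msg = message_from_string(header_block)
    findings = []
    # HSTS directives are ';'-separated and case-insensitive.
    hsts = [d.strip().lower() for d in (msg.get("Strict-Transport-Security") or "").split(";")]
    ages = [d.split("=", 1)[1].strip('"') for d in hsts if d.startswith("max-age=")]
    if not ages or not ages[0].isdigit() or int(ages[0]) < HSTS_MIN_AGE:
        findings.append("HSTS max-age missing or below 31536000")
    if "includesubdomains" not in hsts:
        findings.append("HSTS includeSubDomains missing")
    for name, want in EXPECTED.items():
        got = (msg.get(name) or "").strip()
        if got.lower() != want.lower():
            findings.append(f"{name}: expected {want!r}, got {got!r}")
    # Only the session cookie is checked; other cookies are outside the stated policy.
    for cookie in msg.get_all("Set-Cookie") or []:
        parts = [p.strip() for p in cookie.split(";")]
        if parts[0].split("=", 1)[0] != session_cookie:
            continue
        missing = COOKIE_ATTRS - {p.lower() for p in parts[1:]}
        if missing:
            findings.append(f"{session_cookie}: missing {sorted(missing)}")
    return findings

# Constructed sample responses (not captured from the live service).
COMMON = ["X-Content-Type-Options: nosniff", "Referrer-Policy: no-referrer-when-downgrade"]
GOOD = "\r\n".join(["HTTP/1.1 200 OK", *COMMON,
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "X-Frame-Options: SAMEORIGIN",
    "Set-Cookie: scoutchecker_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "Set-Cookie: ui_pref=dark; Path=/", "", ""])
BAD = "\r\n".join(["HTTP/1.1 200 OK", *COMMON,
    "Strict-Transport-Security: max-age=86400",
    "Set-Cookie: scoutchecker_session=abc123; Path=/; HttpOnly; SameSite=Lax", "", ""])

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(sample) or "matches published policy")
```
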

4. Analysis Isolation

  • The analysis engine runs entirely on servers under our control. User design data is never transmitted to any external AI cloud or third-party API.
  • Analysis runs are queued and executed asynchronously. Concurrent analyses run in isolated processes and data spaces.

5. Data Deletion

  • Immediate deletion: deleting a project or account removes all related data (DB rows + storage objects) immediately.
  • Backup propagation: deletions reach backup copies within 30 days.
  • Cascade: account deletion removes all projects, libraries, design rule sets, and usage logs owned by the user.

6. Logging and Audit

  • HTTP access logs and error logs are retained for 30 days.
  • Feature usage logs (analysis runs, file uploads, etc.) are retained for service-improvement purposes, in aggregate form without personally identifiable content.
  • Per-user audit logs (login, password change, deletion) visible to the user themselves are planned but not yet implemented.

7. Availability and SLA

The Service is currently free, so no contractual SLA is offered. Operational targets are:

  • Uptime target: 99.5% (≈ 44 hours of downtime allowed per year)
  • Planned maintenance: typically late nights on weekends, with in-product notice.
  • Outage notification: email notification for outages exceeding 30 minutes (planned, not yet automated).

Paid plans, when introduced, will carry a contractual SLA defined in the agreement.

8. Vulnerability Response

  • We continuously apply security updates to Laravel and its key dependencies.
  • Vulnerability reports from third parties are accepted at security@scoutlabo.com. We acknowledge good-faith reports and patch promptly.

9. Compliance Roadmap

We do not currently hold formal security certifications (SOC 2, ISO 27001, etc.). As enterprise engagements mature, we plan to obtain:

  • SOC 2 Type II (medium term)
  • ISO/IEC 27001 (medium term)
  • Self-hosted (VPC / on-premises) deployment for individual contracts

10. Contact

This page is updated as the implementation evolves.