Security & Trust Center

How Scopebase protects your data

This page describes what Scopebase stores, how uploaded inspection reports are handled, how estimates are secured, and how AI vendors process your data. We write this to be honest and specific — not generic compliance boilerplate.

SOC 2 status: controls implemented, not yet certified

We have built the security controls described on this page. Scopebase has not undergone a formal SOC 2 Type 1 or Type 2 audit. We do not claim SOC 2 certification. We will pursue formal certification when enterprise customer demand justifies the cost.

What Scopebase stores

Estimates and line items: Your saved estimates, line items, MAO scenarios, and related notes are stored in Supabase PostgreSQL and protected by Row Level Security. Only you can read your estimates — share links provide a separate read-only token that you control.

Uploaded inspection PDFs: PDFs you upload for parsing are stored temporarily in a private Supabase Storage bucket for the configured PDF retention window (30 days by default), then deleted by the retention job. The extracted findings are retained as structured data on your estimate.

Actual-report uploads: Files you upload as final project reports are stored in a private bucket. Access requires a 60-second signed URL. You can delete these from your estimate record.

Account data: Email, name, subscription status, usage credits, and preferences. Billing is handled by Stripe — we never store card numbers.

Security logs: We log security-relevant events (logins, estimate creation, PDF uploads, admin actions, rate-limit hits) in a hash-chain audit log. Logs are retained for 90 days then archived.

What Scopebase does NOT store by default

  • Raw PDF content after the configured PDF retention window
  • Payment card numbers — Stripe tokenizes all cards
  • Full request bodies in security logs
  • Raw chain-of-thought from AI model responses
  • Third-party advertising or tracking cookies (without consent)
  • Raw IP addresses in permanent logs (hashed where stored)

How share links work

Share links are read-only, time-limited, and signed. The link token is hashed before storage — we cannot reconstruct the raw token from our database. You can revoke any share link from your estimate's share settings. Revoked links return 404 immediately.

Share links do not expose your account, other estimates, or any billing information. They show only the estimate they were created for, and optionally allow the recipient to download a PDF if you enabled that permission.
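The token handling described above (hash at rest, expiry, revocation returning 404), as an added example that is not Scopebase's code. It assumes an in-memory dict standing in for the share-links table, a 256-bit token size, and that a None result is rendered as a 404; the link signing mentioned on the page is not modelled.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

TOKEN_BYTES = 32  # assumed token size: 256 bits of entropy

@dataclass
class ShareLink:
    link_id: str
    estimate_id: str
    expires_at: float
    allow_pdf_download: bool
    revoked: bool = False

# Stand-in for the share_links table, keyed by SHA-256 of the raw token;
# the raw token is never written here, so a database leak yields no usable links.
LINKS: dict = {}

def hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def create_share_link(estimate_id: str, ttl_seconds: int,
                      allow_pdf_download: bool = False,
                      now: Optional[float] = None) -> Tuple[str, str]:
    """Mint a link and return (link_id, raw_token); the raw token is shown once."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    link_id = secrets.token_hex(8)
    LINKS[hash_token(token)] = ShareLink(link_id, estimate_id, now + ttl_seconds,
                                         allow_pdf_download)
    return link_id, token

def revoke_share_link(link_id: str) -> bool:
    """Revoke from the estimate's share settings; the next request gets a 404."""
    for link in LINKS.values():
        if link.link_id == link_id:
            link.revoked = True
            return True
    return False

def resolve_share_link(token: str, now: Optional[float] = None) -> Optional[ShareLink]:
    """Return the link for a presented token, or None (serve 404) if it is
    unknown, expired or revoked; lookup is by hash, no raw token is compared."""
    now = time.time() if now is None else now
    link = LINKS.get(hash_token(token))
    if link is None or link.revoked or now >= link.expires_at:
        return None
    return link
```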

How AI vendors process your data

Estimate generation sends the property address, description, and inspection findings to Anthropic's Claude API. Anthropic's API usage policy prohibits using API data to train models without explicit customer consent.

We do not send data to any other AI providers for inference unless explicitly shown in the subprocessor list below. We do not use your estimate data to train any model on our side.

Implemented security controls

Authentication

  • Server-side JWT verification — user IDs are never trusted from client requests
  • HttpOnly session-proof cookies prevent client-side session forgery
  • Admin routes require authenticated admin role with optional IP allowlisting
  • Logout invalidates session via JWT blacklist

Rate Limiting & Abuse Controls

  • Multi-dimensional rate limiting: per IP, per user, per session, and burst windows
  • Durable limits backed by Redis with Supabase fallback — not in-memory
  • Guest estimates limited to 1 per hour per IP
  • Spend cap prevents pipeline runaway costs

PDF & File Handling

  • Uploaded inspection PDFs are validated: magic bytes, size (10 MB max), page count (250 max)
  • Active-content rejection: PDFs with embedded JavaScript, launch actions, or encryption are refused
  • SHA-256 checksum recorded per upload
  • Inspection PDFs are retained only temporarily for parser support and debugging, then deleted by the retention job
  • Actual-report uploads are stored in a private bucket with 60-second signed access URLs
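The pre-parse checks listed above (magic bytes, 10 MB size cap, 250-page cap, rejection of JavaScript, launch actions and encryption, SHA-256 checksum), as an added example that is not Scopebase's code. It works on raw bytes with regular expressions and a constructed one-page PDF; the page count is an approximation, and a real parser should confirm it before findings are extracted.

```python
import hashlib
import re
from typing import Optional, Tuple

MAX_BYTES = 10 * 1024 * 1024  # 10 MB cap from the page
MAX_PAGES = 250               # page cap from the page

# Name tokens that mark active content or encryption; matched after #xx unescaping.
ACTIVE_NAMES = re.compile(rb"/(JavaScript|JS|Launch|Encrypt)(?![A-Za-z0-9])")
PAGE_OBJECT = re.compile(rb"/Type\s*/Page(?![A-Za-z0-9])")  # excludes /Pages

# Constructed minimal one-page PDF used as the benign sample.
BENIGN_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")

def unescape_names(data: bytes) -> bytes:
    # PDF names may spell characters as #xx (e.g. /J#61vaScript); normalise so a
    # simple token match is not bypassed by escaping.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def validate_pdf(data: bytes) -> Tuple[Optional[str], dict]:
    """Return (rejection_reason or None, metadata). Metadata always carries the
    SHA-256 checksum to record with the upload, and the page count when measured."""
    meta = {"sha256": hashlib.sha256(data).hexdigest(), "pages": None}
    if len(data) > MAX_BYTES:
        return "too large", meta
    if not data.startswith(b"%PDF-"):
        return "not a PDF (magic bytes)", meta
    text = unescape_names(data)
    hit = ACTIVE_NAMES.search(text)
    if hit:
        return "active content or encryption: /" + hit.group(1).decode(), meta
    # Approximate: counts page objects visible in the raw bytes. Objects inside
    # compressed object streams are not visible here, so a real parser should
    # confirm the count (and the absence of active content) before parsing findings.
    meta["pages"] = len(PAGE_OBJECT.findall(text))
    if meta["pages"] > MAX_PAGES:
        return "too many pages", meta
    return None, meta
```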

Audit Trail

  • Every security-relevant event is logged: estimates, PDF uploads, admin actions, rate limits, auth events
  • Audit log uses hash-chain integrity — records reference the previous entry's hash
  • Security alerts forwarded to a webhook for external monitoring
  • Pipeline runs and step-level timing stored for observability
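The hash-chain integrity described above (each record references the previous entry's hash), as an added example that is not Scopebase's code. The event fields, the list standing in for the log table, and the idea of checking the chain against a hash previously exported off-box are assumptions of this example.

```python
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash carried by the first record

# Constructed sample events in the shape this example assumes (the real schema is
# Scopebase's and not shown); the client IP is hashed, not stored raw.
SAMPLE_EVENTS = [
    {"type": "login", "user": "u-42", "ip_hash": hashlib.sha256(b"203.0.113.9").hexdigest()},
    {"type": "pdf_upload", "user": "u-42", "sha256": "f" * 64},
    {"type": "rate_limit_hit", "user": "u-42", "limit": "per_ip"},
]

def record_hash(prev_hash: str, seq: int, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so every verifier computes the
    # same digest; seq is covered so records cannot be swapped without detection.
    payload = json.dumps({"prev": prev_hash, "seq": seq, "event": event},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def append_event(log: List[dict], event: dict) -> dict:
    """Append a record whose hash covers its content and the previous record's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    rec = {"seq": len(log), "event": dict(event), "prev_hash": prev_hash}
    rec["hash"] = record_hash(prev_hash, rec["seq"], event)
    log.append(rec)
    return rec

def verify_chain(log: List[dict], anchor: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first record that
    breaks it. `anchor` is the newest hash previously exported off-box (for example
    alongside the alert webhook); without it, deleting the tail is undetectable,
    because a shorter chain is still self-consistent."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        expected = record_hash(prev_hash, i, rec["event"])
        if rec["prev_hash"] != prev_hash or rec["hash"] != expected:
            return i
        prev_hash = rec["hash"]
    if anchor is not None and prev_hash != anchor:
        return len(log)  # records after the last one are missing (or anchor is stale)
    return None
```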

Infrastructure

  • All API routes enforce HTTPS — no plaintext connections
  • Content Security Policy (CSP) with nonces on every HTML page
  • HSTS, COOP, CORP headers enabled
  • Outbound API calls restricted to an explicit allowlist — no open egress
  • Supabase Row Level Security enabled on all user-owned tables
  • Service-role database key used server-side only — never exposed to clients

Data Deletion

  • Users can delete individual estimates from the dashboard
  • Users can reset personalization memory from Account → Privacy & Data
  • Full account deletion can be requested from Account → Privacy & Data
  • Deletion requests are processed manually within 30 days

Subprocessors

Third-party services that process your data on our behalf. All vendors listed below include a link to their privacy policy. For DPA requests, contact support@scopebase.org.

Service        Purpose                                           Privacy
Vercel         Application hosting, CDN                          Privacy policy ↗
Supabase       Database, authentication, file storage            Privacy policy ↗
Anthropic      AI inference for estimate generation              Privacy policy ↗
Stripe         Payment processing and subscriptions              Privacy policy ↗
Resend         Transactional email                               Privacy policy ↗
Upstash Redis  Rate limiting and caching (hashed keys only)      Privacy policy ↗
Rentcast       ARV / comparable sales lookup (ZIP + address)     Privacy policy ↗
PostHog        Product analytics (opt-in, cookie-consent gated)  Privacy policy ↗

Data retention

  • 30 days (default): Inspection PDFs — deleted from private storage after the retention window
  • 90 days: Security audit logs — then archived or purged
  • 30 days (guest): Anonymous guest estimates — expired automatically
  • Until deleted: Saved estimates — retained until you delete them or request account deletion
  • 30 days: Account deletion requests — processed within 30 days of receipt
  • 2 years: Stripe billing events — legally required for dispute resolution

Backup limitation: Supabase automated backups may retain deleted data until the backup ages out of its retention window. We cannot retroactively purge data from backups already taken.

Security and privacy questions

To report a security vulnerability, request data deletion, ask about our data practices, or request a copy of any DPA:

support@scopebase.org

We respond to security reports within 2 business days and data-deletion requests within 30 days.
