Our Commitment to Security
At ScrumEye, security is not an afterthought—it's built into everything we do. We understand that you're trusting us with sensitive information about your offshore teams and projects. We take that responsibility seriously.
This page outlines our security practices, infrastructure, and compliance standards to help you understand how we protect your data.
Security Features
Data Encryption
All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
Zero Code Access
We never access or store your actual source code—only metadata like commit messages and timestamps.
Access Controls
Role-based access controls ensure team members only see what they need to see.
Regular Audits
Third-party security audits and penetration testing performed quarterly.
Secure Infrastructure
Hosted on enterprise-grade cloud infrastructure with 99.9% uptime SLA.
Incident Response
24/7 monitoring with documented incident response procedures.
Data Encryption
Encryption in Transit
All data transmitted between your browser and our servers is encrypted using Transport Layer Security (TLS 1.3), the latest version of the TLS protocol.
Encryption at Rest
All sensitive data stored in our databases and file systems is encrypted using AES-256 encryption, the same standard used by banks and government agencies.
Key Management
Encryption keys are managed using industry-standard key management services with regular rotation and strict access controls.
Infrastructure Security
Cloud Hosting
ScrumEye is hosted on Amazon Web Services (AWS), a SOC 2 Type II certified cloud infrastructure provider. Our infrastructure benefits from AWS's comprehensive security controls and compliance certifications.
Network Security
- Web Application Firewall (WAF) to protect against common attacks
- DDoS protection to ensure service availability
- Virtual Private Cloud (VPC) isolation for network segmentation
- Intrusion detection and prevention systems
Database Security
- Encrypted database connections
- Automated backups with encryption
- Multi-region replication for disaster recovery
- Regular security patches and updates
Application Security
- Secure coding practices following OWASP guidelines
- Regular dependency updates and vulnerability scanning
- Input validation and sanitization
- Protection against SQL injection, XSS, and CSRF attacks
Access Controls
Authentication
- Secure password requirements with minimum complexity standards
- Session management with automatic timeout
Authorization
- Role-based access control (RBAC) system
- Principle of least privilege for all user roles
- Granular permissions for different features and data
- Audit logging of all access attempts
Employee Access
Internal access to customer data is strictly controlled and monitored:
- Limited number of authorized personnel
- Access only granted for legitimate support purposes
- All access logged and regularly reviewed
- Background checks for all employees with data access
Monitoring and Incident Response
24/7 Monitoring
Our systems are monitored around the clock for security threats, performance issues, and anomalous behavior. Automated alerts notify our security team of potential issues in real time.
Incident Response Plan
We maintain a documented incident response plan that includes:
- Clear procedures for detecting and responding to security incidents
- Defined roles and responsibilities for the incident response team
- Communication protocols for notifying affected customers
- Post-incident review and remediation procedures
Vulnerability Management
- Regular vulnerability scanning and penetration testing
- Prompt patching of identified vulnerabilities
- Third-party security audits performed quarterly
Compliance
Data Protection Regulations
ScrumEye is compliant with major data protection regulations:
- GDPR: General Data Protection Regulation (EU)
- CCPA: California Consumer Privacy Act
- SOC 2 Type II: In progress (expected Q2 2025)
Industry Standards
We follow industry best practices and standards:
- OWASP Top 10 security guidelines
- CIS (Center for Internet Security) benchmarks
- NIST Cybersecurity Framework
- ISO/IEC 27001 information security standards
Data Privacy
Data Minimization
We only collect and store data necessary to provide our services. We never access your actual source code—only metadata like commit messages, timestamps, and activity metrics.
Data Retention
We retain your data only as long as necessary to provide services or comply with legal obligations. When you delete your account, we permanently delete your data within 30 days.
Data Location
Your data is stored in secure data centers in the United States. For enterprise customers, we can accommodate specific data residency requirements.
Data Portability
You can export your data at any time through our dashboard. We provide data in standard formats (JSON, CSV) for easy migration to other services.
Third-Party Integrations
ScrumEye integrates with third-party services like JIRA, GitHub, and Slack. These integrations use OAuth 2.0 for secure authentication and follow the principle of least privilege—we only request the minimum permissions necessary.
We do not store your credentials for these services. Instead, we use secure tokens that can be revoked at any time. All third-party integrations are reviewed for security compliance.
For a list of our current integrations and their security practices, please see our Features page.
Business Continuity
Backup and Recovery
- Automated daily backups with encryption
- Multi-region backup replication
- Regular backup restoration testing
- Point-in-time recovery capabilities
Disaster Recovery
We maintain a comprehensive disaster recovery plan with:
- Recovery Time Objective (RTO) of 4 hours
- Recovery Point Objective (RPO) of 1 hour
- Failover capabilities to alternative data centers
- Regular disaster recovery drills
Security Best Practices for Users
While we implement strong security measures, you also play a crucial role in keeping your account secure:
- Use strong, unique passwords for your ScrumEye account
- Don't share your login credentials with others
- Review and audit user access regularly
- Report any suspicious activity immediately
- Keep your browser and devices updated
- Be cautious of phishing attempts
Reporting Security Issues
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly:
Security Email: contact@scrumeye.com
Response Time: We aim to respond within 24 hours
Disclosure: We request 90 days to address issues before public disclosure
We appreciate responsible disclosure and will acknowledge security researchers who help us improve our security.
Security Updates
This page is updated regularly to reflect our current security practices. For significant changes, we'll notify customers via email. Last updated: October 20, 2025.
Questions?
If you have questions about our security practices, please contact us:
Security Team: contact@scrumeye.com
General Inquiries: scrumeye.com/contact