Security
Production data is sensitive. Here’s exactly how we handle yours — and what we don’t do.
Questions? [email protected]
AI connector access is read-only by design
When you connect an AI assistant, you’re not handing it a key — you’re granting a scoped, revocable authorization.
- OAuth 2.1 with PKCE (S256). A full consent handshake with a code challenge that can’t be replayed.
- Read-only. Connected assistants can query your data. They cannot write, modify, or delete anything.
- Project-scoped. A grant is bound to the single project you authorize — never your whole account.
- Rotating, revocable tokens. Refresh tokens rotate on every use; a reused stale token revokes the whole family. Revoke any connection in one click.
- Hashed at rest. Access and refresh tokens are stored only as SHA-256 hashes, compared in constant time.
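The rotation and reuse-detection behaviour described in this list, shown as an added example. This is illustrative code written for this page, not ScryWatch's implementation; the names `TokenStore`, `FamilyState`, `issue_grant` and `rotate`, and the constructed project id, are assumptions. Only SHA-256 digests of tokens are kept, comparisons use a constant-time function, a valid refresh produces a new token, and presenting an already-rotated token revokes the entire family.

```python
"""Added illustration of refresh-token rotation with reuse detection.
Not ScryWatch code; TokenStore, FamilyState, issue_grant and rotate are
invented for this example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


def token_hash(token: str) -> str:
    """Only the SHA-256 digest is persisted; the raw token exists only on the client."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class FamilyState:
    project_id: str                  # the single project this grant is bound to
    current_hash: str                # digest of the one refresh token that is valid right now
    seen_hashes: set = field(default_factory=set)  # digests of every token ever issued in this family
    revoked: bool = False


class TokenStore:
    """In-memory stand-in for the server-side grant table."""

    def __init__(self) -> None:
        self.families: dict = {}

    def issue_grant(self, project_id: str) -> Tuple[str, str]:
        """Create a new token family (one per consented connection) and return
        (family_id, refresh_token). The raw token is shown to the client once."""
        family_id = secrets.token_hex(8)
        refresh = secrets.token_urlsafe(32)
        digest = token_hash(refresh)
        self.families[family_id] = FamilyState(project_id, digest, {digest})
        return family_id, refresh

    def rotate(self, family_id: str, presented: str) -> Optional[str]:
        """Exchange the current refresh token for a new one.

        Returns the new token, or None when the exchange is rejected. Presenting
        a stale token from this family (one already rotated away) is treated as
        evidence the token leaked, and the whole family is revoked."""
        fam = self.families.get(family_id)
        if fam is None or fam.revoked:
            return None
        digest = token_hash(presented)
        if hmac.compare_digest(digest, fam.current_hash):
            new_token = secrets.token_urlsafe(32)
            new_digest = token_hash(new_token)
            fam.current_hash = new_digest
            fam.seen_hashes.add(new_digest)
            return new_token
        # Constant-time scan: was this an older token from the same family?
        if any(hmac.compare_digest(digest, seen) for seen in fam.seen_hashes):
            fam.revoked = True
        return None

    def revoke(self, family_id: str) -> None:
        """The one-click 'disconnect' action."""
        fam = self.families.get(family_id)
        if fam is not None:
            fam.revoked = True

    def is_revoked(self, family_id: str) -> bool:
        fam = self.families.get(family_id)
        return fam is None or fam.revoked


if __name__ == "__main__":
    store = TokenStore()
    fid, r1 = store.issue_grant("proj_demo")   # constructed project id
    r2 = store.rotate(fid, r1)                  # normal refresh succeeds
    replay = store.rotate(fid, r1)              # r1 replayed: family revoked
    print(r2 is not None, replay, store.is_revoked(fid))
```

A random string that was never part of the family is simply rejected and does not revoke anything; only a token that was genuinely issued and later rotated away triggers the family revocation, which is the signal that distinguishes a leaked token from a typo.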
Authentication
- Hashed passwords. Passwords are hashed, never stored in plaintext, and verified in constant time.
- Minimum 12 characters. Enforced at signup and on every change.
- Brute-force protection. Login attempts are rate-limited and enumeration-safe — wrong email and wrong password fail identically.
- Hardened sessions. Session cookies are HttpOnly and Secure, expire on a fixed window, and are cleaned up server-side.
- CSRF protection. Required on state-changing account actions.
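The hashed-password, constant-time and enumeration-safe login properties above, as an added example. This is illustrative code, not ScryWatch's authentication service; `AuthService`, its methods, the scrypt work factor and the in-memory per-email attempt counter are assumptions (a production rate limiter would also key on client address and use shared storage). The point to notice is that an unknown email still runs the full password hash against a throwaway digest, so the response time and the error text are the same whether or not the account exists.

```python
"""Added illustration of hashed passwords, constant-time verification and
enumeration-safe login. Not ScryWatch code; AuthService and its methods are
invented here. Uses scrypt from the standard library as the password hash."""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict
from typing import Optional, Tuple

MIN_PASSWORD_LEN = 12
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)   # memory-hard work factor (assumed values)
SALT_LEN = 16
GENERIC_FAILURE = "Invalid email or password."  # same text for every failure reason
LOCKOUT_MESSAGE = "Too many attempts. Try again later."


def hash_password(password: str) -> bytes:
    """Stored form is salt || scrypt(password, salt); plaintext is never kept."""
    salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Hash of a random throwaway password. Unknown emails are verified against it
# so that known and unknown accounts cost the same time to check.
_DUMMY_HASH = hash_password(secrets.token_urlsafe(24))


class AuthService:
    def __init__(self, max_attempts: int = 5, window_seconds: float = 300.0) -> None:
        self.users: dict = {}              # email -> stored hash
        self.attempts = defaultdict(list)  # email -> failure timestamps (in-memory simplification)
        self.max_attempts = max_attempts
        self.window = window_seconds

    def register(self, email: str, password: str) -> None:
        if len(password) < MIN_PASSWORD_LEN:
            raise ValueError(f"password must be at least {MIN_PASSWORD_LEN} characters")
        self.users[email.lower()] = hash_password(password)

    def login(self, email: str, password: str,
              now: Optional[float] = None) -> Tuple[bool, Optional[str]]:
        now = time.monotonic() if now is None else now
        key = email.lower()
        recent = [t for t in self.attempts[key] if now - t < self.window]
        self.attempts[key] = recent
        if len(recent) >= self.max_attempts:
            return False, LOCKOUT_MESSAGE
        stored = self.users.get(key, _DUMMY_HASH)
        # Always run the full hash, then additionally require the account to exist.
        password_ok = verify_password(password, stored)
        if not (password_ok and key in self.users):
            self.attempts[key].append(now)
            return False, GENERIC_FAILURE
        self.attempts[key].clear()
        return True, None
```

Because the attempt counter is keyed on the submitted email whether or not it is registered, the lockout response also gives no hint about which addresses have accounts.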
API keys
- Stored as hashes. Keys are stored only as hashes; we keep a short prefix in the clear so you can recognize a key in a list.
- Shown once. The full key is shown only at creation. We can’t recover it; you rotate it.
- Authenticated ingest. Every event is authenticated by hashing the presented key and matching it to your project.
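The API-key handling described in this list, as an added example: a key is shown once at creation, only its hash and a short display prefix are stored, and every ingested event is authenticated by hashing the presented key and matching it to a project. This is illustrative code rather than ScryWatch's implementation; `ApiKeyStore`, `ingest_event`, the `sw_` prefix and the eight-character display length are assumptions.

```python
"""Added illustration of hashed API keys with a display prefix and hash-based
ingest authentication. Not ScryWatch code; ApiKeyStore, the 'sw_' prefix and
the method names are invented for this example."""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

KEY_PREFIX = "sw_"      # hypothetical product prefix
DISPLAY_CHARS = 8       # how much of the key is kept in the clear for recognition


def key_hash(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode()).hexdigest()


class ApiKeyStore:
    def __init__(self) -> None:
        # key id -> record; the raw key itself is never persisted
        self.records: dict = {}

    def create_key(self, project_id: str, name: str) -> Tuple[str, str]:
        """Mint a key. The raw key is returned exactly once; only its hash and a
        short prefix are stored, so it cannot be recovered later, only rotated."""
        raw = KEY_PREFIX + secrets.token_urlsafe(32)
        key_id = secrets.token_hex(6)
        self.records[key_id] = {
            "name": name,
            "project_id": project_id,
            "prefix": raw[:DISPLAY_CHARS],
            "hash": key_hash(raw),
            "revoked": False,
        }
        return key_id, raw

    def list_keys(self, project_id: str) -> List[Tuple[str, str, str]]:
        """What a dashboard can show: id, name and a recognisable prefix."""
        return [(kid, r["name"], r["prefix"] + "...")
                for kid, r in self.records.items() if r["project_id"] == project_id]

    def revoke(self, key_id: str) -> None:
        if key_id in self.records:
            self.records[key_id]["revoked"] = True

    def authenticate(self, presented_key: str) -> Optional[str]:
        """Hash the presented key and match it against stored hashes in constant
        time; returns the owning project id, or None for unknown or revoked keys."""
        digest = key_hash(presented_key)
        for record in self.records.values():
            if hmac.compare_digest(digest, record["hash"]) and not record["revoked"]:
                return record["project_id"]
        return None


def ingest_event(store: ApiKeyStore, presented_key: str, event: dict, sink: dict) -> bool:
    """Accept an event only into the project the key is bound to."""
    project_id = store.authenticate(presented_key)
    if project_id is None:
        return False
    sink.setdefault(project_id, []).append(event)
    return True


if __name__ == "__main__":
    store = ApiKeyStore()
    kid, raw = store.create_key("proj_demo", "ci-runner")   # constructed values
    events: dict = {}
    print(ingest_event(store, raw, {"type": "error"}, events), store.list_keys("proj_demo"))
```

The project id comes from the stored record that the hash matched, never from the request, which is what makes the key inherit the project scope described in the next section.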
Tenant isolation & access control
- Project-scoped data. Every record is scoped to an organization and project. Queries are filtered to your context on the server.
- Role-based access. Owner, admin, and member roles, with guards that prevent privilege escalation.
- Inherited scope. API keys and AI grants inherit the same project scope.
Infrastructure
- Cloudflare edge. ScryWatch runs entirely on Cloudflare’s global network — Workers, D1, KV, R2, Durable Objects, and Queues.
- No agents. You send events over HTTPS. There’s nothing for us to install in your environment.
- Edge hardening. Standard security headers and rate limiting are applied on every request.
Data retention & deletion
- Plan-based retention. Data is retained for your plan’s window and then permanently purged on a recurring schedule.
- Project deletion. Deleting a project deletes its data. Owners can do this directly.
- Full erasure on request. Email us and we’ll confirm complete deletion.
Responsible disclosure
Found something? We want to hear it. Email [email protected] with steps to reproduce. We’ll acknowledge quickly, keep you updated, and credit you if you’d like. Please don’t test against data that isn’t yours.
What we’re working toward
We’re an early, fast-moving product. We don’t yet hold formal certifications, and we’d rather tell you that than imply otherwise. If you have specific compliance requirements, talk to us — we’ll be straight about where we are.