Your data. Your terms.
We hold your brand voice, your reviews, your draft creative — and, with BYOK, the keys you use to call your own AI providers. Here’s exactly how we treat all of it, with verifiable claims. Skip to: BYOK keys · subprocessors · security · auth · breach SLA · privacy · security review · vuln reporting · contact.
Hetzner Falkenstein DE primary. UK ICO registered. GDPR compliant by default.
Tenant API keys + integration secrets envelope-encrypted with NIST-standard AES-256-GCM. TLS 1.3 in transit, HSTS preload-eligible.
Hosted: Clerk (SOC 2 Type II) with passkey, social SSO, optional TOTP. Sovereign: Argon2id (OWASP 2024) offline.
Sovereign tiers put everything on your hardware. Offline-capable licence, no phone-home. We literally have no access.
Subprocessors
Third parties we share customer data with to operate the service. Listed in plain English with what they do and where they’re hosted.
Sub-processor changes are announced 30 days before they take effect via email to your notification address. Subscribe to subprocessor change notifications by emailing [email protected].
How we handle your AI keys (BYOK)
Every Scarif One install is Bring-Your-Own-Keys. You connect a Gemini / Anthropic / OpenAI key in the setup wizard; we call those providers on your behalf, billed directly to your account at retail. We never mark up an API call.
- Stored encrypted at rest: Every key is envelope-encrypted using NIST-standard
AES-256-GCMwith random 12-byte IVs and 16-byte auth tags, master key derived from the install’sSCARIF_SECRET_KEYvia SHA-256. Seelib/secrets.tsin our source. - Never logged in plaintext: The decrypt-for-use path runs inside a single request scope and is never written to disk, logs, or telemetry. We only ever read the key inside a single AI call lifecycle.
- Visible audit log: Every key read is logged with provider, caller (e.g.
ad-generate), timestamp, and outcome. You can see your own log under/securityin your dashboard — no plaintext key, just that the key was read. - Rotation is one click: Generate a new key at the provider, paste it on
/integrations, the old key is overwritten on disk. Step-by-step in our BYOK FAQ. - Leak playbook: If you suspect a key’s been compromised, the provider’s revocation stops billing immediately — see the leak section for our recommended response sequence.
- Sovereign: On a self-host install, your key never leaves your hardware. We literally have no path to read it.
Security posture
- Transport: HSTS-enforced TLS 1.2+ on every connection (max-age 2 years, preload-eligible). Cookies are
HttpOnly+Secure(production) +SameSite=Lax+Path=/. - Encryption at rest: Tenant secrets (AI keys, integration tokens) encrypted with AES-256-GCM. Brand-profile JSON written at file mode
0600. - Session tokens: HMAC-SHA256-signed, 30-day expiry, rotatable per-tenant secret. The Clerk path uses Clerk-managed JWTs in addition.
- Audit log: Every meaningful action logged per-tenant + visible to admins on
/security. AI key access logged separately (see BYOK section above). - HTTP headers: CSP (with violation reporting at
/api/csp-report),X-Frame-Options: DENY,X-Content-Type-Options: nosniff,Referrer-Policy: strict-origin-when-cross-origin, restrictivePermissions-Policy. Verify any time withcurl -I https://scarifone.com. - Rate limiting: Per-tenant on AI + sync routes — protects you from runaway costs and us from abuse.
- Data isolation: Every tenant has its own data dir and signing secret; cross-tenant access requires session impersonation by a super-admin (logged + transparent to you).
- Backups: Encrypted off-site nightly via S3-compatible storage (R2 / B2 / AWS). Retention 30 days for hosted plan. Self-host: BYO backup strategy.
Authentication
- Hosted (Solo / Studio): Authentication via Clerk — SOC 2 Type II certified, supports passkey (WebAuthn), social SSO (Google / GitHub), TOTP 2FA, and Clerk-managed passwords. Clerk handles password hashing, session management, and brute-force protection on the auth surface.
- Sovereign self-host: Authentication via Argon2id with OWASP-2024 parameters (memory 65536 KiB, time 3, parallelism 4), HMAC-signed session cookies, optional TOTP 2FA, single-use Argon2id-hashed recovery codes. Fully offline — Sovereign never contacts Clerk or any external auth provider.
- Dual-auth migration: Existing hosted tenants who signed up before the Clerk pivot keep their Argon2id login indefinitely. An optional in-app banner lets them link a Clerk identity to add passkey / SSO without forced cutover. Their Argon2id password keeps working either way.
- Critical: Authentication and AI-key handling are separate systems. Clerk handles passwords; your AI keys never go through Clerk — they live encrypted on your tenant volume.
Breach notification SLA
If we discover a personal-data breach affecting your tenant, we will:
- Within 72 hours: Email you + the UK Information Commissioner’s Office (ICO) with: scope of breach, data categories affected, root cause (to the extent known), containment steps already taken, and our remediation plan with timeline.
- On resolution: Publish a postmortem on /incidents with the same scope + a “lessons learned” section. We don’t hide bad days — transparency is how we earn the right to ask for trust.
- For Sovereign customers: Breach disclosure is your responsibility (we have no access to your install). We’ll publish any zero-day affecting the Scarif One codebase as a CVE-style advisory on /incidents with a fix release.
Annual security review
Rather than chase a SOC 2 audit we can’t yet afford, we publish a self-audit against OWASP ASVS + CIS Critical Security Controls. Each control is listed with our current status (pass / partial / not-applicable) and supporting evidence. Honest, controllable, no auditor cost — you can verify every claim against our open source.
Read the latest at /security-review.
Privacy + GDPR
- Right to access / portability: One-click JSON export of every file we hold for your tenant via
/securityin the dashboard. - Right to erasure: One-click tenant deletion (with double confirmation) via
/security. The data is gone immediately; we log the deletion request to a separate immutable log. - Data minimisation: We don’t collect what we don’t need. No third-party tracking pixels. No selling data, ever.
- Data residency: Hosted plan EU primary by default. For other regions, take a Sovereign self-host licence and deploy in whichever region your infrastructure supports — your data never leaves it.
- AI training: We never train models on customer data. Your brand voice and generated content stay yours.
- Self-host: Data never leaves your hardware. We literally have no access.
Reporting a vulnerability
Found a security issue? Email [email protected] with details. We acknowledge within 48h and aim to fix critical issues within 7 days. Responsible-disclosure researchers are credited (with permission) on this page once the fix is shipped.
We don’t currently run a paid bounty programme, but we’ll send a personal thank-you, credit you publicly if you’d like, and prioritise your future feedback.
Contact
- General: [email protected]
- Privacy / DPA / data-processing agreements: [email protected]
- Security: [email protected]
- Status (uptime + incidents): status.scarifone.com
Every claim on this page is verifiable. Read it against our open source (search lib/secrets.ts, proxy.ts, lib/auth.ts), run curl -I https://scarifone.com against our headers, or check the live annual security review.
If anything ever isn’t — or if you spot a gap that should be on this page and isn’t — email me directly: [email protected].
— Tom, founder. (Yes, I read every email.)
Want a deeper conversation?
Have specific compliance / data-residency / DPA questions for your buyer? Tom answers them directly.
Talk to Tom →