Trust Center

How we protect your data

ScaleQuality reads engineering metadata (commits, PRs, boards) to generate quality intelligence. This page explains what we collect, what we don't, and how we keep your data isolated, encrypted, and auditable.

01Principles

Anti-surveillance by design

Metrics are team-aggregated, never per-author. We don't collect AI prompt content, nor track keystrokes. No engineer is exposed.

Multi-tenant isolation

Every query carries a mandatory orgId. No silent cross-tenant fallback — verified by automated checks in CI.

Data residency

Data lives in us-east-1 (AWS). Regional replicas (EU / Brazil) are available on the Enterprise plan upon request.

Least privilege

OAuth tokens for your integrations (GitHub, Jira, Azure) use the smallest scope required. No keys are shared across services.

02Compliance and frameworks

Active adherence below. DPA requests, sub-processor lists, and security questionnaires are answered within 5 business days.

SOC 2 Type II

Audit kicked off with an independent firm. Type I report expected 2026 Q4; Type II 2027 Q3.

In progress

LGPD (Brazil)

We act as Data Processor (Art. 5, LGPD). DPA available upon request. DPO appointed.

Compliant

GDPR (EU)

SCC addendum available for EU customers. Data subject rights served via the privacy portal.

Compliant

ISO 27001

On the 2027 roadmap. We already follow aligned operational controls (incident mgmt, retention, encryption).

Planned

03How we handle your data

Encryption in transit (TLS 1.2+) and at rest (AES-256 on RDS and S3).

Daily RDS backups with 30-day retention and point-in-time recovery.

Per-organization audit logs, CSV-exportable by administrators.

Default retention 24 months; customers can negotiate shorter terms.

Right to be forgotten: full deletion within 30 days of formal request.

We never train AI models on your data. Period.

04Sub-processors

Providers that process data on our behalf. Changes to this list are notified to Enterprise customers 30 days in advance.

Provider	Purpose	Region
Amazon Web Services	Hosting, database and storage	us-east-1
Stripe	Payment processing	Global
Amazon SES	Transactional email delivery	us-east-1
Cloudflare	CDN and DDoS protection	Global

05AI telemetry connectors

When an organization connects a provider to bring in real usage and billing telemetry, the key is encrypted at rest with AES-256-GCM. No endpoint returns the secret in any response. These are the exact scopes each connector uses.

Anthropic (Claude / Claude Code)

Reads org-wide input/output tokens + cost via the Admin Usage Report API.

Scope read

Admin key (read-only, org-wide)

Cursor

Reads team members, 30-day spend and per-event tokens via the Cursor Team Admin API.

Scope read

Team admin API key

Key encrypted at rest AES-256-GCM with a random IV per value. Auth tag validates integrity. Never appears in any API response or log. Supports rotation, disconnect and test-connection without ever exposing the secret.

Security team

Found a vulnerability? Questions about our threat model? Need a DPA, SCCs, or a filled-out security questionnaire? Reach out — we reply within 1 business day.

security@scalequality.io security.txt

Last reviewed: May 20, 2026