Security overview

Security that your auditor can read

Cloud-based ERP raises the bar for what you have to defend. AES-256 at rest, TLS 1.3 in transit, RBAC enforced at every query, an immutable audit log, and compliance work mapped to the standards your enterprise buyer is going to ask about.

What ships with every plan

The security posture below is baseline on Free, Starter, Pro and Enterprise. No bolt-ons, no upsells for the controls a reasonable buyer expects.

Encryption everywhere

All data at rest is encrypted with AES-256. All data in transit uses TLS 1.3 with HSTS enforced. Backups are encrypted with separate per-tenant keys before they leave the database server.

Authentication you control

Email + password with bcrypt hashing, JWT-based sessions with rotating refresh tokens, configurable session timeouts. SSO via Google / Microsoft Entra and SAML 2.0 on Enterprise plans. MFA (TOTP + WebAuthn) ships with every plan.

Role-based access control

Module-level + action-level permissions. Built-in roles (Org Admin, Manager, Operator, Supplier) and custom roles for fine-grained access. Tenant isolation enforced at every database query so two organisations can never see each other's data.

Immutable audit log

Every state change writes to an append-only audit log: who, what, when, before/after. Filterable by user, entity type, and time range. Exportable to your SIEM via webhook on Enterprise.

Hardened infrastructure

Production runs on DigitalOcean droplets behind nginx with rate limiting + TRUSTED_PROXY headers. Postgres + Redis run on the same VPC, never exposed to the public internet. SSH is key-only, root login disabled.

Continuous monitoring

Sentry for application errors, BugSink for self-hosted log retention, Uptime-Kuma for liveness checks on every endpoint. PagerDuty wakes the on-call engineer for any P0 anomaly within 60 seconds.

Compliance standards

What is in place today, what we are working on, and what we have explicitly de-scoped.

India DPDP Act 2023

Compliant

Indian customer data stays in Indian DigitalOcean regions. Right-to-correction + right-to-erasure exposed via the admin console.

GDPR (EU)

Compliant

DPA available. Data subject access requests handled in under 30 days. EU customer data optionally pinned to Frankfurt.

SOC 2 Type II

In progress

Audit engagement started Q2 2026. Trust report available under NDA.

ISO 27001

Planned

Gap assessment scheduled for Q4 2026. Internal controls already aligned to Annex A.

PCI DSS

Out of scope

Scraplytics does not store cardholder data. All card payments are tokenised via Razorpay / Stripe and never touch our servers.

Our security program

Secure software development lifecycle

  • Code review required on every change - no direct pushes to main
  • Dependabot + npm audit run on every commit
  • Snyk scans block any PR that introduces a high-severity vulnerability
  • OWASP Top 10 covered in our pre-deploy checklist

Vulnerability disclosure

  • Report anything that looks off to security@scraplytics.com
  • PGP key on the trust center page
  • Acknowledgement within 48 hours, status update within 7 days
  • Hall of fame for responsible disclosure (no bounty as of 2026; under review)

Backup + disaster recovery

  • Encrypted Postgres backups every 6 hours, retained 30 days, offsite to a different DigitalOcean region
  • Restoration drill executed quarterly to a clean staging environment
  • RPO 6 hours, RTO 4 hours for the cloud-tenant database
  • PITR window is 7 days on the database tier

Frequently asked questions

Can we get a copy of your security review / penetration test report?

Yes. Sign our standard mutual NDA at security@scraplytics.com and we will share the latest external pen-test report (run annually) and our internal compliance matrix.

Where is our data physically stored?

Customer data lives in the DigitalOcean region closest to the buyer organisation by default - BLR (Bangalore) for India, FRA (Frankfurt) for EU, NYC for North America. Cross-region replication for backups uses the same continent. Enterprise plans can pin to a specific region with a contractual amendment.

How do you isolate tenants?

Every API route resolves a tenant_id from the JWT and adds it to every database query as a WHERE clause. We do not use schemas per tenant - we rely on row-level enforcement plus integration tests on every release that try to read across tenant boundaries and assert that they fail. Cross-tenant queries are also blocked by Postgres RLS policies as a second layer.
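The RLS "second layer" described above, as an added example that is not Scraplytics' own schema: the table, role and setting names are assumptions, and the pattern shows the weak setting (RLS enabled but not forced) beside the corrected one.

```sql
-- Added example, not the product's schema. Assumed names: purchase_orders,
-- erp_app, and the custom session setting app.tenant_id.
CREATE TABLE purchase_orders (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    supplier  text NOT NULL,
    amount    numeric(12,2) NOT NULL
);

-- The API connects as a dedicated, non-owner role, never as the table owner.
CREATE ROLE erp_app LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON purchase_orders TO erp_app;
GRANT USAGE ON SEQUENCE purchase_orders_id_seq TO erp_app;

-- Weak setting: ENABLE alone exempts the table owner, so any connection that
-- runs as the owner (migrations, ad-hoc scripts) still sees every tenant.
ALTER TABLE purchase_orders ENABLE ROW LEVEL SECURITY;

-- Corrected setting: apply the policy to the owner as well.
ALTER TABLE purchase_orders FORCE ROW LEVEL SECURITY;

-- A row is readable or writable only when its tenant_id matches the tenant
-- the API resolved from the JWT and published into the session. When the
-- setting is absent or empty the comparison is NULL, i.e. never true, so an
-- un-scoped session gets zero rows rather than all of them (default deny).
CREATE POLICY tenant_isolation ON purchase_orders
    FOR ALL TO erp_app
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request, after validating the JWT, the API runs this inside the
-- transaction. SET LOCAL is scoped to the transaction, so a pooled connection
-- cannot carry one tenant's id into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed id

-- Only rows whose tenant_id is 1111...; no application-level WHERE needed,
-- although the route-level WHERE clause still stays as the first layer.
SELECT id, supplier, amount FROM purchase_orders;

-- A cross-tenant write is rejected by WITH CHECK with
-- "new row violates row-level security policy", which is the failure the
-- release-time cross-tenant integration tests are expected to observe.
INSERT INTO purchase_orders (tenant_id, supplier, amount)
VALUES ('22222222-2222-2222-2222-222222222222', 'Acme', 10.00);
ROLLBACK;
```

The same NULLIF guard matters in the integration tests: a test that forgets to SET LOCAL should see an empty result, never a cross-tenant one.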

What happens if we want to leave?

A "Download my data" button in the Owner-only Admin tab exports the full database for your tenant as CSV / JSON within 60 seconds. We retain it on our side for 30 days post-cancellation so you can change your mind, then it is hard-deleted from production and the next backup cycle.

Do you ever access customer data?

Only with explicit per-incident written consent (typically a support ticket where the customer asks us to debug something they cannot reproduce). Every such access is logged with the engineer name, customer ticket id, and timestamp. The audit trail is shown to the customer in their admin console.

Need our Trust Report?

Email security@scraplytics.com with your NDA and we will turn it around within 2 business days.

Contact security@scraplytics.com