Scarf is deeply committed to protecting the confidentiality, integrity and availability of our systems and our customers' data. We are constantly monitoring our security controls to analyze their effectiveness and appropriateness to give you confidence in our systems. Our security program is regularly reviewed and we have completed SOC2 Type 1 and SOC2 Type 2 examinations.

Below is a summary of the security controls in place to protect your data.

You may obtain detailed information about our security and compliance programs as well as a copy of our SOC 2 Type 2 report from your customer success contact.

You can reach our security team directly at security@scarf.sh

Cloud Security

Data Center Physical Security Facilities
Scarf relies on infrastructure from Amazon AWS for data center hosting. Our provider data centers are certified as ISO 27001, PCI DSS Service Provider Level 1, and or SOC 2 certified.

Our providers employ robust controls to secure the availability and security of their systems. This includes measures such as backup power, fire detection and suppression equipment, secure device destruction amongst others. Learn more about Data Center Controls at AWS. https://aws.amazon.com/compliance/data-center/controls/

On-Site Security

‍AWS implements layered physical security controls to ensure on-site security including, vetted security guards, fencing, video monitoring, intrusion detection technology and more. Learn more about AWS Physical Security.
https://aws.amazon.com/compliance/data-center/perimeter-layer/

‍Network Security

‍In-house Security Team
Scarf has a dedicated and passionate technical team across the globe to respond to security alerts and events.

‍Third-Party Penetration Tests

‍Third party penetration tests are conducted against the application and supporting infrastructure at least annually. Any findings as a result of tests are tracked to remediation. Reports are available on request with an appropriate NDA in place.

‍Threat Detection

‍Scarf deploys threat detection services within AWS to continuously monitor for malicious and unauthorized activity.

‍Vulnerability Scanning

‍We perform regular internal scans for vulnerability scanning of infrastructure. Where issues are identified these are tracked until remediation.

‍Access Control

‍Access is limited to a least privilege model required for our staff to carry out their jobs. This is subject to regular internal audit and technical enforcement and monitoring to ensure compliance. MFA is required for all production systems.

‍Encryption

‍In Transit
Communication with Scarf is encrypted with TLS 1.2 or higher over public networks. We monitor community testing & research in this area and continue to adopt best practices in terms of Cipher adoption and TLS configuration.

‍At Rest

‍Scarf data is encrypted at rest with industry standard AES-256 encryption. By default we encrypt at the asset or object level.

‍Availability & Continuity

‍Uptime
Scarf is deployed on public cloud infrastructure. Services are deployed to multiple regions and availability zones for availability and are configured to scale dynamically in response to measured and expected load.

Scarf maintains a publicly available status page which includes details on system availability, scheduled maintenance windows and service incident history details.

‍Disaster Recovery

‍The Scarf gateway is deployed in multiple global regions. In the event of a major region outage, Scarf has the ability to deploy our application to a new hosting region. Our Disaster Recovery plan ensures availability of services and ease of recovery in the event of such a disaster. This plan is regularly tested and reviewed for areas of improvement or automation.

DR deployment is managed by the same configuration management and release processes as our production environment ensuring that all security configurations and controls are applied appropriately.

‍Application Security

‍Environment Segregation
Testing, staging and production environments are logically separated from one another. No customer data is used in any development or test environment.

‍Personal Security

‍Security Awareness
Scarf delivers employees a robust Security Awareness Training program which is delivered within 30 days of new hires and annually for all employees.

‍Information Security Program

‍Scarf has a comprehensive set of information security policies covering a range of topics. These are disseminated to all employees and contractors and acknowledgement tracked on key policies such as Acceptable Use, Information Security Policy and our Employee Handbook.

‍Employee Background Checks

‍All Scarf employees undergo a background check prior to employment which covers 5 years criminal history where legal and 5 years employment verification.

‍Confidentiality Agreements

‍All employees and contractors are required to sign Non-Disclosure and Confidentiality agreements.

‍Access Controls

‍Access to systems and network devices is based upon a documented, approved request process. Logical access to platform servers and management systems requires two-factor authentication. A periodic verification is performed to determine that the owner of a user ID is still employed and assigned to the appropriate role. Access is further restricted by system permissions using a least privilege methodology and all permissions require documented business need. Exceptions identified during the verification process are remediated. Business need revalidation is performed on a quarterly basis to determine that access is commensurate with the users job function. Exceptions identified during the revalidation process are remediated. User access is revoked upon termination of employment or change of job role.

‍Data Privacy

‍GDPR

‍Scarf maintains compliance with the European Union’s General Data Protection Regulation (GDPR).

PCI-DSS

‍As a card not present merchant, Scarf outsources our cardholder functions to a PCI-DSS Level 1 service provider. A copy of our SAQ-A can be available on request.

Privacy Policy

‍Scarf’s privacy policy, which describes how we handle data collected by Scarf, can be found at https://about.scarf.sh/privacy-policy . For privacy questions or concerns, please contact help@scarf.sh.

‍Third Party Security

‍Vendor Management

‍Scarf understands the risks associated with improper vendor management. We evaluate and perform due diligence on all of our vendors prior to engagement to ensure their security is to a suitable standard. Selected vendors are then monitored and reassessed on an ongoing basis, taking into account relevant changes.

‍Third-Party Sub Processors

‍Scarf uses third-party sub processors to provide core infrastructure and services which support our applications. Prior to engaging any third party, Scarf evaluates a vendor’s security as per our Vendor Management Policy.

‍Responsible Disclosure

‍We consider the security of our system a top priority and believe that working with skilled researchers from the security community helps improve our security posture.
Below are the list of vulnerabilities that qualify to receive hall of fame

‍Server-side Remote Code Execution (RCE)

‍SQL Injection
Authentication Bypass
Private data access
Access Control vulnerabilities
Server-Side Misconfiguration
Stored Cross Site Scripting
Server-side applications using default credential
Disclosure Policy:

If you believe you have discovered a potential vulnerability, please let us know by emailing at: security@scarf.sh.
We will acknowledge your email within 5 days.
We accept solo submissions only
All the testing should be done within your own account only
Currently we do not allow disclosure of the vulnerability
Only use the accounts you own or for which you have explicit permissions from the account holder.

Provide us a reasonable amount of time to resolve the issue before disclosing it to the public or third party and provide sufficient information to reproduce the vulnerability.
We recommend you include the following information when you report a security bug
Finding Name
Domain
Severity
URL
Proof-of-Concept to reproduce the finding
Evidence such as screenshot/video
Exclusions and are things we do not want to see:
While researching, we would like you to refrain from

‍Denial of Service (DOS) and Distributed Denial of Service (DDOS)

‍Spamming
Clickjacking
Email bombing/Flooding/rate limiting
Social Engineering or phishing of Scarf employees or contractors
Vulnerabilities in Third party SaaS applications and integrations we use
Username/E-mail enumeration
Missing HTTP security headers or issues related to HTTP headers
Missing DMARC, SPF, DANE and CAA records records
OAuth Misconfiguration
Logout Cross-Site Request Forgery
EXIF and Geolocation related vulnerabilities

Scarf does not offer cash rewards for reporting vulnerabilities through our Responsible Disclosure Policy. We do appreciate and thank researchers by listing their names in our security Hall of Fame.

Thank you for helping to keep Scarf and our users safe!