|Trust Center

Scribe

While your teams use Scribe to document and share processes, we want you to know your data is 100% protected. Scribe is not just easy and fast — it’s absolutely secure. 

Information security and privacy are built into Scribe’s growth, mission and vision. Alongside vulnerability scanning, penetration testing, access control, encryption and data privacy measures, Scribe successfully went through a SOC 2 Type II audit.

We are tirelessly committed to the protection of your data and your privacy. Scribe’s information security and privacy controls are detailed below.

fa-envelope alpaca-fa-regular
security@scribehow.com
fa-link alpaca-fa-regular
Privacy Policy

Controls

fa-magnifying-glass alpaca-fa-regular
Infrastructure security
ControlStatus
Production database access restricted

The company restricts privileged access to databases to authorized users with a business need.

fa-circle-check alpaca-fa-solid
Remote access encrypted enforced

The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

fa-circle-check alpaca-fa-solid
Network segmentation implemented

The company's network is segmented to prevent unauthorized access to customer data.

fa-circle-check alpaca-fa-solid
Organizational security
ControlStatus
Confidentiality Agreement acknowledged by contractors

The company requires contractors to sign a confidentiality agreement at the time of engagement.

fa-circle-check alpaca-fa-solid
Confidentiality Agreement acknowledged by employees

The company requires employees to sign a confidentiality agreement during onboarding.

fa-circle-check alpaca-fa-solid
Performance evaluations conducted

The company managers are required to complete performance evaluations for direct reports at least annually.

fa-circle-check alpaca-fa-solid
MDM system utilized

The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service.

fa-circle-check alpaca-fa-solid
Product security
ControlStatus
Control self-assessments conducted

The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA.

fa-circle-check alpaca-fa-solid
Penetration testing performed

The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.

fa-circle-check alpaca-fa-solid
Internal security procedures
ControlStatus
Continuity and disaster recovery plans tested

The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.

fa-circle-check alpaca-fa-solid
Cybersecurity insurance maintained

The company maintains cybersecurity insurance to mitigate the financial impact of business disruptions.

fa-circle-check alpaca-fa-solid
Configuration management system established

The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.

fa-circle-check alpaca-fa-solid
SOC 2 - System Description

Complete a description of your system for Section III of the audit report

fa-circle-check alpaca-fa-solid
Whistleblower policy established

The company has established a formalized whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns.

fa-circle-check alpaca-fa-solid
Board oversight briefings conducted

The company's board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company's cybersecurity and privacy risk. The board provides feedback and direction to management as needed.

fa-circle-check alpaca-fa-solid
Board charter documented

The company's board of directors has a documented charter that outlines its oversight responsibilities for internal control.

fa-circle-check alpaca-fa-solid
Board expertise developed

The company's board members have sufficient expertise to oversee management's ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed.

fa-circle-check alpaca-fa-solid
Board meetings conducted

The company's board of directors meets at least annually and maintains formal meeting minutes. The board includes directors that are independent of the company.

fa-circle-check alpaca-fa-solid
System changes externally communicated

The company notifies customers of critical system changes that may affect their processing.

fa-circle-check alpaca-fa-solid
Management roles and responsibilities defined

The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls.

fa-circle-check alpaca-fa-solid
Organization structure documented

The company maintains an organizational chart that describes the organizational structure and reporting lines.

fa-circle-check alpaca-fa-solid
Roles and responsibilities specified

Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.

fa-circle-check alpaca-fa-solid
Support system available

The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.

fa-circle-check alpaca-fa-solid
Access requests required

The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned.

fa-circle-check alpaca-fa-solid
Incident response plan tested

The company tests their incident response plan at least annually.

fa-circle-check alpaca-fa-solid
Company commitments externally communicated

The company's security commitments are communicated to customers in Master Service Agreements (MSA) or Terms of Service (TOS).

fa-circle-check alpaca-fa-solid
External support resources available

The company provides guidelines and technical support resources relating to system operations to customers.

fa-circle-check alpaca-fa-solid
Service description communicated

The company provides a description of its products and services to internal and external users.

fa-circle-check alpaca-fa-solid
Risk assessment objectives specified

The company specifies its objectives to enable the identification and assessment of risk related to the objectives.

fa-circle-check alpaca-fa-solid
Risks assessments performed

The company's risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed. The risk assessment includes a consideration of the potential for fraud and how fraud may impact the achievement of objectives.

fa-circle-check alpaca-fa-solid
Data and privacy
ControlStatus
Customer data deleted upon leaving

The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.

fa-circle-check alpaca-fa-solid

Top