Trust Center
Trust, verified.
ScopeMantle asks customers to put third parties on a governed footing. We hold ourselves to the same bar, publicly, continuously, auditably.
COMMITMENTS
Six promises we hold ourselves to.
We don't sell customer data. Ever.
Customer data is processed solely to provide the service contracted. It is never sold, brokered, monetized for advertising, or used to train models for any other customer.
Read-only by default.
Every connector ships with read-only OAuth scopes. Write actions (revokes, ticket creation) require an explicit per-tenant toggle in your workspace settings.
We publish our sub-processors list.
The full sub-processors list is public, dated, and versioned. We notify customers in advance of any addition or material change.
Data residency is your choice.
Pick US (us-east-1) or EU (eu-central-1) at provisioning. APAC residency is on the roadmap. Customer data does not cross the region boundary you choose, in transit or at rest.
Our DPA is plain-language and pre-countersigned.
Standard MSA, DPA, and Order Form are pre-signed by our counsel. SCCs are attached for EU transfers. Most customers close legal in under 14 days.
Responsible disclosure, real payouts.
We run a public disclosure program with safe-harbor language and bounty tiers from $100 (Low) to $15,000 (Critical). We acknowledge within one business day.
CURRENT POSTURE
Where we stand today.
DOCUMENTS
Everything your security team usually has to ask for.
Data Processing Addendum (DPA)
Pre-countersigned template · PDF · 18 pages
Download
Sub-processors list
Versioned · current as of 2026-04-09
Download
Privacy Policy
GDPR + CCPA aligned · last updated 2026-03-22
Download
Penetration test summary (NDA)
Q1 2026 · executive summary · full report under NDA
Request access
SOC 2 Type II bridge letter (NDA)
Audit window in progress · Q3 2026 target
Request access
Security whitepaper
Architecture, controls, and threat model · 24 pages
Download
Incident response policy (summary)
Detect · Contain · Notify · Remediate · Post-mortem
Download
CONTACTS
How to reach us.
Security incidents
security@scopemantle.com (PGP key available). PGP encouraged for sensitive reports. Acknowledged within 1 business day.
Privacy requests
Data subject rights, RoPA questions, processor inquiries.
DPA countersignatures
Most countersignatures returned within 2 business days.
General trust inquiries
Anything else, questionnaires, vendor reviews, customer references.
INCIDENT RESPONSE
How we handle a security incident.
- 01 Detect
24/7 alerting on the ScopeMantle security pipeline: anomalous auth, OAuth grant spikes, failed connector sweeps, and external signals (status providers, threat intel feeds).
- 02 Contain
On-call SecOps isolates affected components, rotates compromised credentials, and pauses connectors as needed. Customer impact is scoped before notification to avoid speculative disclosures.
- 03 Notify
Customers are notified within 72 hours of a confirmed incident per contract; for EU customers, within GDPR Article 33 windows. Notice includes scope, timeline, and the customer-side actions we recommend.
- 04 Remediate
Fix deployed and verified. Where customer action is required (token rotation, log review), ScopeMantle provides step-by-step guidance and validates completion via the audit log.
- 05 Post-mortem
Blameless post-mortem published to affected customers within 14 days. Material changes appear on the public security changelog at /security#changelog.
Have specific diligence questions?
Our security team is happy to answer on a call, and to handle questionnaires, architecture walkthroughs, or controls deep-dives.