Enterprise-grade security, aligned to ISO 27001
ScopeShift is designed from the ground up with security at every layer. From encryption and access controls to audit trails and compliance documentation, your project data is protected by industry-leading security measures.
ISO 27001 Aligned Security
Our information security management system implements controls across all 14 domains of the ISO 27001 Annex A framework. From access control and cryptography to operations security and compliance, every aspect of the platform has been designed with international security standards in mind.
We maintain comprehensive security documentation including an Information Security Policy, Incident Response Plan, Business Continuity Plan, Data Protection Impact Assessment, Data Asset Inventory, Supplier Security Register, Secure Development Policy, and Access Control Policy.
ISO 27001 Aligned
Our information security management system (ISMS) is aligned to ISO 27001, covering all Annex A controls across people, processes, and technology.
GDPR Article 17 & 20
Right to erasure and data portability are implemented as automated platform features, not manual processes. Consent records are maintained for full accountability.
Documented Policies
Comprehensive security documentation including Information Security Policy, Incident Response Plan, Business Continuity Plan, and Data Protection Impact Assessment.
Security at Every Layer
Comprehensive protection across infrastructure, application, and data layers ensures your information is always secure.
Encryption at Rest and in Transit
AES-256-GCM encryption protects all data at rest. TLS 1.3 secures every connection in transit. Your project data is never exposed.
GDPR Compliant
Full consent management, right to erasure, and data portability built into the platform. Your data rights are always respected.
Multi-Factor Authentication
TOTP-based authentication, session idle timeout, and automatic lockout protect every account from unauthorised access.
Complete Audit Trail
Every action is tracked and logged with full accountability. Immutable audit logs support compliance and dispute resolution.
Automated Backups
Daily automated backups with 30-day retention and tested recovery procedures ensure your data is never lost.
Role-Based Access Control
Seven permission levels from Director to Operative with multi-tenant isolation between organisations.
Secure Infrastructure
Hosted on enterprise-grade cloud infrastructure with DDoS protection, WAF, and network-level security controls.
Secure Authentication
HttpOnly cookies, password policy enforcement, password history checks, and brute-force protection on all login endpoints.
Session Management
Configurable idle timeouts, automatic session expiry, and secure token refresh ensure sessions are always protected.
Security Across Every Platform
Whether your team uses the web app, mobile app, or client portal, the same enterprise-grade protections apply.
Web Application
- HttpOnly cookie-based authentication
- Hardened Content Security Policy
- Server-side route protection via middleware
- Configurable session idle timeout with warnings
- Cookie consent management with granular controls
- CSRF protection on all state-changing requests
Mobile Application
- Screenshot and screen recording protection
- Jailbreak and root detection
- Certificate pinning and endpoint validation
- Application-level data encryption
- Biometric re-authentication on idle timeout
- ProGuard code obfuscation (Android)
Backend & API
- Password history enforcement (reuse of any of the last 5 passwords is rejected)
- Bcrypt password hashing with a configurable cost factor (salt rounds)
- Rate limiting and brute-force protection
- Multi-tenant data isolation
- Immutable audit logs for all actions
- GDPR data erasure and export endpoints
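The two backend controls above that are easiest to get subtly wrong are password history and brute-force lockout. The following is an added illustration of both, not ScopeShift's own code: it assumes that "last 5" means the current password plus the four before it, uses the standard-library `hashlib.scrypt` as a stand-in for bcrypt (each stored hash keeps its own salt, so every history entry must be re-hashed to compare), and uses constructed lockout thresholds (`max_attempts`, `window`, `lockout`) that are not the platform's real settings.

```python
import hashlib
import hmac
import os
import time
from collections import deque
from typing import Optional

# Constructed parameters for this illustration. The page states "last 5" for
# password history; the lockout thresholds below are assumptions.
HISTORY_DEPTH = 5
SALT_LEN = 16
# hashlib.scrypt (standard library) stands in for bcrypt here; its cost
# parameters play the role of bcrypt's configurable cost ("salt rounds").
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || digest so the salt travels with the stored hash."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison against a stored salt || digest value."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hash_password(password, salt)[SALT_LEN:]
    return hmac.compare_digest(candidate, digest)


# Hash verified for unknown usernames so that the failure path costs the same
# time whether or not the account exists (limits username enumeration).
_DUMMY_HASH = hash_password(os.urandom(12).hex())


class Account:
    """Keeps the current hash plus the previous ones, newest last."""

    def __init__(self, password: str) -> None:
        self.history: deque = deque(maxlen=HISTORY_DEPTH)
        self.current = hash_password(password)
        self.history.append(self.current)

    def change_password(self, new_password: str) -> bool:
        # Reject any password matching one of the last HISTORY_DEPTH hashes
        # (current one included). Each entry has its own salt, so the candidate
        # is re-hashed once per entry; there is no cheaper shortcut.
        if any(verify_password(new_password, old) for old in self.history):
            return False
        self.current = hash_password(new_password)
        self.history.append(self.current)  # oldest entry drops off at maxlen
        return True


class LoginGuard:
    """Fixed-window failure counter with a temporary lockout per username."""

    def __init__(self, max_attempts: int = 5, window: float = 300.0,
                 lockout: float = 900.0, clock=time.monotonic) -> None:
        self.max_attempts, self.window, self.lockout = max_attempts, window, lockout
        self._clock = clock                       # injectable for tests
        self._failures: dict = {}                 # user -> deque of timestamps
        self._locked_until: dict = {}

    def is_locked(self, user: str) -> bool:
        return self._clock() < self._locked_until.get(user, 0.0)

    def record_failure(self, user: str) -> bool:
        """Log a failed attempt; return True if this one triggered a lockout."""
        now = self._clock()
        failures = self._failures.setdefault(user, deque())
        failures.append(now)
        while failures and now - failures[0] > self.window:
            failures.popleft()                    # forget attempts outside the window
        if len(failures) >= self.max_attempts:
            self._locked_until[user] = now + self.lockout
            failures.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


def attempt_login(guard: LoginGuard, accounts: dict, user: str, password: str) -> str:
    """Return 'locked', 'ok' or 'bad_credentials'; lockout is checked first so a
    locked account never reaches the password check."""
    if guard.is_locked(user):
        return "locked"
    account = accounts.get(user)
    stored = account.current if account is not None else _DUMMY_HASH
    if verify_password(password, stored) and account is not None:
        guard.record_success(user)
        return "ok"
    guard.record_failure(user)
    return "bad_credentials"


if __name__ == "__main__":
    accounts = {"alice": Account("CorrectHorse1!")}   # constructed sample account
    guard = LoginGuard(max_attempts=3, window=60.0, lockout=120.0)
    print(accounts["alice"].change_password("CorrectHorse1!"))  # reuse blocked
    for _ in range(3):
        print(attempt_login(guard, accounts, "alice", "wrong"))
    print(attempt_login(guard, accounts, "alice", "CorrectHorse1!"))  # now locked
```

The clock is injected so the lockout window can be tested without sleeping, and a successful login clears both the failure counter and any lockout, which is the behaviour most account-lockout policies expect.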
Your data security is our priority
Have questions about our security practices? Our team is ready to discuss how ScopeShift protects your project data.