Scalr is a remote state & operations backend for Terraform™ with full CLI support, integration with OPA, a hierarchical configuration model, and quality of life features like RBAC, OPA Policies, Private Module Registry and many others.
Scalr uses security tools to scan our internal environment, system and services. We also engage professional security firms to perform third-party penetration tests and audits of our environment on an annual basis, respectively, while internal system scans are performed quarterly. The Scalr service is hosted in multiple data centers to provide redundancy. The data centers are geographically distributed and highly redundant in themselves.
A subset of Scalr’s Personnel has access to customer data as necessary to support the platform and provide the service. Individual access is granted based on individual role and job responsibilities. Access to systems containing customer data is reviewed on a regular basis and is monitored on an ongoing basis.
Our solution is hosted on one or more cloud-based Infrastructure-as-a-Service platforms. These cloud providers are responsible for the security of the underlying cloud infrastructure and Scalr company takes the responsibility of securing workloads we deploy inside the cloud infrastructure. Cloud providers monitor and audit computing environments continuously, with certifications from accreditation bodies across geographies and verticals, including ISO 27001, FedRAMP, DoD CSM, and PCI DSS. All data is encrypted in transit and any device storing any data is subjected to data-at-rest encryption. The service makes use of code-level logic and permissions to segregate customer data.
As a user of the Scalr platform, customers should be proactive in recognizing the value and sensitivity of the information provided by the service as well as the need to safeguard such data appropriately. This document details Scalr’s customer responsibilities as they relate to use of the Scalr service. It is the responsibility of Scalr customers to familiarize themselves with the information and procedures set forth below and comply with them.
To safeguard information assets and policy enforcement capabilities available in the Scalr service, the customers’ IT governance processes should include end-user training regarding appropriate use and awareness of the need for securing access to their Scalr account credentials. As with most cloud services, access to Scalr requires a login ID and password or integration with a Single-Sign-On (SSO) provider. When an organization subscribes to the Scalr service, it is the customer’s responsibility to manage which users should be given access to the service. Customers should also define when access should be removed. For example, removing access upon termination of employment or as part of departmental changes that result in change of duties or responsibilities. Only valid account credentials should be used by authorized users to access the Scalr service; users should not share authentication credentials.
The Scalr service should be considered sensitive and confidential by users of the service. Users should follow information security best practices to ensure that access to their account credentials is appropriately limited, and the information and functionality provided by the Scalr service is protected from unauthorized use. Scalr users are responsible for maintaining the security and confidentiality of their user credentials (e.g., Login ID and Password), and are responsible for all activities and uses performed under their account credentials whether authorized by them or not. By establishing user credentials and accessing the platform, users of the Scalr service agree to comply with these requirements to safeguard assets and account information.
The Scalr service can be terminated on the account management page or by contacting Scalr Support.
The Scalr service is accessible via the Internet. As a result, great care must be exercised by Scalr users in protecting their subscription against unauthorized access and use of their credentials. By establishing user credentials and accessing the service, users agree to proactively protect the security and confidentiality of their user credentials and never share account credentials, disclose any passwords or user identifications to any unauthorized persons, or permit any unauthorized person to use or access their Scalr accounts. Any loss of control of passwords or user identifications could result in the loss or disclosure of confidential information and the responsible account owner(s) may be liable for the actions taken under their service account credentials whether they authorized the activity or not. Additionally, when establishing Scalr account credentials, end users are required to establish strong passwords following password strength and complexity best practices; passwords should not be easily guessable.
All Scalr services are monitored 24×7 to meet our service commitments. All planned maintenance will be performed in accordance with Scalr’s maintenance plan, which is communicated to customers when they sign up for the service. If there is a need to perform emergency maintenance for a vulnerability or bug fix, we will notify customers prior to the work being performed. To get updates in real-time, customers can subscribe to email notifications. On the occasion that Scalr customers observe performance issues, problems or service outages, they can contact Scalr Support to report such issues.
By establishing Scalr account credentials or accessing its service, customers agree to notify Scalr immediately of any security incident, including any suspected or confirmed breach of security. Also, users of the service agree to log out or exit the service immediately at the end of each session to provide further protection against unauthorized use and intrusion. Scalr customers should also notify Scalr immediately if they observe any activity or communications in other forums that may indicate that other Scalr customers have had their accounts compromised. Lastly, Scalr encourages users to practice responsible disclosure by notifying Scalr of any potential or confirmed security vulnerabilities. Scalr is dedicated to providing secure services to clients, and will triage all security vulnerabilities that are reported. Furthermore, Scalr will prioritize and fix security vulnerabilities in accordance with the risk that they pose.
Regulatory requirements and industry mandates are continuously increasing in scope & depth and can vary from industry to industry. Scalr users agree to abide by the regulatory requirements, industry mandates, and other compliance requirements imposed on their organizations and understand that use of cloud-based services does not exclude the organizations from responsibilities for restricting access to application information and functionality.
Scalr is dedicated to keeping its cloud platform safe from all types of security issues thereby providing a safe and secure environment to our customers. Data security is a matter of utmost importance and a top priority for us. If you believe you have discovered a security flaw in the Scalr service or its underlying infrastructure, we appreciate your support in disclosing the issue to us in a responsible manner. Our responsible disclosure process is managed by the security team at Scalr. We are always ready to recognize the efforts of security researchers by rewarding them with a token of appreciation, provided the reported security issue is of high severity and not already known to us. When reporting the security vulnerability to our Security team, please refrain from disclosing the vulnerability details to the public outside of this process without explicit permission. Please provide the complete details necessary for reproducing the issue. We determine the risk of each vulnerability by assessing the ease of exploitation and business impact associated with the vulnerability.
As a security researcher, if you identify or discover a security vulnerability in compliance with the responsible disclosure guidelines, Scalr commits to:
Please report security issues to: firstname.lastname@example.org.
You can view our Whistleblower Policy at scalr.com/policies/whistleblower. Issues can be reported via contacts listed in the policy.
Scalr maintains a public bug bounty program. Valid and in-scope reports might be eligible for a payment. By submitting a security bug or vulnerability to Scalr, you acknowledge that you have read and agreed to the Program Terms and Conditions set forth below. By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Scalr’s prior written approval.
You are about to submit a report to Scalr via email (email@example.com). Detailed and quality reporting is important to Scalr. You must include a working Proof of Concept.
Your participation in our program is voluntary and subject to the below terms and conditions:
Furthermore, Scalr does not consider the following to be eligible vulnerabilities:
Valid reports for assets in the following domains are eligible for reward:
Reports for assets in the following domains are not eligible for reward:
By default, we will retain your data indefinitely. You can ask to close your account by contacting us at Scalr Support and we will delete your information upon valid request. We may, however, retain information, including personal information to the extent applicable, for an additional period as is required under applicable laws, for legal, tax, or regulatory reasons, or for legitimate and lawful business purposes.
While rare, we may occasionally change our service terms. This includes, but is not limited to, our commitments regarding security, confidentiality, performance or availability. In the event that we intend to make such changes, we will notify the business contact for the organization at the email address we have within our customer database at least thirty (30) days prior to such changes taking effect.
For general inquiries, please contact us at Scalr Support.