ScoutAtlas
Legal · plain-English summaries above each section

Scout Atlas legal.

Plain language first, formal language second. We treat legal pages as products — readable, well-versioned, and honest about what we do and don’t do.

Plain summary

We treat security as a product feature. This page lists our sub-processors, our incident response SLAs, and the rules of our vulnerability disclosure program. For the prose-level narrative, see the public security page.
Sub-processors

We notify account admins at least 30 days in advance of any sub-processor change. The live list is mirrored to /security/sub-processors.json.

  • Supabase — Postgres database, authentication, row-level security. EU region for European clubs, US region available on request.
  • Vercel — Application hosting and edge delivery for the marketing site and authenticated app shell.
  • Stripe — Payment processing for self-serve trials. PCI-DSS Level 1.
  • Resend — Transactional email (magic links, account notifications, digest emails).
  • Cloudflare — DNS and DDoS protection.

Incident response

  • Detection. Real-time alerting on authentication anomalies, error rate spikes, and database access patterns. Founder-on-call rotation 24/7.
  • Triage. Severity classified inside 30 minutes (S1/S2/S3) per a public runbook.
  • Disclosure. Affected clubs notified inside 72 hours of a confirmed incident affecting their data, with technical detail.
  • Post-mortem. Written post-mortem published to affected clubs inside 14 days, with corrective actions and timelines.

Vulnerability disclosure

We run an open program. Email security@scoutatlas.co with steps to reproduce and (where applicable) a proof-of-concept payload.

  • We acknowledge receipt inside 48 hours.
  • We commit to a remediation timeline inside 7 days, scaled to severity.
  • We credit researchers in the changelog when patches ship — with permission.
  • We commit not to pursue legal action against good-faith researchers who follow the disclosure program rules.

Out of scope

The following are explicitly out of scope for the disclosure program: denial-of-service attacks, social engineering of staff, vulnerabilities in third-party services that are already publicly disclosed, and physical-security testing.

Encryption

  • TLS 1.3 in transit, modern cipher suites only, HSTS preload.
  • AES-256-GCM at rest for sensitive columns.
  • End-to-end encryption for Deal Room messages with per-room keys we cannot read.
  • Per-club key envelopes for opt-in private streams (GPS, biometrics, medical).

Audits

  • SOC 2 Type II readiness audit — Q4 2026.
  • Independent penetration test — annually from year 2 (2027).
  • Quarterly internal review of access permissions and audit logs.

Operated by Oney Finansal Danışmanlık Turizm ve Dış Ticaret Anonim Şirketi (“Oney AŞ”), a joint-stock company organised under the laws of the Republic of Türkiye, with registered office in İstanbul, Türkiye.

Last updated · 5 May 2026 · contact: legal@scoutatlas.co