Security & Trust
Built for sensitive data. ISO 27001 in progress. Confidential by design.
Scaleflow handles source code, architecture docs, and dataroom content on every engagement. Security and confidentiality are not afterthoughts — they are structural requirements of how we operate.
Certifications
Independently verified.
ISO 27001
We are currently in the process of obtaining ISO/IEC 27001 certification — the international standard for information security management systems. Our practices are built to meet this standard across all processes, systems, and engagements.
SOC 2 Type II
SOC 2 Type II certification is underway. Our controls for security, availability, and confidentiality are being independently audited. We will share the report with clients on request once complete.
GDPR
All data processing is GDPR-compliant. Data Processing Agreements (DPAs) are available on request. We never process personal data beyond what is strictly necessary for the engagement.
How we work
Confidential by design.
Confidential by design
Every engagement is covered by a mutual NDA before any access is granted. Your product and technology reality stays strictly between Scaleflow and your organisation — it is never shared with third parties, used in benchmarks, or referenced in marketing without explicit consent.
No data retained
Source code and dataroom content are analysed in-context during the engagement. Nothing is stored on Scaleflow infrastructure after the engagement ends. All temporary artefacts are deleted on completion.
Secure dataroom integration
Our dataroom integrations (GitHub, GitLab, Bitbucket, Notion, Confluence) operate on a principle of least privilege. Access is scoped to exactly what the engagement requires — and is revocable at any time by the client, with a full audit trail.
Common questions
Security FAQs.
Who has access to our code?
Only Scaleflow operators assigned to your engagement. Access is logged, scoped to the relevant repositories, and revoked immediately on engagement completion.
Is our data stored after the engagement?
No. Source code, dataroom content, and any derived artefacts are deleted after the engagement closes. We do not retain your data for model training, benchmarking, or any other purpose.
Do you use AI to process our code?
Yes — AI runs analysis in-context during the engagement. We use enterprise-grade AI infrastructure with data isolation. Your code is never used to train models.
Can we sign a DPA?
Yes. Our Data Processing Agreement is available in the footer under Legal.
What if we can only share a subset of repositories?
We work with whatever access you are comfortable granting. Scoped access is the norm — we limit our analysis to what you share and note any coverage gaps in the report.
Can you work from a read-only dataroom?
Yes. We can ingest read-only datarooms (Notion, Confluence, shared drives, pitch decks). No write access is ever requested or required.
Questions about security?
We are happy to walk through our security posture, share audit reports, or sign a DPA before any engagement begins.