Security at Scape
Scape is built to a security standard that goes beyond typical industry practice. Most services encrypt data at rest and in transit. We additionally encrypt per user, keep data encrypted even inside our own infrastructure, and decrypt only the specific data needed for a given operation, for the duration of that operation, and nothing more.
Encryption architecture
All data is encrypted in transit (TLS) and at rest (AES-256), with encryption applied per user. Decryption keys are held in Google Cloud Key Management Service (KMS) and are never stored alongside the data.
When Scape processes your content, such as generating a summary, drafting a reply, or indexing a meeting, only the data required for that specific request is decrypted. It is re-encrypted the moment processing completes. Your data spends its life encrypted; decryption is the exception, scoped and temporary.
Privileged access to key management is restricted to a break-glass account protected by multi-factor authentication and split credentials. No single individual, including our founders, can access it alone.
EU data residency
Customer Data never leaves the EU. Scape is operated from Stockholm, Sweden, and all processing of your content (hosting, database, AI inference, transcription, and compute) happens within the EU.
Zero data retention for AI
All AI processing of your content runs under contractual zero-data-retention agreements. Our AI Sub-processors process your data solely to produce your result, return it, and store nothing. They are contractually prohibited from using your data to train their models. We don't train on your data either: Customer Data, Analytics Data, and De-Identified Data derived from them are never used for model training, and never sold.
Every processing environment, held to the same standard
Every Sub-processor is bound by a signed DPA and vetted through our vendor due-diligence process.
| Provider | Role | Security measures |
|---|---|---|
| Google Cloud Platform | Hosting, key management, LLM inference | Primary data store and KMS. All LLM inference runs through Google Vertex AI under contractual zero data retention and EU hosting. Your content is never stored or used for training by the model provider. |
| ElevenLabs | Meeting transcription | EU hosting and zero data retention under DPA. We never capture video. Audio is deleted after transcription on both our systems and ElevenLabs', leaving only the transcript, stored encrypted in Google Cloud. |
| PlanetScale | Database (EU-hosted) | Holds only structured metadata: threads, recipients, labels, calendar records. Actual content such as attachments and transcripts stays in Google Cloud; PlanetScale stores only references. Encrypted at all times except during processing, with decryption gated through Google KMS. |
| TurboPuffer | Vector database | Embeddings encrypted at all times except during processing, with decryption gated through Google KMS. |
| Modal | Compute (EU-hosted) | Code that touches email content runs in isolated, ephemeral containers destroyed after each use. No persistent storage, and network egress is restricted to the Scape API only. Data physically cannot leave the environment. |
The current Sub-processor list is maintained in the Scape Trust Center.
Meeting data
During meetings we capture microphone and system audio only, never video or screen contents. Audio recordings are deleted immediately after transcription, on our systems and our transcription provider's. Only the transcript and summary remain, stored encrypted as part of your Customer Data until you delete your account.
You stay in control
Scape never sends emails or takes outbound actions on your behalf automatically. AI-generated drafts and outputs are presented for your review, and nothing is sent unless you explicitly choose to send it.
Access control and tenant isolation
Administrative access to our cloud environment requires multi-factor authentication and is managed through cloud identity and access management. Every workspace is isolated at the application data layer, so one customer's data can never be returned in another customer's context.
Organizational security
All personnel undergo background checks, sign confidentiality agreements, and complete security training. We run centralized logging, monitoring, and incident-response procedures, and perform regular security reviews and vendor due diligence.
Certifications and audits
Scape is certified to SOC 2 Type II and ISO 27001, and our processing of Personal Data complies with the GDPR. We undergo independent third-party audits annually. Current certifications and audit reports are available in the Scape Trust Center.
Incident response and breach notification
We maintain a tested incident-response process. If a Personal Data Breach affects your data, we will notify you without undue delay, and in any case within 72 hours of confirmation, to the extent feasible.
Data deletion
When you delete your account, all associated Personal Data, Customer Data, Analytics Data, and derived data such as embeddings are deleted from our systems within 30 days, except where retention is required by law. Copies may persist temporarily in encrypted backups until overwritten on our standard backup schedule.
Report a vulnerability
Found a security issue? Contact us at security@scape.app. We take every report seriously and respond promptly.