Security Whitepaper

Security at Scape

Scape is built to a security standard that goes beyond typical industry practice. Most services encrypt data at rest and in transit. We additionally encrypt per user, keep data encrypted even inside our own infrastructure, and decrypt only the specific data needed for a given operation, for the duration of that operation, and nothing more.

Encryption architecture

All data is encrypted in transit (TLS) and at rest (AES-256), with encryption applied per user. Decryption keys are held in Google Cloud Key Management Service (KMS) and are never stored alongside the data.

When Scape processes your content, such as generating a summary, drafting a reply, or indexing a meeting, only the data required for that specific request is decrypted. It is re-encrypted the moment processing completes. Your data spends its life encrypted; decryption is the exception, scoped and temporary.

Privileged access to key management is restricted to a break-glass account protected by multi-factor authentication and split credentials. No single individual, including our founders, can access it alone.

EU data residency

Customer Data never leaves the EU. Scape is operated from Stockholm, Sweden, and all processing of your content (hosting, database, AI inference, transcription, and compute) happens within the EU.

Zero data retention for AI

All AI processing of your content runs under contractual zero-data-retention agreements. Our AI Sub-processors process your data solely to produce your result, return it, and store nothing. They are contractually prohibited from using your data to train their models. We don't train on your data either: Customer Data, Analytics Data, and De-Identified Data derived from them are never used for model training, and never sold.

Every processing environment, held to the same standard

Every Sub-processor is bound by a signed DPA and vetted through our vendor due-diligence process.

ProviderRoleSecurity measures
Google Cloud PlatformHosting, key management, LLM inferencePrimary data store and KMS. All LLM inference runs through Google Vertex AI under contractual zero data retention and EU hosting. Your content is never stored or used for training by the model provider.
ElevenLabsMeeting transcriptionEU hosting and zero data retention under DPA. We never capture video. Audio is deleted after transcription on both our systems and ElevenLabs', leaving only the transcript, stored encrypted in Google Cloud.
PlanetScaleDatabase (EU-hosted)Holds only structured metadata: threads, recipients, labels, calendar records. Actual content such as attachments and transcripts stays in Google Cloud; PlanetScale stores only references. Encrypted at all times except during processing, with decryption gated through Google KMS.
TurboPufferVector databaseEmbeddings encrypted at all times except during processing, with decryption gated through Google KMS.
ModalCompute (EU-hosted)Code that touches email content runs in isolated, ephemeral containers destroyed after each use. No persistent storage, and network egress is restricted to the Scape API only. Data physically cannot leave the environment.

The current Sub-processor list is maintained in the Scape Trust Center.

Meeting data

During meetings we capture microphone and system audio only, never video or screen contents. Audio recordings are deleted immediately after transcription, on our systems and our transcription provider's. Only the transcript and summary remain, stored encrypted as part of your Customer Data until you delete your account.

You stay in control

Scape never sends emails or takes outbound actions on your behalf automatically. AI-generated drafts and outputs are presented for your review, and nothing is sent unless you explicitly choose to send it.

Access control and tenant isolation

Administrative access to our cloud environment requires multi-factor authentication and is managed through cloud identity and access management. Every workspace is isolated at the application data layer, so one customer's data can never be returned in another customer's context.

Organizational security

All personnel undergo background checks, sign confidentiality agreements, and complete security training. We run centralized logging, monitoring, and incident-response procedures, and perform regular security reviews and vendor due diligence.

Certifications and audits

Scape is certified to SOC 2 Type II and ISO 27001, and our processing of Personal Data complies with the GDPR. We undergo independent third-party audits annually. Current certifications and audit reports are available in the Scape Trust Center.

Incident response and breach notification

We maintain a tested incident-response process. If a Personal Data Breach affects your data, we will notify you without undue delay, and in any case within 72 hours of confirmation, to the extent feasible.

Data deletion

When you delete your account, all associated Personal Data, Customer Data, Analytics Data, and derived data such as embeddings are deleted from our systems within 30 days, except where retention is required by law. Copies may persist temporarily in encrypted backups until overwritten on our standard backup schedule.

Report a vulnerability

Found a security issue? Contact us at security@scape.app. We take every report seriously and respond promptly.

Reworks AI Labs AB · Luntmakargatan 26, 111 37 Stockholm, Sweden