1. Transport Security

All HTTP traffic to Scalev production domains uses HTTPS with TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enabled with max-age=31536000, includeSubDomains, and preload, and Scalev domains are registered on the major browser preload lists.

Host            TLS       HSTS
scalev.com      TLS 1.2+  preload
app.scalev.com  TLS 1.2+  preload
api.scalev.com  TLS 1.2+  preload
mcp.scalev.com  TLS 1.2+  preload

Certificate issuance is restricted by DNS Certificate Authority Authorization (CAA) records to only permit approved certificate authorities (e.g., Google Trust Services and Let’s Encrypt). Issuance from any other CA is rejected at the DNS level.

2. Authorization and OAuth

Third-party integrations, including the Scalev MCP connector for AI assistants, use OAuth 2.1 with the following controls:

  • Dynamic Client Registration (RFC 7591) and Client ID Metadata Document (RFC 8414) are supported for securely registering third-party clients.
  • Proof Key for Code Exchange (PKCE) with the S256 method is required on every authorization flow.
  • Refresh token rotation: each refresh-token use issues a new refresh token and invalidates the previous one; reuse of a rotated token is detected and refused.
  • Per-business consent: users choose the business(es) to authorize on the consent screen; tokens are issued bound to the approved scopes and businesses.
  • Per-request scope enforcement: the Scalev API validates the token, scope, and business access on every API call; requests outside the approved scopes are rejected.
  • Revocation: users can revoke third-party access at any time from Scalev settings or via the AI assistant's own connection management UI.

Protected Resource Metadata (RFC 9728) is published at mcp.scalev.com/.well-known/oauth-protected-resource/mcp, and Authorization Server Metadata (RFC 8414) at api.scalev.com/v3/oauth/.well-known/oauth-authorization-server.
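As an added illustration (example code, not Scalev's implementation) of two of the controls listed above: PKCE S256 verification per RFC 7636, and a refresh-token store that issues a fresh token on every use and refuses a rotated one. The in-memory store, the token-family concept and revoking the whole family when reuse is detected are assumptions not stated on this page.

```python
import base64
import hashlib
import secrets

# --- PKCE (RFC 7636), S256 method only --------------------------------
def pkce_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def pkce_verify(code_verifier: str, stored_challenge: str, method: str) -> bool:
    """Authorization-server side: 'plain' is refused, only S256 is accepted."""
    if method != "S256":
        return False
    return secrets.compare_digest(pkce_challenge(code_verifier), stored_challenge)

# --- Refresh-token rotation with reuse detection ---------------------
class RefreshTokenStore:
    """Hypothetical in-memory store. Every refresh token belongs to a family
    (one family per grant) and may be redeemed exactly once."""

    def __init__(self) -> None:
        self._tokens = {}              # token -> (family_id, already_used)
        self._revoked_families = set()

    def issue(self, family_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (family_id, False)
        return token

    def redeem(self, token: str):
        """Rotate: return a new refresh token, or None if the presented token
        is unknown, already rotated, or belongs to a revoked family.
        Reuse of a rotated token is treated as theft and revokes the family
        (the family revocation is an assumption beyond what the page states)."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        family_id, already_used = entry
        if family_id in self._revoked_families:
            return None
        if already_used:
            self._revoked_families.add(family_id)   # reuse detected
            return None
        self._tokens[token] = (family_id, True)      # old token is now dead
        return self.issue(family_id)

    def family_revoked(self, family_id: str) -> bool:
        return family_id in self._revoked_families
```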

3. HTTP Security Headers

All HTTP responses from Scalev domains include the following security headers:

Header                     Value
Strict-Transport-Security  max-age=31536000; includeSubDomains; preload
X-Content-Type-Options     nosniff
X-Frame-Options            DENY (clickjacking protection)

Unauthenticated MCP responses include a WWW-Authenticate header with a link to the protected-resource metadata per the OAuth 2.1 standard.
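An added example (not Scalev's code) that checks captured response headers against the transport policy in section 1 and the header table above, and checks that an unauthenticated MCP response carries the RFC 9728 resource_metadata pointer. The sample responses are constructed for illustration; only the header values themselves come from this page.

```python
from typing import Dict, List

# Constructed sample responses, not captures from Scalev domains.
GOOD_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}
WEAK_RESPONSE = {"Strict-Transport-Security": "max-age=300",
                 "X-Frame-Options": "SAMEORIGIN"}
MCP_401 = {"WWW-Authenticate": 'Bearer resource_metadata='
           '"https://mcp.scalev.com/.well-known/oauth-protected-resource/mcp"'}

def parse_hsts(value: str) -> dict:
    """Split 'max-age=N; includeSubDomains; preload' into directive -> value."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip() or True
    return out

def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings against the section 3 policy; empty list means compliant."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    try:
        max_age = int(hsts.get("max-age", 0))
    except (TypeError, ValueError):
        max_age = 0
    if max_age < 31536000:                # one year, required for preload lists
        findings.append("HSTS max-age below 31536000")
    if "includesubdomains" not in hsts:
        findings.append("HSTS missing includeSubDomains")
    if "preload" not in hsts:
        findings.append("HSTS missing preload")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    return findings

def check_www_authenticate(headers: Dict[str, str]) -> bool:
    """RFC 9728: a 401 must carry WWW-Authenticate: Bearer resource_metadata=<url>."""
    value = {k.lower(): v for k, v in headers.items()}.get("www-authenticate", "")
    return (value.startswith("Bearer") and "resource_metadata=" in value
            and "/.well-known/oauth-protected-resource" in value)
```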

4. Audit Logging and Telemetry

Scalev logs public API calls for audit, abuse detection, and incident investigation. Logging practices:

  • MCP connector: only operational metadata (request id, tool name, operation id, status, error code, duration). Bearer tokens, request bodies, and response bodies are not logged by the MCP connector.
  • Scalev API: machine-to-machine calls (OAuth and API key) are logged with metadata and sanitized request/response bodies. Bearer tokens, credentials, and sensitive fields are masked before storage.
  • Retention: machine API logs are subject to a two-week retention partition to minimize the historical data surface.
  • Access: logs are available to merchant business owners through the dashboard for independent audit.

5. Rate Limiting and Abuse Protection

The Scalev public API enforces per-credential rate limits to prevent abuse and protect shared resources. Clients exceeding the limit receive 429 Too Many Requests responses with appropriate retry information. Additional Cloudflare WAF and anomaly detection operate at the edge to block malicious traffic before it reaches the application.

6. Data Protection

  • Encryption in transit: TLS 1.2+ on all client-server communication.
  • Encryption at rest: data is encrypted at the storage layer at our infrastructure provider (DigitalOcean) according to the provider's default standards.
  • No direct card storage: Scalev does not directly store full card numbers or CVV; card processing is delegated to licensed payment gateways.
  • Log sanitization: sensitive fields (tokens, credentials, payment payloads) are masked in logs before storage.
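An added example (not Scalev's code) of the log sanitization described in section 4 and restated here: bearer tokens and credential headers are masked, sensitive body fields are masked while the record's structure and operational metadata are kept for audit. The sensitive-field list, header names and the sample record are assumptions constructed for illustration.

```python
import json
import re
from typing import Any

# Field names treated as sensitive; this list is an assumption, not Scalev's.
SENSITIVE_FIELDS = {"password", "secret", "access_token", "refresh_token",
                    "api_key", "card_number", "cvv"}
CREDENTIAL_HEADERS = {"authorization", "x-api-key", "cookie"}
BEARER_RE = re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]+", re.IGNORECASE)
MASK = "[REDACTED]"

def mask_headers(headers: dict) -> dict:
    """Replace credential-bearing header values; keep the rest for audit."""
    return {name: (MASK if name.lower() in CREDENTIAL_HEADERS else value)
            for name, value in headers.items()}

def mask_body(obj: Any) -> Any:
    """Recursively mask sensitive JSON fields and tokens echoed in free text,
    preserving the structure so the record stays useful for investigation."""
    if isinstance(obj, dict):
        return {k: (MASK if k.lower() in SENSITIVE_FIELDS else mask_body(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask_body(v) for v in obj]
    if isinstance(obj, str):
        return BEARER_RE.sub("Bearer " + MASK, obj)
    return obj

def sanitize_log_record(record: dict) -> dict:
    """Return a copy of the record with headers and body masked before storage."""
    safe = dict(record)
    safe["headers"] = mask_headers(record.get("headers", {}))
    safe["body"] = mask_body(record.get("body"))
    return safe

def to_log_line(record: dict) -> str:
    """Serialize the sanitized record as one JSON line."""
    return json.dumps(sanitize_log_record(record), sort_keys=True)

# Constructed sample record (not a real Scalev log entry).
SAMPLE = {
    "request_id": "req-0001", "method": "POST", "path": "/v3/orders",
    "headers": {"Authorization": "Bearer eyJabc.def.ghi",
                "Content-Type": "application/json"},
    "body": {"customer": {"email": "a@example.com",
                          "card_number": "4111111111111111", "cvv": "123"},
             "note": "retry with Bearer eyJabc.def.ghi"},
}
```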

7. Subprocessor Security

Scalev engages trusted service providers that process Personal Data on our behalf under contracts requiring a level of protection equivalent to these commitments. The primary subprocessor list is available in the Privacy Policy §4. Material changes to the subprocessor list are announced on the Platform.

8. Vulnerability Disclosure

We welcome responsible security vulnerability reports. The official reporting path is the security.txt file:

Response commitment: we acknowledge security reports within two business days and target resolution of critical vulnerabilities (token, authentication, or data exposure) before public disclosure.

Please do not perform penetration testing against other users' production accounts, access data that does not belong to you, or interfere with Service availability. Limited testing against your own test accounts is welcome.

9. Security Contact

Vulnerability reports  security.txt
General inquiries      cs@scalev.com
Service status         status.scalev.com
Privacy Policy         scalev.com/privacy-en