Security Overview
Last updated: June 29, 2026
Effective date: June 27, 2026 · Version 1.0
How ScaleIQ protects your data and operates the Service on Microsoft Azure.
This page summarizes how ScaleIQ protects your data and operates the Service. For detail under NDA, request our security package at trust@scale-iq.ai.
Assurance & certifications
- SOC 2 Type II — examination in progress ScaleIQ is in the process of becoming SOC 2 compliant: an independent, AICPA-accredited CPA firm is examining our controls against the Trust Services Criteria for Security, Availability, and Confidentiality. Target report: Q4 2026. Readiness documentation is available under NDA.
- ISO 27001 — certification targeted for Q4 2026.
- Independent penetration test — scoping underway; summary available under NDA once complete.
Built on Microsoft Azure
Hosting
The Service runs on Microsoft Azure — Azure App Service and Azure SQL (East US 2), with Azure Static Web Apps for the dashboard. EU customers can opt into a designated Azure region on enterprise plans. Physical and platform security is inherited from Microsoft’s certified data centers.
Encryption
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256) using Azure Key Vault. Customer-managed keys are available on enterprise plans.
Tenant isolation
Customer Data is logically separated per tenant, and access is scoped at the application and database layers. AI inference is request-scoped and not pooled across customers. Independent validation of our isolation controls forms part of our in-progress SOC 2 examination and penetration test.
Identity & access
- Microsoft Entra ID — SSO via SAML 2.0 / OIDC; all identity runs through your existing Entra ID.
- MFA required for all ScaleIQ personnel.
- Least privilege — production access is just-in-time, logged, and reviewed quarterly. AssessIQ requests only read-only Microsoft Graph scopes needed for assessment.
- Audit logs — exportable; 13 months retained by default, longer on enterprise plans.
Application security
- Secure SDLC with mandatory peer review and CI gates.
- Static analysis and dependency scanning on every build.
- Independent penetration testing (scoping underway).
- Centralized logging and monitoring via Azure Monitor / Application Insights and Microsoft Defender for Cloud.
Resilience
- Daily encrypted backups; 35-day rolling retention.
- Tested restoration.
- RTO 4 hours · RPO 1 hour.
- Status page: status.scale-iq.ai.
Shared responsibility
ScaleIQ secures the Service; customers are responsible for provisioning their users via Entra ID, enforcing MFA, configuring roles, reviewing audit logs, and maintaining valid tenant-administrator consent.
Responsible disclosure
Report security issues to security@scale-iq.ai (PGP key available on request). We acknowledge within 2 business days and work in good faith with researchers who avoid privacy violations and service disruption, test only their own data, and give us reasonable time to remediate before public disclosure.
Contact
Security: security@scale-iq.ai · Trust & compliance: trust@scale-iq.ai