Last updated: 2026-05-04

Security

ScenarioX is built for organisations that test their cyber resilience for a living. This page describes the technical and organisational measures we use to keep your exercise data safe.

1. Hosting and infrastructure

ScenarioX runs on Scaleway managed infrastructure in the European Union (Paris). The application is deployed on Kubernetes with managed PostgreSQL and Redis, and uses RabbitMQ for asynchronous task processing. Production workloads run in private network segments with strict ingress rules.

2. Encryption

  • In transit: all traffic is served over TLS 1.2 or higher with HSTS enabled.
  • At rest: the managed Postgres database and object storage volumes are encrypted at rest by the hosting provider.
  • Application-level: OAuth tokens for Slack and Microsoft Teams integrations are individually encrypted with Fernet (AES-128-CBC + HMAC-SHA256) before being persisted.
  • Secrets: JWT signing keys, audit-trail HMAC keys and integration encryption keys are rotated and stored in the platform’s secret manager — never in source control.

3. Authentication and access control

  • Passwords are hashed with a modern adaptive hash function (bcrypt-class).
  • TOTP-based two-factor authentication is available for all accounts.
  • API authentication uses short-lived JWT access tokens.
  • Role-based permissions inside each tenant restrict what users can read or modify.
  • SSO/SAML and SCIM provisioning are available on the Enterprise plan.

4. Tenant isolation

ScenarioX is multi-tenant at the application layer. Every tenant-scoped record carries a tenant_id and every database query is required to filter by that column. The base model mixin enforces the column on schema creation; the data-access layer enforces the filter on read and write paths. Cross-tenant access requires an explicit administrative action that is itself audit-logged.

5. Tamper-evident audit trail

Security-relevant events — exercise actions, role changes, integration connections, AI prompt executions — are written to an append-only audit log. Each entry includes an HMAC computed over its content and the hash of the previous entry, forming a hash chain. Any modification of a past entry invalidates every entry that follows, making silent tampering detectable.

6. AI prompt safety

User input that flows into AI prompts (scenario descriptions, persona briefs, chat questions for the virtual facilitator) is run through a prompt-guard layer that strips known prompt-injection patterns and enforces field-level limits. The AI client applies a final guard pass on the assembled message list before sending it upstream. The AI provider is contractually prohibited from training on Customer Data.

7. Secure development

  • All changes go through code review before merge.
  • Continuous integration runs linting, type checking and the test suite on every pull request.
  • Dependencies are pinned and security advisories are monitored.
  • Production deployments are reproducible from container images built in CI.
  • Production database migrations are reviewed and applied through Alembic with rollback paths.

8. Backups and disaster recovery

Production databases are backed up daily with point-in-time recovery covering a rolling 30-day window. Backups are encrypted and stored in the same EU region as the primary database. We test restore procedures periodically and document Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets in our internal runbook.

9. Incident response

We maintain an incident response runbook covering detection, containment, eradication, recovery and post-incident review. In the event of a confirmed personal-data breach we notify affected customers without undue delay and, where required, the relevant supervisory authority within 72 hours, in line with GDPR Art. 33.

10. Vulnerability disclosure

If you believe you have found a security vulnerability in ScenarioX, please report it to info@scenariox.io with a clear description and reproduction steps. We commit to:

  • Acknowledge your report within 3 business days.
  • Provide a triage assessment within 10 business days.
  • Keep you informed about remediation progress.
  • Not pursue legal action against good-faith researchers who follow this disclosure policy and avoid privacy violations, service disruption and data destruction.

Out of scope: social engineering of staff, denial-of-service testing, automated scans against production, and findings against third-party services we do not control.

11. Certifications

Independent compliance certifications (SOC 2 Type II, ISO 27001) are on our roadmap. See the Compliance page for current status and the regulatory frameworks we help our customers prepare for.

12. Contact

Security questions, security questionnaires, DPA requests — write to info@scenariox.io.