Scoro Security Overview

Scoro is available to its clients as a Software-as-a-Service (SaaS) solution. This means that an instance of the software (a site) is created for each client, who can access it from anywhere with an internet connection. The platform and its data are accessible through several channels: web, mobile app, and API.

The software contains many features in itself, but it also acts as a hub integrating external services such as Xero, QuickBooks, and other financial systems, email, reporting suites, and thousands of other applications available through Zapier. The client controls which other services they connect to.

Having this much data, and this many access points to it, is a lot of responsibility. Scoro is adamant about data security, and we put a lot of effort into ensuring our clients’ data is protected from unwanted parties. Security is controlled on many levels. Within each site, access rights can be granted to different user groups. Permissions for integrating external products or exposing data over the API can be set for each service and are managed by the site’s admin. The software is penetration tested annually against the OWASP Application Security Verification Standard. For major feature releases, additional penetration tests are carried out.

Scoro software is hosted in several AWS data centers. In addition to improving the speed of delivery, this allows our clients to comply with government and other regulations they may need to uphold. The security and availability of each data center are managed by proficient providers and are regularly verified by us and by external partners.

Scoro understands the risks related to data security and works proactively to manage and resolve them. What follows is a detailed overview of how Scoro handles, stores, and secures the data across all data centers.


Upgrades and Maintenance

Scoro has regular maintenance windows for updates and backups. Backups are made nightly and do not affect user experience. During updates, Scoro services are not available for users. This usually takes 30 seconds, but on rare occasions and for larger sites it may take a bit longer.

Scoro has a regular update and improvement cycle. In 2021, there were 11 major releases (versions). Minor upgrades are released only for security or user experience improvements and are done without interfering with site availability.

All upgrades are mandatory, i.e. Scoro clients cannot opt out of service pack upgrades. However, on specific request, major version updates can be postponed to a suitable time within designated limits.

Scoro ensures that upgrades do not break external client integrations by versioning the API, so that integrations clients have built against the Scoro API documentation remain backward compatible.

Logging and System Management

Every action made by users and administrators is logged and visible under the Activity Log (as defined in the platform). The general types of events logged are user-based activities (adding, modifying, exporting, deleting, logging in and out, importing, and modifying statuses) in all modules of the platform.

All logged events can be sent to the dashboard or to connected systems via webhooks. Site administrators can create custom system management dashboards or populate existing dashboards with metrics from the Scoro API.

Scoro does not limit the size of the logs. The logs are removed from the system after three years.

Hosting Infrastructure, Backup and Disaster Recovery

Scoro uses Amazon Web Services to host its infrastructure.

Each client can specify the region where their data is hosted. By default, the region closest to the registration country is chosen. Currently available locations are Canada (Toronto), Germany (Frankfurt), Sweden (Stockholm), and Australia (Sydney).

Scoro’s documented plans for recovering operations and network connectivity in the event of a local or regional disaster rely on storing backups in multiple locations. The data recovery plans are updated and tested annually.

The Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for Scoro clients’ hosted instances are each up to 12 hours for the whole site. This means that within 12 hours all sites should be restored to a working state.

Scoro client sites’ databases and files are backed up daily.

Integration, Data Import, Export, and Location

Scoro exposes web services over an API – an interface for accessing clients’ Scoro account data using HTTPS and JSON. You can find the API description here. The API makes it easy to create web and desktop applications that integrate with clients’ data in Scoro.

Scoro API allows reading and writing structured information to and from the client’s Scoro account. We recommend using the API for inbound data from external services and/or third-party providers.

Available object types that are accessible via the API are listed in the general Scoro API description.

Scoro supports File Transfer Protocol (FTP/SFTP), Dropbox, and Google Drive for external file storage.

Scoro clients can export data from Scoro to their own solutions by extracting export files in CSV and XLS formats. The same file formats are also supported for data import to Scoro.

Performance and Benchmarking

Scoro’s system runs on a high-availability, scalable setup. This means that additional worker instances are created based on the site’s load. Additionally, the workers are distributed across multiple nodes in different availability zones, which preserves uptime even in the case of a technical issue with one node or an entire availability zone.

Scoro is continuously working on making the product faster. This includes improving the code base, underlying infrastructure, and also testing new solutions.

Architecture and Supported Platforms

Scoro can be used with any modern web browser.

The system works on all desktop/laptop operating systems (Windows, Macintosh, etc.).

Scoro supports the main modern smartphone and tablet operating systems (iOS, Android, etc.) through the browser.

Security

Scoro classifies data by sensitivity, both in storage and in transit, and employs additional measures when handling more sensitive data.

Scoro has internal processes and policies in place covering software development, employee access management, infrastructure management, etc. Scoro Software OÜ is ISO 27001 certified. To keep improving our security policies and procedures, we have established an Information Security Working Group that is responsible for the continuous improvement of policies, processes, and security practices.

Clients can enable 2-step verification on their site for extra security.

Scoro supports Single Sign-On (SSO). This allows companies to implement their own authentication service and make it simpler for their users to log in while guaranteeing security.

In the client-side implementations of Scoro (the browser version, the offline-access app, and the tablet and smartphone versions), some data is cached on the client. This data is deleted when the client’s session ends.

Scoro uses the HTTPS protocol for every transaction. All passwords are hashed with an aes-256-cbc cipher using a salt.

The threat of information being mistakenly disclosed to unauthorized people is addressed by awareness and training, removal of unnecessary data (electronic and paper), use of screen savers and lockouts, verification of the identity of individuals requesting access, and other relevant safeguards that enforce the principle of “need to know.”

The threat of information knowingly being misused by Scoro’s workforce and contractors is addressed by policy and practice, background checks, role-based access to information, oversight of data authorization by a supervisor, terminating access to data for terminated employees and employees changing job functions, a prohibition on sharing passwords, and other relevant safeguards.

The threat of physical theft or loss of data is addressed by policies on the storage of confidential data on laptops, USB drives, and other portable devices, encryption of data on portable devices, removal of unnecessary information, physical protection of desktops and servers, and other relevant safeguards.

The controls in use to address community concerns regarding privacy practices are covered in the Terms of Use.

For credit-card-based and other e-commerce transactions executed through Scoro, transaction security is assured by Scoro’s trusted partner Adyen. Scoro does not store any information regarding the client’s credit cards except the expiration date and the last four digits of the card number, which are shown so the client can see which card is being used.

Scoro supports Secure Sockets Layer with 128-bit or stronger encryption for connecting to the application.

Scoro hosting environments provide redundancy and load balancing for firewalls, intrusion prevention, and other critical security elements.

All Scoro clients have separate databases and application directories. Larger clients also receive a dedicated database instance.

There are internal background checks on personnel with administrative access to servers, applications, and client data. Three members of Scoro are dedicated to application and infrastructure security.

Scoro’s help desk is managed via email; no external access is given to the client.

Conclusion

Thank you for expressing your interest in Scoro’s security practices.

Scoro is continuously improving its security measures, policies, processes, practices, and technologies; therefore the information found in this document is subject to change.

If any questions arise, or if specific topics are not addressed in this document, feel free to contact our Customer Support.

If you find a vulnerability, we kindly ask you to contact our security team.