Scoro Security Overview

Scoro is available to its clients as a Software-as-a-Service (SaaS) solution. This means that an instance of the software (a site) is created for each client, and they can access it wherever they are, as long as they have internet access. The platform and its data are accessible through several mediums: web, mobile app, and API.

The software contains many features in itself, but it also acts as a hub integrating external services such as Xero, QuickBooks, and other financial systems, email, reporting suites, and thousands of other applications available through Zapier. The client controls which other services they connect to.

Having this much data and so many different access points to it is a lot of responsibility. Scoro is adamant about data security, and we put a lot of effort into ensuring our clients’ data is protected from unwanted parties. Security is controlled on many levels. Within each site, access rights can be granted to different user groups. Permissions for integrating external products or exposing data over the API can be set for each service and are managed by the site’s admin. The software is pen tested annually based on the OWASP Application Security Verification Standard. In the case of major feature releases, additional penetration tests are carried out.

Scoro software is hosted at various AWS data centers. In addition to improving the speed of delivery, this allows our clients to comply with government and other regulations they may need to uphold. The security and availability of each data center are managed by proficient providers and are often verified by us and by external partners.

Scoro understands the risks related to data security and works proactively to manage and resolve them. What follows is a detailed overview of how Scoro handles, stores, and secures the data across all data centers.

Upgrades and Maintenance

Scoro has regular maintenance windows for updates and backups. Backups are made nightly and do not affect user experience. During updates, Scoro services are not available for users. This usually takes 30 seconds, but on rare occasions and for larger sites it may take a bit longer.

Scoro has a regular update and improvement cycle. In 2024, there were 13 major releases or versions. Minor upgrades are released only for security or user experience improvement purposes and are done without interfering with site availability. 

All upgrades are mandatory, i.e. Scoro clients cannot opt out of service pack upgrades. However, it is possible to postpone major version updates on specific request to a suitable time within designated limits.

Scoro ensures that upgrades do not break external client integrations by versioning the API, so that integrations set up by clients stay backward compatible with the Scoro API documentation.

Logging and System Management

Every action made by users and administrators is logged and visible under Activity Log (as defined in the platform). The general types of events that are logged are user-based activities (adding, modifying, exporting, deleting, logging in and out, importing, modifying statuses) in all modules of the platform.

All logged events can be sent to the dashboard or to connected systems via webhooks. Site administrators can create custom system management dashboards or populate existing dashboards with metrics from the Scoro API.

Scoro does not limit the size of the logs. The logs are removed from the system after three years.

Hosting Infrastructure, Backup and Disaster Recovery

Scoro uses Amazon Web Services to host its infrastructure.

Each client can specify the region where their data is being hosted. By default, the closest to the registration country is chosen. 

Hosting locations:

  • Canada (Toronto)
  • Germany (Frankfurt)
  • Sweden (Stockholm)
  • Australia (Sydney)

Scoro’s documented plans for recovering operations and network connectivity in the event of a local or regional disaster rely on storing backups in multiple locations. The data recovery plans are updated and tested annually.

The Recovery Time Objective (RTO) is 12 hours, and the Recovery Point Objective (RPO) is 24 hours.

Scoro client sites’ databases and files are backed up daily.

Integration, Data Import, Export, and Location

Scoro exposes web services over an API – an interface for accessing clients’ Scoro account data using HTTPS and JSON. You can find the API description here. The API makes it easy to create web and desktop applications that integrate with clients’ data in Scoro.

Scoro API allows reading and writing structured information to and from the client’s Scoro account. We recommend using the API for inbound data from external services and/or third-party providers.

Available object types that are accessible via the API are listed in the general Scoro API description.

Scoro supports File Transfer Protocol (FTP/SFTP), Dropbox, and Google Drive for external file storage.

Scoro clients can export data from Scoro to their own solutions by extracting export files in CSV and XLS formats. The same file formats are also supported for data import to Scoro.

Performance and Benchmarking

Scoro’s system runs on a high-availability, scalable setup. This means that additional worker instances are created as the site’s load increases. Additionally, the workers are distributed across multiple nodes in different availability zones, which guarantees uptime even in case of a technical issue with one node or an entire availability zone.

Scoro is continuously working on making the product faster. This includes improving the code base, underlying infrastructure, and also testing new solutions.

Architecture and Supported Platforms

Scoro can be used with any modern web browser.

The system works on all desktop/laptop operating systems (Windows, Macintosh, etc.).

Scoro supports the main modern smartphone and tablet operating systems (iOS, Android, etc.), limited to a browser.

Security

Scoro ranks the sensitivity of data storage and transportation. We employ special measures when handling more sensitive data.

Scoro has internal processes and policies in place covering software development, employee access management, infrastructure management, etc. Scoro Software OÜ is ISO 27001 certified. We continue improving our security policies and procedures; to that end, we have established an Information Security Working Group, which is responsible for the continuous improvement of policies, processes, and security practices.

Clients can enable 2-step verification on their site for extra security. 

Scoro supports Single Sign-On (SSO). This allows companies to implement their own authentication service and make it simpler for their users to log in while guaranteeing security.

For client-side implementations of Scoro (the browser version, the offline-access app, and the tablet and smartphone versions), some of the data is cached client-side. The data is deleted when the client’s session terminates.

Scoro uses the HTTPS encryption protocol for every transaction. All passwords are hashed with an aes-256-cbc cipher using salt.

The threat of information being mistakenly disclosed to unauthorized people is addressed by awareness and training, removal of unnecessary data (electronic and paper), use of screen savers and lockouts, verification of the identity of individuals requesting access, and other relevant safeguards that enforce the principle of “need to know.”

The threat of information knowingly being misused by Scoro’s workforce and contractors is addressed by policy and practice, background checks, role-based access to information, oversight of data authorization by a supervisor, revoking data access for departing employees and for employees changing job functions, a prohibition on sharing passwords, and other relevant safeguards.

The threat of physical theft or loss of data is addressed by policies on the storage of confidential data on laptops, USB drives, and other portable devices, encryption of data on portable devices, removal of unnecessary information, physical protection of desktops and servers, and other relevant safeguards.

The controls in use to address community concerns regarding privacy practices are covered in the Terms of Use.

For credit-card-based and other e-commerce transactions executed through Scoro, transaction security is assured by Scoro’s trusted partner Stripe. Scoro does not store any information regarding the client’s credit cards except the expiration date and the last four digits of the card number, so the client can see which card is being used.

Scoro supports Secure Sockets Layer with 128-bit or stronger encryption for connecting to the application.

Scoro hosting environments provide redundancy and load balancing for firewalls, intrusion prevention, and other critical security elements.

All Scoro clients have separate databases and application directories. Larger clients also get a dedicated database instance.

There are internal background checks on personnel with administrative access to servers, applications, and client data.

Scoro’s help desk is managed via email; no external access is given to the client.

Vulnerability Disclosure Program

Scoro welcomes reports from security researchers and customers to help us keep our product and customers safe. If you believe you’ve found a security vulnerability, please report it to us and allow us a reasonable amount of time to investigate and remediate.

This is a vulnerability disclosure program, not a bug bounty. We do not guarantee monetary rewards. In some cases, at our sole discretion, we may choose to offer a token of appreciation.

How to report

Email: [email protected]

Please include (as applicable):

  • A clear description of the issue and the potential impact

  • Affected asset / URL / endpoint (and tenant/site if relevant)

  • Steps to reproduce (or a minimal proof-of-concept)

  • Screenshots, logs, request/response samples

  • Your contact details and preferred way to communicate

If you accidentally access data that isn’t yours: stop immediately, do not save or share it, and report what happened.

Scope

In scope

  • Scoro SaaS application (customer sites hosted on Scoro infrastructure under *.scoro.com)

  • Scoro public API (api.scoro.com)

  • Official Scoro mobile applications (iOS/Android)

  • Scoro-owned and operated web properties directly related to authentication/account security (including www.scoro.com)

Out of scope

  • Third-party services and integrations not operated by Scoro (for example the help center and status tooling at support.scoro.com and status.scoro.com)

  • Vulnerabilities that require physical access to a user’s device, social engineering, or insider access

  • Reports with no clear security impact (e.g., best-practice header recommendations without exploitability)

If you’re unsure whether something is in scope, please send an email to [email protected] and we’ll provide clarification.

Rules of engagement

To keep our customers safe, you must follow these rules:

  • Do not perform DDoS / stress testing, or any activity that degrades availability

  • Do not exfiltrate data (no bulk access, no database dumps, no scraping). Only access the minimum needed to prove the issue.

  • Do not violate privacy: no access to other customers’/users’ data, no credential harvesting, no session hijacking of real users

  • Do not use phishing or social engineering, or attempt to extort Scoro or our customers

  • Do not persist access (no backdoors, no creating admin users, no long-lived tokens)

  • Only use accounts/tenants you own or are explicitly authorized to test. If you create a test tenant, we recommend using the naming convention (vdpaccount-<unique-id>.scoro.com) so it’s easier for us to track and support testing.

We may ask you to stop testing if we believe there is risk to customers or service stability.

What you can expect from us

Acknowledgement & initial outcome: We aim to contact you as soon as possible confirming we’ve received your report and providing our initial determination, such as:

  • we plan to address it based on initial triage,

  • it has been backlogged for future work,

  • it is a duplicate of an existing report,

  • it is out of scope or not a security issue as reported,

  • we need more information to proceed.

Remediation timelines are not fixed. Once remediation is implemented, we will email you a confirmation. Remediation may include mitigations, partial fixes, or a complete fix.

Conclusion

Thank you for expressing your interest in Scoro’s security practices. 

Scoro is continuously improving its security measures, policies, processes, practices, technologies, and therefore the information found in this document is subject to change. 

In case any questions or specific topics not addressed in this document arise, feel free to contact our Customer Support.