Scoro Security Overview

Scoro is available to our clients as Software-as-a-Service (SaaS). This means that an instance of the software is created for each customer, and they can access it wherever they are. The platform and its data are accessible through several channels: web, mobile app, Zapier, and the API.

The software contains a lot of features in itself, but it also acts as a hub integrating external services such as Xero, QuickBooks and other financial systems, email, reporting suites, and thousands of other applications available through Zapier.

Having this much data and this many access points to it is a lot of responsibility. Scoro is adamant about data security, and we put a lot of effort into making sure our customers’ data is protected from unwanted parties. Security is controlled on many levels. Within each site, access rights can be granted to different user groups. Permissions for integrating external products or exposing data over the API can be set per service and are managed by the site’s admin. The software is tested yearly for different attack vectors.

Scoro software is hosted in different data centers around the globe. This both improves the speed of delivery and allows our clients to comply with government and other regulations they may need to uphold. The security and availability of each data center is managed by proficient providers and is regularly verified by us and by external partners.

Scoro understands the risks related to data security and works proactively to manage and resolve them. Below is a detailed overview of how Scoro handles, stores and secures data across all data centers.

Upgrades and Maintenance

Scoro has regular maintenance windows for updates and backups. Backups are made nightly and do not affect the user experience. During updates, Scoro services are not available to users. This usually takes 30 seconds, but on rare occasions, and for larger sites, it may take a bit longer.

Scoro has a regular update and improvement cycle. In 2018, there were 10 major releases or versions. Minor upgrades are released only for security or user experience improvements and are done without interrupting the user.

All upgrades are mandatory, i.e. Scoro clients cannot opt out of service pack upgrades. However, it is possible to postpone an upgrade to a suitable time within designated limits.

We make sure that upgrades do not break external client integrations. This is done by versioning the API and keeping it backwards compatible.

Logging and System Management

Scoro logs end-user and administrator actions in Activity Logs. These are also available to clients, with access limited to specific users. The general types of events logged are user-based activities (adding, modifying, exporting, deleting, logging in and out, importing, modifying statuses) in all modules of the platform.

All logged events can be sent to the dashboard or to connected systems via webhooks. Site administrators can create custom system management dashboards or populate existing dashboards with metrics from the Scoro API.

Scoro does not limit the size of the logs; logs are removed from the system after three years.

Hosting Infrastructure, Backup and Disaster Recovery

The data centers are provided by Scoro’s trusted partner Linx Telecommunications BV. They are rated Tier 2 under the Uptime Institute tier classification and certified to ISO 9001 and ISO 27001. In Australia and Canada, Scoro partners with Amazon Web Services.

Customers are not permitted to visit or tour the data center facilities.

Scoro’s documented plans for recovering operations and network connectivity in the event of a local or regional disaster rely on storing backups in multiple locations. The data recovery plans are reviewed and updated yearly.

The Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for Scoro customers’ hosted instances are each up to 4 hours for the whole site. This means that within 4 hours all sites should be restored to working order.

Scoro backs up each site’s database and files daily.

Scoro tests the backup restoration process weekly. We validate file integrity and run regression tests.

Integration, Data Import, Export and Location

Scoro exposes web services over an API – an interface for accessing a customer’s Scoro account data over HTTPS using JSON. See the API description. The API makes it easy to create web and desktop applications that integrate with a customer’s data in Scoro.

The Scoro API allows reading and writing structured information to and from the customer’s Scoro account. We recommend using the API for inbound data from external services and/or third-party providers.

The object types accessible via the API are listed in the general Scoro API description.

Scoro supports File Transfer Protocol (FTP), Dropbox and Google Drive for external file storage.

Scoro customers can export data from Scoro to their own solutions by extracting export files in CSV, XLS or XLSX format.

Performance and Benchmarking

The Scoro system runs in multiple data centers and includes both private servers and cloud platforms. Computing power can be expanded or reduced based on usage requirements.

Customer environments are vertically scalable. Depending on usage levels, we can move a site to larger or faster hardware.

Scoro is continuously working on making the product faster. This includes improving the code base and testing new solutions.

Architecture and Supported Platforms

Scoro can be used with any modern web browser.

The system works on all desktop/laptop operating systems (Windows, Macintosh, etc.).

Scoro supports the main modern smartphone and tablet operating systems (iOS, Android, etc.) through the browser.

Security

Scoro classifies stored and transmitted data by sensitivity. We employ additional measures when handling more sensitive data.

Scoro’s information security controls are certified by Clarified Security OÜ. Our employees receive security training on a regular basis.

Currently, Scoro does not support customers’ own internal Single Sign-On (SSO) infrastructures. A solution is on the product roadmap and will be implemented as soon as possible.

Scoro does not provide tokens as secondary authentication for read-and-signs or electronic signatures for certificates.

In client-side implementations of Scoro (including the browser version, the offline-access version (the app), and the tablet and smartphone versions), some data is cached client-side. This data is deleted when the customer’s session terminates.

Scoro implements a tandem approach to data storage, meaning that the backup server is fully functional and contains all of the data.

The mechanisms, policies and procedures in use for safeguarding stored data comply with the ISO 9001 and ISO 27001 certifications the data centers hold (use of intrusion detection, antivirus, firewalls, vulnerability scanning, penetration testing, encryption, authentication and authorization protections and policies, including those involving passwords, removal of unnecessary network services, limiting of administrative access, code review, logging, employee training and other relevant safeguards).

Scoro uses the HTTPS encryption protocol for every transaction. All passwords are encrypted with the aes-256-cbc cipher.

The threat of information being mistakenly disclosed to unauthorized people is addressed through awareness and training, removal of unnecessary data (electronic and paper), use of screen savers and lockouts, limiting storage of confidential data on remote devices, verification of the identity of individuals requesting access, and other relevant safeguards that enforce the principle of “need to know.”

The threat of information knowingly being misused by Scoro’s workforce and contractors is addressed through a strong sanctions policy and practice, background checks, role-based access to information, supervisor oversight of data authorization, revoking data access for departing employees and employees changing job functions, a prohibition on sharing passwords, and other relevant safeguards.

The threat of physical theft or loss of data is addressed by policies on the storage of confidential data on laptops, PDAs, USB drives and other portable devices, encryption of data on portable devices, removal of unnecessary information, physical protection of desktops and servers, and other relevant safeguards.

The controls in use to address community concerns regarding privacy practices are covered in the Terms of Use and are listed in Appendix 1.

For credit-card-based and other e-commerce transactions executed through Scoro, transaction security is assured by Scoro’s trusted partner Adyen. Scoro does not store any information regarding customers’ credit cards except the expiration date and the last four digits of the card number, which are shown to the client to identify the card in use.

Scoro supports Secure Sockets Layer (SSL) with 128-bit or stronger encryption for connecting to the application.

Scoro hosting environments provide redundancy and load balancing for firewalls, intrusion prevention and other critical security elements.

Scoro performs external penetration tests at least quarterly and internal network security audits at least annually. These audits are structured according to the OWASP Application Security Verification Standard (ASVS).

Scoro provides protection against denial-of-service attacks on the hosted solution.

Each Scoro customer has its own database and its own application directory.

Internal background checks are performed on personnel with administrative access to servers, applications and customer data. Three Scoro staff members are dedicated to application and infrastructure security.

Scoro’s helpdesk is managed via email; no external access to the customer is given.
