Scalar Field Cybersecurity Policy
Last Update: April 21, 2026
Scalar Field is committed to maintaining a robust cybersecurity program to protect the confidentiality, integrity, and availability of our systems and the data entrusted to us by our users. This policy outlines the key areas of our cybersecurity practices.
1. Data Classification and Handling
Scalar Field classifies data into the following categories to ensure appropriate handling and protection:
  • Personally Identifiable Information (PII): User names, email addresses, and authentication credentials. PII is collected only as necessary and stored in encrypted databases; access is restricted to authorized personnel and services on a need-to-know basis.
  • Financial Account Data: Account identifiers and portfolio data received from connected brokerage accounts and financial services (e.g., via Plaid or brokerage OAuth). Scalar Field does not store brokerage login credentials or wallet private keys. Financial data is handled with the highest level of care and is used solely to provide requested platform features.
  • Usage and Analytics Data: Queries, session metadata, device and browser information, and IP addresses. This data is used for service improvement and analytics and is handled in accordance with our Privacy Policy.
  • Payment Data: Payment processing is handled entirely by Stripe, our PCI-DSS-compliant payment processor. Scalar Field does not directly store, process, or transmit credit card or bank account numbers.
Data handling procedures are enforced through technical controls, including role-based access, encryption, and audit logging. Employees and contractors are trained on data handling policies and are bound by confidentiality agreements.
2. Access Control and Privileged Access Management
Scalar Field enforces strict access control measures across all systems:
  • Principle of Least Privilege: Access to production systems, databases, and infrastructure is granted on a need-to-know basis and limited to the minimum permissions required to perform job functions.
  • Multi-Factor Authentication (MFA): MFA is required for all access to cloud infrastructure consoles, code repositories, deployment pipelines, and administrative interfaces.
  • Role-Based Access Control (RBAC): Access permissions are assigned based on defined roles. Privileged access to production databases and infrastructure is limited to a small set of authorized personnel.
  • Session Management: User sessions are managed via secure, HTTP-only cookies over HTTPS. Sessions expire after periods of inactivity and are revocable upon logout or account deactivation.
  • Access Reviews: Access privileges are reviewed periodically. Access is promptly revoked when personnel change roles or leave the organization.
3. Encryption of Data at Rest and in Transit
  • Data in Transit: All communications between users and the Scalar Field platform are encrypted using TLS 1.2 or higher (HTTPS). All API calls between the frontend, backend services, and third-party integrations are conducted over encrypted channels.
  • Data at Rest: Sensitive data stored in databases is encrypted at rest using AES-256 encryption (or equivalent), as provided by our cloud infrastructure provider. Encryption keys are managed through the cloud provider's key management service and are rotated in accordance with industry best practices.
  • Secrets Management: API keys, OAuth client secrets, database credentials, and other sensitive configuration values are stored in secure environment variables and secrets management systems. They are never committed to source code repositories.
4. Vulnerability Management and Patch Management
  • Dependency Scanning: Third-party libraries and dependencies are regularly audited for known vulnerabilities. Automated tools are used to monitor for newly disclosed vulnerabilities in our software supply chain.
  • Patch Management: Critical and high-severity security patches are applied promptly upon release. Non-critical patches are evaluated and applied within a reasonable timeframe as part of regular maintenance cycles.
  • Infrastructure Updates: Operating systems, runtime environments, and container images used in production are kept up to date with the latest security patches.
  • Responsible Disclosure: Scalar Field welcomes responsible security disclosures. Security researchers and users can report vulnerabilities to info@scalarfield.io.
5. Incident Response and Disaster Recovery
  • Incident Detection: Scalar Field employs monitoring and alerting systems to detect anomalous activity, unauthorized access attempts, and service disruptions in real time.
  • Incident Response Plan: A documented incident response plan is in place that defines roles, responsibilities, escalation procedures, and communication protocols. The plan covers identification, containment, eradication, recovery, and post-incident review.
  • Notification: In the event of a data breach affecting user personal information, affected users and relevant regulatory authorities will be notified in accordance with applicable laws and regulations.
  • Backups and Recovery: Critical data and systems are backed up regularly. Backups are encrypted and stored in geographically separate locations. Recovery procedures are tested periodically to ensure business continuity.
  • Business Continuity: Our infrastructure is designed for high availability with redundancy across multiple availability zones. Disaster recovery procedures are documented and maintained to minimize downtime in the event of a major incident.
6. Physical Security
Scalar Field's production infrastructure is hosted on managed cloud platforms that maintain SOC 2 Type II, ISO 27001, and other industry-standard certifications for physical security. Physical access to data centers is managed entirely by the cloud provider, with controls including biometric access, 24/7 surveillance, environmental protections, and restricted entry protocols.
Corporate workstations used by Scalar Field personnel are protected with full-disk encryption, screen lock policies, and endpoint security software. Remote access to internal systems requires VPN and multi-factor authentication.
7. Vendor Risk Management
Scalar Field relies on a limited set of third-party vendors to provide certain platform features. Each vendor is evaluated for security practices before integration:
  • Payment Processing (Stripe): PCI-DSS Level 1 certified. Scalar Field does not handle or store payment card data directly.
  • Financial Account Linking (Plaid): SOC 2 Type II certified. Handles credential verification independently. Scalar Field does not receive or store user banking credentials.
  • Brokerage Integration: Connected brokerage providers are FINRA/SIPC member firms. OAuth-based integration ensures Scalar Field never accesses or stores brokerage login credentials. Account data received is limited to what is necessary for requested platform features.
  • Cloud Infrastructure and Hosting: Production infrastructure is hosted on platforms with SOC 2, ISO 27001, and equivalent certifications.
  • Analytics: Analytics services are configured to minimize data collection and are used solely for product improvement purposes.
Vendor relationships are reviewed periodically. Contracts with vendors include data protection and confidentiality provisions. Scalar Field monitors vendor security posture and will discontinue use of any vendor that fails to maintain adequate security standards.
8. Policy Review and Updates
This Cybersecurity Policy is reviewed and updated at least annually, or more frequently as needed in response to changes in our technology, business operations, regulatory requirements, or the threat landscape. Material changes will be reflected in the "Last Update" date at the top of this page.
9. Contact Information
If you have any questions about this Cybersecurity Policy or wish to report a security concern, please contact us at: info@scalarfield.io