Security

We're still drafting the full security overview. The short version:

• Scopivo runs on Google Cloud and Firebase. Authentication is handled by Firebase Auth.
• Documents and account data live in Firestore behind security rules that scope every read and write to the owning organization.
• Logos and other assets sit in private Google Cloud Storage and are served via short-lived signed URLs, never public links.
• Public document links (proposals, contracts, invoices) are gated by unguessable share tokens, scoped per document, and revoked when the document is moved back to draft or cancelled.
• Public client-facing forms (intake, booking) are protected by Cloudflare Turnstile and per-IP rate limiting.
• Payments are processed by Stripe; Scopivo never sees full card numbers.

Found something concerning? Please email hello@scopivo.com with details and we'll respond quickly.