security & trust.
BotScope is built like an instrument, and we treat the data behind it the same way. This page sets out, plainly, how we protect your data — and how to reach us if you find something we should fix.
- All traffic is encrypted in transit with TLS; data is encrypted at rest by our infrastructure providers.
- Core infrastructure is hosted on reputable cloud providers in the European Economic Area.
- Each customer's data is isolated at the database layer so one account cannot read another's.
- Card data is handled directly by Stripe — we never see or store full card numbers.
- Found a vulnerability? Email [email protected] — see section 11.
This page describes our current practices and commitments; it is not a contractual service-level guarantee.
SECT.01 Our approach.
We take a pragmatic, defence-in-depth approach to security: encrypt everything, isolate customer data, grant the least access necessary, and rely on reputable infrastructure providers rather than reinventing the hard parts. We are also honest about where we are — this page tells you what we do today, not what we aspire to.
SECT.02 Infrastructure & hosting.
BotScope runs on established cloud infrastructure. Our application back end is hosted on Amazon Web Services (AWS) in Ireland (EU). Our database and authentication run on Supabase (managed PostgreSQL). The application front end is served by Vercel, and our marketing site and edge protection run on Cloudflare. File storage uses AWS S3, and background work is handled by a managed job queue. Each of these providers maintains its own mature security programme and physical data-centre controls.
SECT.03 Encryption.
All connections to our websites and APIs are encrypted in transit using TLS (HTTPS). Data is encrypted at rest by our infrastructure providers (AWS and Supabase). Passwords are never stored in plain text — authentication credentials are salted and hashed by our authentication provider.
SECT.04 Access & isolation.
Each organisation's data is logically isolated. We enforce access at the database layer using row-level security, so that one customer's account cannot read or modify another's data. Because that check runs inside PostgreSQL on every query, it applies regardless of which application code path issued the query, rather than depending on each query remembering to filter by organisation. Internal access to production systems is granted on a least-privilege basis, limited to the people who need it to operate and support the Service, and is performed over authenticated, encrypted channels.
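The shape of the row-level security described above, as an added illustration rather than BotScope's own schema or policies: the tables (organisations, memberships, bots), the helper function my_org_ids() and the user/role names are all assumptions made for the example. auth.uid() is the Supabase helper that returns the subject of the caller's JWT; on plain PostgreSQL you would substitute your own session-variable lookup.

```sql
-- Example tenant-isolation schema. Hypothetical tables: the real
-- BotScope schema is not described on this page.
create table organisations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table memberships (
  org_id  uuid not null references organisations(id) on delete cascade,
  user_id uuid not null,  -- compared against auth.uid()
  role    text not null check (role in ('owner', 'member')),
  primary key (org_id, user_id)
);

create table bots (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null references organisations(id) on delete cascade,
  name   text not null
);

-- Which organisations is the caller a member of? SECURITY DEFINER so that
-- the lookup itself is not subject to the RLS policy on memberships;
-- search_path is pinned so the function cannot be hijacked via a
-- same-named object on another schema.
create or replace function my_org_ids()
returns setof uuid
language sql
security definer
stable
set search_path = public
as $$
  select org_id from memberships where user_id = auth.uid();
$$;

-- Enable AND force RLS. Without FORCE, the table owner (and any service
-- connecting as it) silently bypasses every policy.
alter table bots        enable row level security;
alter table bots        force  row level security;
alter table memberships enable row level security;
alter table memberships force  row level security;

-- Tenant policy on bots. USING restricts which existing rows are visible
-- to SELECT/UPDATE/DELETE; WITH CHECK restricts the rows an INSERT or
-- UPDATE may produce. Omitting WITH CHECK is the classic gap: a member
-- could UPDATE a visible row's org_id and "move" it into another tenant.
create policy bots_tenant on bots
  for all
  using      (org_id in (select my_org_ids()))
  with check (org_id in (select my_org_ids()));

-- A user may only read their own membership rows.
create policy memberships_self on memberships
  for select
  using (user_id = auth.uid());

-- With RLS enabled and no matching policy, PostgreSQL denies by default:
-- a caller with no membership rows sees zero bots.
--
-- Manual check inside a transaction (Supabase reads auth.uid() from the
-- request.jwt.claims setting; user UUIDs below are placeholders):
--   begin;
--   set local role authenticated;
--   set local request.jwt.claims = '{"sub": "00000000-0000-0000-0000-0000000000aa"}';
--   select count(*) from bots;   -- only organisations user A belongs to
--   rollback;
```

Two caveats a practitioner checks after writing policies like these: that every tenant-scoped table has RLS enabled and forced (a single table left open is a full cross-tenant read), and that any credential which bypasses RLS, such as Supabase's service_role key, is confined to trusted server-side code and never shipped to a browser or mobile client.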
SECT.05 Payments.
Payments are processed by Stripe, a PCI-DSS Level 1 certified provider. Card details are submitted directly to Stripe and are never transmitted through or stored on our own servers. We retain only limited billing metadata — such as your plan and transaction history — needed to manage your subscription.
SECT.06 Application security.
- Abuse protection — public forms are protected against bots and automated abuse using Cloudflare Turnstile.
- Secure defaults — HTTPS-only, secure session cookies, and input validation throughout the application.
- Dependency hygiene — we track and update our third-party dependencies and address known vulnerabilities as part of routine maintenance.
- Separation of secrets — credentials and API keys are stored as environment secrets, separate from our source code.
SECT.07 Availability & backups.
We run on managed, redundant cloud infrastructure, and our database provider performs regular automated backups. We do not currently offer a formal uptime guarantee except where separately agreed with Enterprise customers. Where we need to take the Service offline for maintenance, we aim to minimise disruption.
SECT.08 Sub-processors.
We rely on a small set of vetted sub-processors to deliver the Service. The current list — and how we handle international data transfers — is set out in our Privacy Policy. Our core infrastructure is hosted in the European Economic Area; some providers operate in the United States or elsewhere, under appropriate data-transfer safeguards.
SECT.09 Data protection.
We process personal data in accordance with the UK GDPR and the Data Protection Act 2018, as described in our Privacy Policy. A data processing addendum is available to customers on request from [email protected].
SECT.10 Certifications.
We do not currently hold formal third-party certifications such as SOC 2 or ISO 27001. If your procurement process requires a security questionnaire, a data processing addendum, or other documentation, contact [email protected] and we will do our best to help.
SECT.11 Reporting a vulnerability.
We welcome reports from security researchers acting in good faith. If you believe you have found a vulnerability, please email [email protected] with enough detail for us to reproduce and investigate the issue. We will acknowledge your report and keep you updated as we work on a fix.
When researching, please act responsibly: do not access, modify or delete other users' data; do not run automated testing that degrades or disrupts the Service; and give us a reasonable opportunity to remediate before any public disclosure. We will not pursue or support legal action against researchers who follow these guidelines and act in good faith.
If a security incident affects your personal data, we will notify you and, where required, the Information Commissioner's Office, without undue delay and within the timeframes required by law.
SECT.12 Contact.
For security matters, email [email protected]. For everything else, [email protected]. BotScope is operated by KOJI STUDIO LTD, registered office Flat 24, Ferrymans Court, Queen Street, Bristol BS2 0JB.
found something?
We read every security report and respond quickly. Tell us what you found and how to reproduce it.
[email protected] →