Win a Peloton Bike. 🏆

Scratchpad Trust
& Security

We believe in
privacy

We will NEVER sell your data or keep it hostage.

We do not store your customer’s data by default

Think of Scratchpad as a UI layer on top of Salesforce. We’re making it easier for your team to update the data, you’re still managing it.

Data Center &
Application Security

We are hosted by Amazon Web Services (AWS) on US-based servers. AWS maintains a robust security system managed by World Class Security Experts. Review Amazon’s Security Center for more detailed information.

We built our app on Heroku, a Salesforce company. Heroku’s first value is trust. Learn more about how they exemplify trust, and what standards they’ve implemented on their security certifications and polices on Heroku’s Compliance page.

We conduct continuous network vulnerability testing and contract an independent third-party to conduct penetration testing at least annually.

We maintain disaster and incident response plans to ensure that even in the worst scenarios our team is prepared to protect your information. We test and audit these plans annually, so we’re always ready to respond.

We use Salesforce’s OAuth to authenticate users, allowing your team to access Scratchpad without entering login credentials into our system. We also work with SSO providers, like Okta.

We work to ensure that our service is always available. You can view our status page at any time to review the current status of our platform, incidents, and scheduled outages.

Data Security

We require all sensitive data, both in transit and at rest to be encrypted using strong, industry-recognized algorithms. We regularly review all encryption algorithms in use to ensure that they follow the Advanced Encryption Standard.

All encryption keys generated, stored, and managed by Scratchpad are created and stored in a manner that prevents loss, theft, or compromise.

We maintain a stringent password policy, requiring all passwords to be complex, updated from the system default, and unique.

We practice least-privileged access for all of our systems and applications. This means that the only people with access to your account and data are Scratchpad employees that require access in order to fulfill their job responsibilities. We audit access regularly to ensure that the minimum number of individuals have access to your data.

We maintain and store logs for at least 12 months to identify each Scratchpad staff member that has accessed or created an action related to customer data.  

We believe in collecting the minimum amount of data needed to ensure your account is managed and secure. We do not collect your customer’s data by default. We do offer features that allow for audit/history tracking that does require us to store some customer information. We are committed to ensuring that data remains secure and hold it to the same security standards as our own customer data.

We back up and encrypt all of our data daily, so you don’t have to worry about losing any of your account information.

Security Procedures

We require all employees and contractors to acknowledge and undergo security awareness training at the time of hire and to refresh their knowledge at least annually. Employees and contractors in developer roles are provided with Secure Development Life Cycle (SDLC) training at the time of hire and annually thereafter. This training includes acknowledgment and understanding of the OWASP Top 10 common coding vulnerabilities.

Our development process was designed to ensure that code deployments are made in a manner that maximizes site uptime, productivity, and security while minimizing the exposure to risks. We employ version control development, code reviews, automated and manual testing prior to deploying code changes.

We work diligently to ensure that our service is secure, if you believe you have found a vulnerability, please email us at security@scratchpad.com. We will work to resolve the issue quickly and follow our vulnerability disclosure policy.