Security Overview
Last updated July 13, 2026
Epitaph LLC builds Scribe to protect the sensitive injury, illness, and safety data employers entrust to it. This page describes the security measures actually implemented in the product today. It is a good-faith description, not a warranty or a certification.
Tenant isolation
Every organization’s data is isolated at the database layer using PostgreSQL row-level security (RLS). Access is scoped to the caller’s organization on every query, so one customer’s records are never reachable from another customer’s session.
Role-based access and PII walls
Access within an organization follows role — Admin, Manager, and General User. Injury and illness detail is protected by PII walls: General Users do not gain row access to other people’s injury records, and shared views (such as the OSHA 300 Log) withhold the names of privacy-concern cases consistent with OSHA’s recordkeeping rules. Where enabled, a safety concern can be submitted anonymously, with the reporter’s identity sealed from managers, admins, exports, and logs.
Authentication and MFA
Passwords are stored only in hashed form by our authentication provider, and new passwords are checked against known-breached-password lists. Organizations can require multi-factor authentication (TOTP) for chosen roles; when required, it is enforced on every session before protected pages load.
Audit logging
Sensitive actions — record edits, exports, role changes, case classification, and more — are written to an append-only audit log that organization admins can review.
Storage, encryption, and integrity
Photos and attachments are held in private storage buckets and served only through short-lived, server-mediated signed URLs — they are never publicly listable. Data is encrypted in transit (HTTPS/HSTS) and at rest through our infrastructure provider. Injury records use an immutable, amendment-tracked design so history is preserved, and outbound webhooks are signed so recipients can verify authenticity.
Data retention
| Data | Retention |
|---|---|
| Injury / illness records, cases, corrective actions | Indefinite / customer-controlled — retained for the life of the account and at least as long as the customer’s OSHA recordkeeping obligations require (records are not hard-deleted). |
| Audit log | Life of the organization. |
| Photos & attachments | Life of the record they belong to (deleted with the account). |
| Backups | Infrastructure provider’s point-in-time-recovery window, then cycled out. |
| Billing records | Held by Stripe under Stripe’s policies. |
| Email-delivery logs | Held by Resend under Resend’s policies. |
On account closure, Customer Data is deleted in the ordinary course after any post-termination export window; see the Terms of Service and Privacy Policy.
Incident response
We monitor the Service for errors and abuse. If we confirm a security incident affecting a customer’s personal data, we will notify the affected customer without undue delay, targeting within 72 hours of confirmation, with the information available at the time, and will provide updates as our investigation progresses. Our breach-notification commitment to business customers is set out in our Data Processing Addendum.
Subprocessors
We rely on a small set of vetted U.S. infrastructure providers, each listed on our Subprocessors page.
Compliance posture
Scribe is not currently SOC 2 certified and we make no such claim; the controls above are designed to be aligned with recognized security practices, and the audit-log, MFA, and DPA foundations here are the basis for a future formal-assurance program. Scribe is not a HIPAA covered entity or business associate (see the Privacy Policy).
Reporting a vulnerability
If you believe you have found a security issue, please contact us at privacy@epitaph.llc so we can investigate. We appreciate responsible disclosure.