Security Overview

Last updated July 13, 2026

Epitaph LLC builds Scribe to protect the sensitive injury, illness, and safety data employers entrust to it. This page describes the security measures actually implemented in the product today. It is a good-faith description, not a warranty or a certification.

Tenant isolation

Every organization’s data is isolated at the database layer using PostgreSQL row-level security (RLS). Access is scoped to the caller’s organization on every query, so one customer’s records are never reachable from another customer’s session.

Role-based access and PII walls

Access within an organization follows role — Admin, Manager, and General User. Injury and illness detail is protected by PII walls: General Users do not gain row access to other people’s injury records, and shared views (such as the OSHA 300 Log) withhold the names of privacy-concern cases consistent with OSHA’s recordkeeping rules. Where enabled, a safety concern can be submitted anonymously, with the reporter’s identity sealed from managers, admins, exports, and logs.

Authentication and MFA

Passwords are stored only in hashed form by our authentication provider, and new passwords are checked against known-breached-password lists. Organizations can require multi-factor authentication (TOTP) for chosen roles; when required, it is enforced on every session before protected pages load.

Audit logging

Sensitive actions — record edits, exports, role changes, case classification, and more — are written to an append-only audit log that organization admins can review.

Storage, encryption, and integrity

Photos and attachments are held in private storage buckets and served only through short-lived, server-mediated signed URLs — they are never publicly listable. Data is encrypted in transit (HTTPS/HSTS) and at rest through our infrastructure provider. Injury records use an immutable, amendment-tracked design so history is preserved, and outbound webhooks are signed so recipients can verify authenticity.

Data retention

DataRetention
Injury / illness records, cases, corrective actionsIndefinite / customer-controlled — retained for the life of the account and at least as long as the customer’s OSHA recordkeeping obligations require (records are not hard-deleted).
Audit logLife of the organization.
Photos & attachmentsLife of the record they belong to (deleted with the account).
BackupsInfrastructure provider’s point-in-time-recovery window, then cycled out.
Billing recordsHeld by Stripe under Stripe’s policies.
Email-delivery logsHeld by Resend under Resend’s policies.

On account closure, Customer Data is deleted in the ordinary course after any post-termination export window; see the Terms of Service and Privacy Policy.

Incident response

We monitor the Service for errors and abuse. If we confirm a security incident affecting a customer’s personal data, we will notify the affected customer without undue delay, targeting within 72 hours of confirmation, with the information available at the time, and will provide updates as our investigation progresses. Our breach-notification commitment to business customers is set out in our Data Processing Addendum.

Subprocessors

We rely on a small set of vetted U.S. infrastructure providers, each listed on our Subprocessors page.

Compliance posture

Scribe is not currently SOC 2 certified and we make no such claim; the controls above are designed to be aligned with recognized security practices, and the audit-log, MFA, and DPA foundations here are the basis for a future formal-assurance program. Scribe is not a HIPAA covered entity or business associate (see the Privacy Policy).

Reporting a vulnerability

If you believe you have found a security issue, please contact us at privacy@epitaph.llc so we can investigate. We appreciate responsible disclosure.