Security & Data Overview

Security is our top priority at Scalr and we thank you for the trust you put in us.

If your question is not answered after reviewing the information below, please contact us by opening a support ticket and we’ll make sure to get you an answer.

Trust Center

You can request many of our security documents, such as the SOC2 report and our penetration tests at trust.scalr.io.

Compliance

Certifications

The scalr.io platform and all processes surrounding the Scalr platform are governed by SOC2 type 2 controls. You can obtain a copy of the SOC2 Type 2 report by opening a ticket at support.scalr.com.

Network & Data

Data Hosting

Scalr uses the Google Cloud Platform (GCP) for hosting services and data storage, all of which is located in the United States. The high-level architecture can be found here.

Encryption

All data is encrypted in transit and at rest. See more about Google encryption here.

TLS

All connections made with Scalr.io are over TLS.

Penetration Testing

Scalr hires an external agency to perform penetration testing at least once a year; the report can be provided by opening a ticket at support.scalr.com.

Security Scanning

The Scalr team has implemented security scanning that runs on every pull request and every commit.

Product Security Features

SAML

Scalr supports any SAML 2.0 identity provider, as well as the SCIM protocol for automated user management.

Password Storage & Encryption

If you choose to use local authentication, Scalr enforces complex passwords and only stores the hashed version.

IAM

IAM is a differentiator of Scalr's: roles can be built for every type of user from more than 120 permissions, and assigned at multiple scopes in the product.

Self-Hosted Agents

Scalr offers two types of agents: run agents and VCS agents. In either case you never have to open inbound network access from Scalr.io to your network, because the agent communicates over a secured HTTPS relay that it initiates itself.

A run agent allows you to execute Terraform runs on the infrastructure of your choice.

A VCS agent allows Scalr and a VCS provider that sits behind your firewall to work together seamlessly.

Provider Configurations

Provider configurations are a way to authenticate to a provider without having to hand out credentials to your end users. All configurations are encrypted and never exposed in any output.

OPA Policies

The Scalr integration with Open Policy Agent (OPA) allows you to write policies that are evaluated against Terraform code on every run, so that your users can only deploy in a secure and compliant way.
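As an added illustration of the kind of check such a policy performs (this is example code written for this page, not a policy shipped by Scalr), the following Rego rule denies a run whose plan would create or update an AWS security group that exposes SSH to the whole Internet. It assumes the policy receives the standard Terraform plan JSON under `input.tfplan` (the `resource_changes` array with `address`, `type` and `change.actions` / `change.after` fields); the package name and the exact location of the plan in `input` are assumptions and should be checked against the Scalr policy documentation.

```rego
package terraform.policies.no_open_ssh

import future.keywords

# Security groups that the plan will create or update (assumed input shape:
# Terraform plan JSON exposed as input.tfplan).
changed_security_groups[r] {
    some r in input.tfplan.resource_changes
    r.type == "aws_security_group"
    some action in r.change.actions
    action in {"create", "update"}
}

# Deny when any ingress block covers port 22 and allows 0.0.0.0/0.
deny[msg] {
    some r in changed_security_groups
    some ing in r.change.after.ingress
    ing.from_port <= 22
    ing.to_port >= 22
    some cidr in ing.cidr_blocks
    cidr == "0.0.0.0/0"
    msg := sprintf("%s opens SSH (port 22) to 0.0.0.0/0; restrict cidr_blocks to trusted ranges", [r.address])
}
```

The rule only inspects the planned `after` state, so a rule that removes an open ingress block passes; each violating resource produces its own message, which makes the denial actionable for the user whose run was blocked.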

Reporting

Scalr reports give you visibility into Terraform versions, modules, providers, and resources in a single place. The reports can be used to identify vulnerable versions in use in your environment, to detect whether modules are being pulled from an unauthorized source, and more.

Sensitive Variables

All variables marked as sensitive are stored encrypted and never exposed in any output.

General Questions

I don’t want to store credentials in Scalr.io, what are my options?

You have the option of using self-hosted agents and assigning an instance profile to the agent; the agent then inherits the permissions granted to that instance profile. You can also pull credentials from a secrets manager at run time instead of storing them in Scalr.

What are my options for storing data?

By default, all data is stored by Scalr in GCP in US regions.
On brand-new accounts, you have the option of storing all blob objects (state, Terraform code, variables, etc.) in a customer-owned GCP bucket.
All other object data (e.g. Scalr environments and workspaces) is stored in Scalr-owned infrastructure.

How can I pull from a VCS provider behind a firewall?

Self-hosted VCS agents provide a way to pass information from the VCS provider to scalr.io without opening the provider to the Internet. The agent opens an HTTPS relay outbound from your network, which allows both parties to pass information back and forth without any inbound access from scalr.io being established.

How can I restrict network access to my account?

Scalr offers account fencing, which only allows network access to approved IPs. More information can be found here.

Is MFA available?

We suggest using a SAML provider for all authentication, including MFA. If that is not an option, we support TOTP-based authenticator app MFA.