This Security Page describes security practices used by Zorix, LLC, doing business as Scravio ("Scravio," "we," "us," or "our") to protect the Scravio website, application, APIs, infrastructure, and related services (the "Service").
This page is provided for transparency. It does not create warranties, guarantees, or contractual commitments beyond those expressly stated in the Terms of Service, Privacy Policy, or Data Processing Addendum.
1. Security overview
Scravio uses administrative, technical, and organizational safeguards designed to protect personal data, Customer Content, accounts, and Service infrastructure.
Our security program is designed around the following principles:
- access should be limited to authorized people and systems;
- data should be protected in transit and, where supported, at rest;
- production systems should be monitored for reliability, abuse, and security risks;
- changes should be reviewed and deployed with care;
- security incidents should be investigated and remediated promptly; and
- customers remain responsible for securing their own accounts, exports, integrations, devices, and downstream systems.
No internet-based service is completely secure. We cannot guarantee absolute security.
2. Access controls
Scravio uses access controls designed to restrict access to systems and data based on business need.
Controls may include:
- role-based access controls;
- least-privilege access practices;
- authentication requirements for administrative systems;
- administrative access limited to authorized personnel and service providers;
- access removal or modification when roles change or access is no longer needed;
- separation of customer workspaces through logical controls; and
- review of access to sensitive systems where appropriate.
Customers are responsible for managing their own users, roles, workspace permissions, API keys, exports, and integrations.
3. Encryption and transport security
Scravio uses encryption in transit for communications with the Service where supported, such as TLS for browser and API traffic.
Data may be encrypted at rest where supported by our hosting, database, storage, and infrastructure providers.
Customers should use secure networks, keep browsers and devices updated, protect credentials, and avoid transmitting sensitive information through insecure channels.
4. Customer Content and workspace separation
The Service is designed to logically separate customer workspaces and restrict access to authorized users and systems.
Workspace owners and administrators control access to their Workspace. They are responsible for inviting appropriate users, removing users who no longer require access, reviewing permissions, and safeguarding exports.
Scravio personnel may access Customer Content only where reasonably necessary to provide, secure, troubleshoot, support, maintain, or improve the Service; prevent abuse or fraud; comply with law; or enforce our Terms.
5. Logging and monitoring
Scravio may collect security logs, authentication logs, API logs, error logs, performance data, and operational telemetry to help:
- detect and investigate suspicious activity;
- prevent abuse, fraud, and unauthorized access;
- troubleshoot Service issues;
- monitor reliability and performance;
- enforce usage limits and Terms; and
- comply with legal and security obligations.
Log retention is described in the Privacy Policy.
6. Backup and recovery
Scravio and its infrastructure providers may maintain backups or provider-managed durability controls designed to support continuity and recovery.
Backups may contain Customer Content and personal data. Backup retention is generally rolling and is described in the Privacy Policy and Data Processing Addendum.
Backups are intended for disaster recovery, continuity, and security purposes. They are not guaranteed to restore individual customer records, deleted tasks, exports, or user actions.
7. Secure development and change management
Scravio uses development and deployment practices designed to reduce operational and security risk.
Practices may include:
- code review or equivalent change review;
- use of separate development and production environments where feasible;
- dependency and configuration management;
- controlled deployment processes;
- testing for material changes where appropriate;
- monitoring after deployment; and
- rollback or remediation processes for material issues.
8. Vulnerability management
Scravio uses reasonable efforts to identify, assess, and remediate security vulnerabilities affecting the Service.
Vulnerability management practices may include:
- monitoring for security advisories affecting infrastructure, dependencies, or application components;
- patching or mitigating material vulnerabilities based on severity and exploitability;
- reviewing security issues reported by customers, researchers, providers, or internal monitoring; and
- improving controls based on incident learnings and operational experience.
9. Security incidents
Scravio maintains procedures to identify, investigate, contain, and remediate confirmed security incidents and to notify affected customers of them.
If we become aware of a confirmed breach affecting Customer Personal Data processed under the Data Processing Addendum, we will notify affected customers without undue delay, as described in the DPA.
Security incident notifications may include information reasonably available at the time, such as the nature of the incident, affected data categories, mitigation steps, and recommended customer actions.
Notification of a security incident is not an admission of fault or liability.
10. Subprocessor and vendor security
Scravio uses third-party providers to host, operate, secure, support, and process payments for the Service.
We use reasonable diligence when selecting providers that process personal data or Customer Content and require appropriate confidentiality, security, and data protection obligations.
Current subprocessors and operational providers are listed on the Subprocessor Page.
11. Payment security
Scravio does not store full payment card numbers.
Payments are processed by third-party payment providers and, where applicable, merchants of record such as Stripe or Paddle. Payment providers are responsible for handling payment card data according to their own security and compliance obligations.
Customers should review payment provider terms and security practices that apply to their checkout flow.
12. Customer security responsibilities
Customers are responsible for their own security practices when using Scravio.
You should:
- use strong, unique passwords;
- enable multi-factor authentication if available;
- protect API keys, access tokens, credentials, and devices;
- limit Workspace access to authorized users;
- promptly remove users who no longer need access;
- review exports before sharing or uploading them to other systems;
- secure CRM, email, storage, and other downstream systems that receive Outputs;
- avoid submitting sensitive personal data or prohibited data;
- comply with applicable laws, platform terms, and privacy requirements;
- notify us promptly of suspected unauthorized access; and
- maintain your own backups where appropriate.
13. Prohibited security testing
You must not conduct penetration testing, vulnerability scanning, automated security testing, load testing, denial-of-service testing, credential stuffing, social engineering, spam testing, scraping tests, or similar testing against the Service without our prior written authorization.
Unauthorized testing may result in suspension or termination and may be reported to providers or authorities where appropriate.
14. Reporting security concerns
Please report suspected security vulnerabilities or unauthorized access to:
Email: [email protected]
Include as much detail as possible, such as:
- affected URL, endpoint, account, or Workspace;
- steps to reproduce;
- screenshots or logs;
- potential impact;
- your contact information; and
- whether Customer Content or personal data may be affected.
Do not access, modify, delete, copy, disclose, or exfiltrate data that does not belong to you. Do not disrupt the Service or other users.
15. Security documentation
Customers may request additional security information by contacting [email protected].
We may provide security documentation, questionnaires, summaries, or audit information under confidentiality obligations where available and appropriate.
We do not claim SOC 2, ISO 27001, HIPAA, PCI DSS certification, or any other certification unless expressly stated in writing by Scravio.
16. Changes to this page
We may update this Security Page from time to time. The updated version applies from the posted Last Updated date.