Trust & Security

Built so your organisation's data stays yours

This page is maintained by Prevailing Ideas (Pty) Ltd to answer common security and privacy questions about Scorecard Keeper. It describes the controls enabled in the product today — it is not an independent certification.

Tenant isolation

Row-level security enforces per-organization data boundaries at the database layer.

Encryption

TLS in transit. AES-256 at rest for database and object storage.

Authentication

Hashed passwords, short-lived JWT sessions, password reset via signed links.

Audit log

Sensitive changes (risks, appraisals, role grants) are recorded with actor and timestamp.

Private evidence files

Evidence uploads are stored in private buckets and served via short-lived signed URLs.

Backups

Managed database with automated point-in-time recovery; backups age out on the same retention cycle as production.

Access control

Every API call is authenticated. The database enforces row-level security policies so a user can only read and write rows belonging to their organization, and only for the role they have been granted (member, organization admin, or super admin). Roles are stored in a separate user_roles table — never on the profile — to prevent client-side privilege escalation.

Hosting and sub-processors

Scorecard Keeper runs on Lovable Cloud, which provides hosting, the PostgreSQL database, authentication, and object storage. Transactional emails (password resets, invitations) are delivered through Lovable Email from notify@accotrack.app. These are our only sub-processors that handle personal data today.

Data protection alignment

We design the product to support our customers' obligations under:

  • GDPR (EU/UK) — lawful basis, data-subject rights, sub-processor disclosure, breach notification.
  • POPIA (South Africa) — purpose specification, security safeguards, operator obligations.
  • CCPA / CPRA (California) — access, deletion, opt-out of sale (we do not sell data).
  • Data Protection Act, 2018 (Botswana) — controller/processor responsibilities and data-subject rights.

These statements describe how the product is built. Whether your specific use of Scorecard Keeper complies with a given law also depends on your own organization's policies and decisions. We are not certified under SOC 2, ISO 27001, HIPAA, or PCI DSS and we do not claim to be.

Retention and deletion

Application data is retained for the life of your organization's account. When an organization is deleted, data is held for 90 days and then permanently removed from production systems and backups. Individual users may request deletion of their personal data at any time by emailing support@accotrack.app.

Incident response

Suspected security issues should be reported to support@accotrack.app with the subject line "Security". We acknowledge reports within two business days. In the event of a confirmed personal-data breach we will notify affected organization administrators and the relevant supervisory authority within the timelines required by applicable law (72 hours under GDPR).

Your rights as a data subject

You may request access, correction, export, or deletion of your personal data, and you may object to or restrict certain processing. Full details and contact procedure are in our Privacy Policy.

Maintained by Prevailing Ideas (Pty) Ltd. Contact support@accotrack.app.Privacy policy →