Security

How we protect your work.

This page is maintained by the Scriba team to answer common security and privacy questions about the product. It is not an independent audit.

Last updated July 7, 2026

Access and authentication

Sign-in is delegated to Google OAuth — Scriba never sees your Google password. Sessions are refreshed automatically and revoked when you sign out. You can revoke Scriba's access to your Google account at any time from your Google security settings.

Data storage and isolation

Your notes, briefs, highlights, and outlines are stored in a managed Postgres database with row-level security enforced at the database layer. Each row is scoped to the account that created it — cross-account reads are blocked by the database itself, not just by application code.

PDFs and syllabi you upload go into private object storage. Signed URLs are short-lived and never expose bucket-wide access.

Encryption

All traffic between your browser and Scriba is encrypted with TLS 1.2+. Data at rest is encrypted by the underlying storage provider using AES-256. Encrypted daily backups are retained for point-in-time recovery.

What we send to AI, and what we don't

The assistant only receives passages you have highlighted in the Reader — not the full opinion, and not your notes. Nothing you write is used to train a public model. Requests to the model provider are made server-side, so your API session never leaves our infrastructure. See the full AI disclosure for the exact prompt scaffolding we use.

Payments

We do not store card numbers. Checkout, subscription state, and refunds are handled by Stripe; we only store the Stripe customer id and subscription status. See the refund policy.

Access controls and logging

Production database access is limited to a small number of engineers, protected by hardware-key MFA. Support access to a specific account requires you to open a ticket, and every read is logged. We do not read your notes to build features.

Data portability and deletion

You can export every brief, note, and outline as Markdown from the app at any time. Deleting your account removes your data from live systems immediately and purges it from backups within 30 days.

Report a vulnerability

Please email security@scriba.live with details and reproduction steps. We reply within 72 hours and credit responsible disclosure in our changelog. Please do not run automated scans that create synthetic accounts or generate load; reach out first and we will set up a test account.

Frequently asked

Where is my data stored?
In a managed Postgres database hosted in the United States. Backups are encrypted at rest and retained for point-in-time recovery.
Do you use my notes to train AI models?
No. Nothing you write in Scriba is used to train a public model. The AI assistant only sees passages you have highlighted in the Reader, and only when you explicitly ask a question.
Who at Scriba can see my briefs?
By default, no one. Support access is opt-in per ticket and logged. We do not read notes to build features.
What happens if I delete my account?
Your notes, briefs, and highlights are removed from live systems immediately and purged from backups within 30 days.