01Our security approach

Scurry processes meeting transcripts and sends follow-up emails from your own mailbox. That means we touch sensitive business conversations, so we design for the principle of least access: collect the minimum, hold it for the shortest time, and never use it for anything you did not ask for.
This page describes the controls in place today. As Scurry grows, these practices will be expanded, and any material change will be reflected here with an updated date.
Entity: GoScurry FZCO, registered under IFZA, Dubai, UAE.

02Hosting & infrastructure

Scurry runs on secure, enterprise-grade data center infrastructure located in Germany. Physical security, power, and network redundancy are managed by the underlying data center provider.
Production systems are isolated from development and testing environments. Access to production infrastructure is restricted to authorized personnel only.
Data is encrypted both in transit and at rest (see Encryption below).

In transit: all traffic between you, Scurry, and the services we connect to is encrypted using TLS 1.2 or higher. We do not serve any part of the application over unencrypted HTTP.
At rest: stored data, including transcripts and generated sequences, is encrypted on disk using industry-standard AES-256 encryption.
Authentication tokens for connected services are encrypted and stored separately from your content.

Scurry connects to Gmail and Outlook through OAuth. You authorize the connection through Google or Microsoft directly, and you can revoke it at any time from your own account settings. We never see or store your email password.
We request the minimum scopes required to send the follow-up sequences you approve. Scurry does not read, scan, or index your existing inbox.
Emails are sent from your own mailbox, so replies thread naturally and land where your prospects expect. Scurry is not a relay or a shared sending domain.

Questions about scopes? hello@goscurry.ai

To generate sequences, transcript content is processed by third-party AI infrastructure providers operating under data processing agreements with zero-retention policies. Your content is processed in real time and is not stored or used for model training by these providers.
We do not sell your data, and we never feed your content into external model training pipelines.
We may use aggregated, non-identifying signals internally to improve Scurry's prompts and output quality. Your actual conversations stay yours.

We retain your data only as long as needed to provide the service. You can request deletion of your account and associated content at any time.
When you delete content or disconnect an integration, the associated data is removed from active systems, and backups age out on a rolling schedule.
To request export or deletion, contact us at hello@goscurry.ai.

Access to systems that hold customer data is restricted to authorized team members on a need-to-know basis and protected by strong authentication.
Administrative access is logged, and credentials are rotated when team members change roles or leave.
We follow the principle of least privilege across both our own systems and the third-party services we use.

Code changes are reviewed before they reach production, and dependencies are monitored for known vulnerabilities.
Secrets and API keys are stored in a secured secrets manager, never in source code.
We design integrations to fail safe: if a connected service is unavailable, sequences pause rather than send incorrectly.

Scurry relies on a small set of trusted subprocessors for hosting, AI processing, and email delivery through your own provider. Each operates under a data processing agreement.
We use third-party AI infrastructure providers under zero-retention agreements and do not disclose the specific providers publicly. We are happy to discuss our subprocessor list with prospective customers under NDA.

Customer data is stored in secure data centers in Germany. Where data is processed by subprocessors located elsewhere, that processing is governed by data processing agreements with appropriate safeguards.
For full detail on how we handle personal data, see our Privacy Policy.

We monitor our systems for unusual activity and maintain a process for responding to security incidents.
If a security incident affects your data, we will notify affected customers without undue delay and provide the information you need to respond.

If you believe you have found a security vulnerability in Scurry, we want to hear from you. Please email the details to hello@goscurry.ai and give us a reasonable window to investigate and respond before any public disclosure.
We appreciate responsible disclosure and will work with you to confirm and address valid reports.

Security contact: hello@goscurry.ai

For security questions, due-diligence requests, or to report a vulnerability, reach out directly and we will get back to you.