ScamDrill teaches people to be skeptical of email and text messages — so we expect you to be skeptical of us, too. This page explains exactly how we protect family and organization data, what we collect, and where our compliance program stands.
No vague reassurances — these are the specific controls running in production today.
All traffic is served over TLS with HTTP Strict Transport Security enforced, and data is encrypted at rest in our database infrastructure. There is no unencrypted path to ScamDrill.
Every family's and every organization's data is segregated by row-level security policies enforced by the database itself, not just by application code. A query issued on behalf of one organization cannot return another organization's rows, even if the application layer has a bug.
Accounts support passkey-based two-factor authentication backed by your device's hardware, sign-in codes are strictly rate-limited, and organization admins can require a second factor for their whole team.
Payments are processed end-to-end by Stripe, a PCI DSS Level 1 service provider. ScamDrill never sees, stores, or transmits your card number.
Nobody receives a ScamDrill text message without explicitly opting in first, and every SMS drill can be stopped instantly by replying STOP. Learners are participants, not targets.
Organization webhook deliveries are signed with HMAC-SHA256 so your systems can verify that every payload genuinely came from ScamDrill and was not altered in transit, with automatic retries and backoff built in. Because failed deliveries are retried, your receiver should treat a repeated delivery as a duplicate rather than a new event.
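The receiving side of that scheme, as an added example rather than ScamDrill's own code or documented webhook format: it recomputes the HMAC-SHA256 over the raw request body, compares it in constant time, and ignores retried deliveries it has already processed. The header names (`X-Signature`, `X-Delivery-Id`), the hex encoding, the secret and the sample event are all assumptions made for the example; check ScamDrill's webhook documentation for the real conventions.

```python
"""Verify and de-duplicate HMAC-SHA256 signed webhook deliveries.

Added example, not ScamDrill's code. Assumed conventions (the page does not
state them): the signature is the lowercase hex HMAC-SHA256 of the raw body,
sent in an X-Signature header, and every delivery carries an X-Delivery-Id
that stays the same across retries of the same event.
"""
import hashlib
import hmac
import json

# Constructed secret for the example; a real shared secret comes from the
# webhook configuration and must never be committed to source control.
SECRET = b"whsec_example_not_a_real_secret"


def sign(secret: bytes, body: bytes) -> str:
    """Return the hex HMAC-SHA256 of the raw body (what the sender computes)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, presented: object) -> bool:
    """Constant-time check of a presented signature against the raw body.

    The comparison runs over the bytes exactly as received: re-serialising
    parsed JSON would change whitespace and key order and break the MAC.
    """
    if not isinstance(presented, str):
        return False
    expected = sign(secret, body)
    try:
        return hmac.compare_digest(expected, presented.lower())
    except TypeError:  # presented value contained non-ASCII characters
        return False


class WebhookReceiver:
    """Minimal receiver: authenticate first, then de-duplicate, then act."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.seen_ids: set[str] = set()      # in production: a durable store
        self.processed: list[dict] = []      # events that passed both checks

    def handle(self, headers: dict, body: bytes) -> tuple[int, str]:
        """Return an (HTTP status, reason) pair for one delivery."""
        # 1. Authenticate before parsing anything: unauthenticated input never
        #    reaches the JSON parser or business logic.
        if not verify(self.secret, body, headers.get("X-Signature")):
            return 401, "bad signature"

        # 2. Retries with backoff mean the same event can arrive more than once.
        #    Answer 200 so the sender stops retrying, but do not act twice.
        delivery_id = headers.get("X-Delivery-Id")
        if not delivery_id:
            return 400, "missing delivery id"
        if delivery_id in self.seen_ids:
            return 200, "duplicate ignored"

        # 3. Only now is the payload trusted enough to parse and act on.
        event = json.loads(body)
        self.seen_ids.add(delivery_id)
        self.processed.append(event)
        return 200, "ok"


# Constructed sample delivery used by the demo and the checks below.
SAMPLE_BODY = b'{"event":"drill.completed","learner":"L-0001","outcome":"reported"}'


def demo() -> list[tuple[int, str]]:
    """Walk one valid delivery, its retry, a tampered copy and a missing MAC."""
    receiver = WebhookReceiver(SECRET)
    good = {"X-Signature": sign(SECRET, SAMPLE_BODY), "X-Delivery-Id": "d-1"}
    results = [receiver.handle(good, SAMPLE_BODY)]            # (200, "ok")
    results.append(receiver.handle(good, SAMPLE_BODY))        # retry: duplicate
    tampered = SAMPLE_BODY.replace(b"reported", b"clicked")   # body edited in flight
    results.append(receiver.handle({**good, "X-Delivery-Id": "d-2"}, tampered))
    results.append(receiver.handle({"X-Delivery-Id": "d-3"}, SAMPLE_BODY))
    return results


if __name__ == "__main__":
    for status, reason in demo():
        print(status, reason)
```

The ordering matters: signature verification runs on the raw bytes before any parsing, the duplicate check answers 200 so the sender's retry loop ends, and only a fresh, authenticated event reaches the handler. In a real deployment the seen-ID set has to live in a durable store shared by all receiver instances, or the de-duplication silently stops working behind a load balancer.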
Every page ships with a Content-Security-Policy, clickjacking protection (X-Frame-Options and the CSP frame-ancestors directive), a strict Referrer-Policy, and HSTS. You can verify these response headers yourself from any browser's developer tools.
We never sell personal data, never share learner data with advertisers or data brokers, and never use training results for anything except training. Our privacy policy spells this out in plain English.
Most breaches start with a shortcut. These are the ones we refuse to take.
Changes go through security-focused review before they ship, with periodic deep reviews of the full codebase covering injection, access control, and abuse paths.
Every database schema change is exercised against a replica database with equivalence tests before it touches production data.
A small, single-product codebase means a confirmed security issue is typically patched and deployed the same day — not routed through a quarterly release train.
We'd rather show you an honest roadmap than a wall of borrowed badges. Last updated June 12, 2026.
Encryption in transit and at rest, database-level tenant isolation, strict security headers, rate limiting, signed webhooks, and consent-gated messaging — everything described above is live today.
The paperwork buyers ask for:
A standard Data Processing Agreement is available for organization customers — request a copy.
Our path to a SOC 2 report, in order:
We'll publish progress on this page rather than claim it early. Need to assess us before then? We're glad to complete your security questionnaire — contact us.
We use a small set of established providers to deliver the service, each under data-protection terms. All core data processing happens in the United States.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | US (Virginia) |
| Vercel | Application hosting & scheduled jobs | US |
| Stripe | Payments & subscription billing | US |
| Twilio | SMS delivery (simulations & verdicts) | US |
| Resend | Transactional & inbound email | US |
| WorkOS | SSO & directory sync (SCIM) | US |
| Anthropic | AI email analysis (paid orgs only) | US |
| Upstash | Rate limiting & short-lived caching | US (Virginia) |
| Sentry | Error monitoring (PII suppressed) | US |
| Cloudflare | Bot protection (CAPTCHA) | Global |
Google Analytics/Ads and the Meta Pixel run only on our marketing site and only with cookie consent; they don't process learner or account data. Organization customers can request advance notice of new subprocessors at privacy@scamdrill.com.
We keep data only as long as it serves a purpose, then dispose of it. The main windows:
- Kept while your subscription is active, and after cancellation so you can reactivate. We delete it whenever you ask: email privacy@scamdrill.com or use the in-app account-deletion option, which removes your data in full.
- We store only the verdict metadata, a risk score and which red flags matched, never the message itself, and only for 13 months.
- Retained for one year to support incident investigation, then permanently disposed of.
- Page-view data for 90 days and session records for 30 days. Our first-party analytics use a session ID, not your IP address.
Want to access, export, correct, or delete your data? Email privacy@scamdrill.com and we'll respond within 30 days.
If you believe you've found a security issue in ScamDrill, please report it through our contact page with enough detail to reproduce it. We read every report, respond promptly, and won't pursue good-faith research conducted without harming user data or service availability.
Surprisingly little: a name, an email address, and — only if you enable SMS drills — a phone number with the learner's explicit consent. Simulations don't require access to your inbox, your contacts, or any sensitive records. We track how learners respond to drills because that's the product; we don't collect anything beyond it.
No. Drill landing pages teach the lesson at the moment of the click — they never capture, transmit, or store anything a learner types. A simulation's job is to build the instinct, not to harvest data.
Yes. SMS participation requires opt-in to begin with, replying STOP to any text ends SMS drills immediately, and organization admins can remove any member from campaigns. For families, the account owner controls every learner's participation.
Yes — contact us and we'll turn it around quickly. This page covers the most common questions, and we're direct about what's in place versus what's on the roadmap.
Your data stays yours. Organization admins can export reports before canceling, and you can request deletion of your account data via our contact page — see the privacy policy for retention details.
Explore the product yourself — no sales call, no quote form, pricing already published.
Protecting your family instead? Take the family tour