LAST UPDATED: SEPTEMBER 24, 2019
This page answers frequently asked questions regarding iScout security, systems, and data backups.
iScout can be accessed via a web browser or through one of the free mobile apps:
iScout is a cloud-based application hosted on Amazon AWS. iScout is not available as a stand-alone application to be hosted and run directly within a client's own data center.
iScout database systems are backed up hourly, transferred securely to an AWS region 2,000 miles away (US West 2) from the primary storage, and stored under AES-256 encryption at 99.999999999% durability.
Hourly backups are retained for one week, daily backups for a month, weekly backups for a year, and monthly backups forever.
If your organization's record retention policies required automatic deletion of form responses (e.g. DVIR Reports) after a period of time (e.g. 90 days) then please contact the iScout Support Team to request scheduled deletion.
Cookies are a small amount of data stored on your computer or mobile device when you visit a website. Cookies are used by most service providers in order to make their websites or services work or provide reporting information. Cookies set by the service provider (in this case, iScout) are called "first party cookies". Cookies set by parties other than the website owner are called "third party cookies". Third party cookies enable third party features or functionality to be provided on or through the website or service you are using (such as mapping). The third parties that set these third party cookies can recognise your computer both when it visits the website or service in question and also when it visits certain other websites or services.
iScout uses first party and third party cookies for several reasons. Some cookies are required for technical reasons in order for our Websites and Services to operate. For example, once you have signed in the system uses a first party cookie to keep track of you so you don't have to sign in every time you click a new link. Other first-party cookies such as 'last-subdomain' help iScout keep track of which site you have used most recently. This allows us the system to send you to the correct site when you login from the home page (as it is difficult for people to remember their 'domain'). For more information on cookies, please contact the iScout Support Team.
iScout databases are hosted on Amazon AWS and are managed by MongoDB (the creators of MongoDB) and Heroku (owned by SalesForce). Each database is configured with replicas and automatic failovers. All connections are made over SSL, and backups are done hourly. Read more on backups.
For the sake of security and performance, no 3rd-party client access is permitted to the iScout databases. Although a direct connection may be useful for client tools such as Power BI, Spotfire, or Tableau, the security and performance implications make this impossible. In any case, the complex structure of iScout data makes these tools less useful than groups may expect. iScout recommends using the API for accessing application data. If your group does not have an IT group that can work with the API and needs a custom report, please contact an iScout customer care representative.
Client application data is made available via the secure iScout API. The Roles and Permissions modules allows administrators to grant API permissions to their company's IT individuals. Once access is granted, the IT personnel may create API tokens (via the Control Panel) which grant programatic access to read and/or write data to/from the iScout API.
The API contains dozens of methods which are JSON, https endpoints for querying and accessing the data. Please visit the iScout API for detailed documentation, a listing of end-points, code samples, and a web-based interface for executing API requests.
If your group needs a customized export format and does not have an IT group that can work with the API, please contact an iScout customer care representative for options.
Unlike many older systems, the iScout application does not run on fixed servers that must be manually rebuilt given an outage. iScout uses "containerization" along with various dockerfiles, buildpacks, procfiles and other documented, pre-defined configuration scripts to dynamically create servers on-demand depending on site activity. Each time the application code is updated (several times per week), iScout servers are automatically rebuilt from scratch, "warmed up", and then a load balancer begins sending work and traffic to the new instances. Because of this process, it is a straightforward process to switch regions or even hosts should the need arise (e.g. Digital Ocean, Rackspace, etc).
This iScout code repository includes information and proceedures regarding disaster recovery and iScout's internal resource library houses the latest Disaster Recovery and Business Continuity Plan document.
For information on database backups, please visit the Backup Frequency & Durability section of this guide.
Note: The iScout code repository is not available for public or 3rd-party access. If you have further questions regarding iScout disaster recovery and business continuity policies or proceedures, please contact the iScout Support Team.
iScout forces all client traffic (including web browser, native apps, and api connections) to use the secure https protocol which uses TLS cryptography with 256 bit RSA Encryption. All connections between processing servers and information databases also use SSL connections exclusively. Data backups are stored under AES-256 encryption with a 99.999999999% durability rating. Learn more about backups.
The iScout web application and native apps are designed to be operational 24 hours per day and 7 days per week. Any planned downtime is guaranteed to provide at least 8 hours prior notice and typically happens during the lowest traffic periods (early am hours of Saturday or Sunday). At the writing of this guide, iScout has not had scheduled maintenance in over a year. Any unavailability caused by circumstances beyond our control, including but not limited to, acts of God, acts of government, flood, fire, earthquakes, civil unrest, acts of terror, strikes or other labor problems or Internet service provider failures or delays will be addressed immediately with the highest priority.
iScout does not store passwords.
Passwords are salted and hashed using a memory & CPU intensive Argon2id algorithm.
Because of this process, it is not possible to recover a password if login credentials are lost. If a password is lost then it can be reset using the "Forgot Password" link on the login page if the employee has an email address on file. The email is used to verify the owner of the account. If the employee does not have an email address listed on their profile, then another employee at the same organization (who has been granted permission via the Roles and Permission page) will be able to manually change the password on the employee's profile page.
iScout representatives are not able to recover or reset passwords over the phone as there is no way to verify the person's identify. Companies may include contact information on the sign-in page (such as phone, email) to direct the employee who has forgotten their password.
When employee profiles are first created for your organization, the system defaults to forcing that employee to reset their password once they first sign-in to the site. This ensures that no other individual has signed in on their behalf and cuts off any further outside access. Once a password is changed, all existing logins (including the native apps) will be invalidated immediately.
iScout's information systems and technical infrastructure are hosted within Amazon AWS - a world-class, SOC 1/2/3 accredited, data center. You can read more about AWS Security or choose one of the following sub-topics:
NOTE: To request Amazon's SOC 1 or 2 report, you must make a direct request to Amazon using their Artifact Management Console. This process requires you to create a free amazon account. Viewing their artifacts require you to sign a Non-Disclosure Agreement and your copy will contain a watermark identifying you as the requestor. Because of this NDA, iScout cannot request an artifact on your behalf.
While iScout's customer data and processing servers are not hosted on-site, the company office is protected by a 24x7 security system, digital RFID cards, and individually keyed physical locks for each office.
For more information on iScout's security measures, see the Security & Compliance section below.
iScout deploys internal auditing and other logging tools to track access and modifications to the application and the application data. These auditing tools are not currently available to customers or third-party users. Should the need arise, a limited subset of this information may be made available to customers where the dataset is limited to the scope of the requestor's own application data.
It is at the discretion of each organization to define roles and permissions according to their own proceedures and best practices.
The Roles and Permissions page determines each employee's access level within a site. By default, a site will start with Employee, Manager, and Admin roles but additional roles can be added or removed. Using nearly 100 different permissions, an organization can customize the access level of each role. Each employee profile is then assigned to one specific role which dicates what data they can access or upload.
Examples of permissions include:
Any changes to the Roles and Permissions grid are immediately reflected within the site authorization for both web browsers and the native iOS/Android apps.
iScout uses Stripe for secure credit card transactions and does not receive or store credit card information directly. Stripe accepts all major credit cards including MasterCard, American Express, Discover, and more. Stripe is certified as a Level 1 PCI Service Provider.
For more information on Stripe security, visit https://stripe.com/docs/security/stripe.
iScout is SOC 2 Type II compliant. You can view the SOC 3 compliance report here (SOC 3 is a public report of internal controls audited during the SOC 2 process).
To view the iScout Subscription Agreement, please click the following image or visit https://go.iscout.com/subscription-agreement-general.
The online signup subscription agreement is available here.
iScout offers free customer support to all subscribers and subscriber employees. Application questions and other general requests are addressed promptly during standard business hours (US Central Time). Any urgent issues such as outages are addressed immediately, regardless of the time of day or day of week. Support is available in a variety of formats including:
iScout officially supports the latest two major releases of each major web browser. The free Google Chrome web browser is recommended. It is a faster, more stable, more secure browser and is available on all operating systems. If Chrome is not an option, any browser apart from Internet Explorer would be acceptable.
For the best experience on mobile devices, use the latest operating system. iScout officially supports the latest two major operating system releases (the current one and its predecessor). Within reason, attempts are made to support previous versions but compatibility can not be guaranteed.
Starting September 1, 2020 iScout will require TLS 1.2 for all browser connections. Due to known vulnerabilities in both TLS 1.0 and 1.1 they will not longer be supported. The easiest way to support TLS 1.2 is to download the free Google Chrome browser. You can verify whether your browser supports TLS 1.2 at this link.
To view the iScout Terms of Service, please click the following image or visit https://www.iscout.com/terms-of-service.
If your organization filters web or mobile traffic,
For email notifications, please whitelist
Learn more at https://iscout.com/it.
Please direct any additional questions to the iScout Support Team.