Security & Backups


LAST UPDATED: SEPTEMBER 24, 2019

This page answers frequently asked questions regarding iScout security, systems, and data backups.






Apps

iScout can be accessed via a web browser or through one of the free mobile apps:

Application Hosting

iScout is a cloud-based application hosted on Amazon AWS. iScout is not available as a stand-alone application to be hosted and run directly within a client's own data center.

Backup Frequency and Durability

iScout database systems are backed up hourly, transferred securely to an AWS region (US West 2) 2,000 miles away from the primary storage, and stored under AES-256 encryption at 99.999999999% durability.

Hourly backups are retained for one week, daily backups for a month, weekly backups for a year, and monthly backups forever.
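
The retention tiers above determine how precisely a database can be rolled back as an incident ages. The following added example (not iScout's code) models that schedule and returns the newest surviving snapshot before a given time; the 30-day month, 365-day year, on-the-hour UTC snapshots, and the promotion of the 00:00 snapshot to daily, Monday's to weekly and the 1st's to monthly are assumptions, since the page does not say which snapshots are promoted.

```python
from datetime import datetime, timedelta, timezone

# Windows come from the page. Assumptions: "a month" = 30 days, "a year" = 365
# days, snapshots are taken on the hour (UTC), the 00:00 snapshot becomes the
# daily, Monday's daily becomes the weekly, the daily on the 1st the monthly.
HOURLY_WINDOW = timedelta(days=7)
DAILY_WINDOW = timedelta(days=30)
WEEKLY_WINDOW = timedelta(days=365)


def retained_tier(taken, now):
    """Return the tier that still holds the snapshot taken at `taken`, or None if pruned."""
    age = now - taken
    if age < timedelta(0):
        raise ValueError("snapshot is newer than 'now'")
    if age <= HOURLY_WINDOW:
        return "hourly"
    if taken.hour != 0:
        return None  # past one week, only midnight snapshots survive
    if age <= DAILY_WINDOW:
        return "daily"
    if taken.weekday() == 0 and age <= WEEKLY_WINDOW:
        return "weekly"
    if taken.day == 1:
        return "monthly"  # kept forever
    return None


def latest_restore_point(before, now):
    """Newest retained snapshot taken at or before `before` (last known-good time)."""
    candidate = before.replace(minute=0, second=0, microsecond=0)
    for _ in range(32 * 24):  # a monthly snapshot is always reached within one month
        if retained_tier(candidate, now) is not None:
            return candidate
        candidate -= timedelta(hours=1)
    raise RuntimeError("no snapshot found; retention model is inconsistent")


def exposure(before, now):
    """Data written between the restore point and `before` cannot be recovered."""
    return before - latest_restore_point(before, now)


if __name__ == "__main__":
    now = datetime(2019, 9, 24, 12, 0, tzinfo=timezone.utc)  # constructed date
    for days_ago in (2, 14, 40, 460):
        good = now - timedelta(days=days_ago, minutes=23)
        print(days_ago, latest_restore_point(good, now), exposure(good, now))
```

Under these assumptions the unrecoverable window grows from under an hour for recent data to as much as a month for data older than a year, which is the figure to compare against your own recovery point objective.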

If your organization's record retention policies require automatic deletion of form responses (e.g., DVIR Reports) after a period of time (e.g., 90 days), please contact the iScout Support Team to request scheduled deletion.

Cookie Policy

Cookies are a small amount of data stored on your computer or mobile device when you visit a website. Cookies are used by most service providers in order to make their websites or services work or provide reporting information. Cookies set by the service provider (in this case, iScout) are called "first party cookies". Cookies set by parties other than the website owner are called "third party cookies". Third party cookies enable third party features or functionality to be provided on or through the website or service you are using (such as mapping). The third parties that set these third party cookies can recognise your computer both when it visits the website or service in question and also when it visits certain other websites or services.

iScout uses first party and third party cookies for several reasons. Some cookies are required for technical reasons in order for our Websites and Services to operate. For example, once you have signed in, the system uses a first party cookie to keep track of you so you don't have to sign in every time you click a new link. Other first party cookies such as 'last-subdomain' help iScout keep track of which site you have used most recently. This allows the system to send you to the correct site when you log in from the home page (as it is difficult for people to remember their 'domain'). For more information on cookies, please contact the iScout Support Team.

Database Services

iScout databases are hosted on Amazon AWS and are managed by MongoDB (the creators of MongoDB) and Heroku (owned by SalesForce). Each database is configured with replicas and automatic failovers. All connections are made over SSL, and backups are done hourly. Read more on backups.

For the sake of security and performance, no 3rd-party client access is permitted to the iScout databases. Although a direct connection may be useful for client tools such as Power BI, Spotfire, or Tableau, the security and performance implications make this impossible. In any case, the complex structure of iScout data makes these tools less useful than groups may expect. iScout recommends using the API for accessing application data. If your group does not have an IT group that can work with the API and needs a custom report, please contact an iScout customer care representative.

Data Extraction

Client application data is made available via the secure iScout API. The Roles and Permissions module allows administrators to grant API permissions to their company's IT individuals. Once access is granted, the IT personnel may create API tokens (via the Control Panel) which grant programmatic access to read and/or write data to/from the iScout API.

The API contains dozens of methods, which are JSON HTTPS endpoints for querying and accessing the data. Please visit the iScout API for detailed documentation, a listing of endpoints, code samples, and a web-based interface for executing API requests.

If your group needs a customized export format and does not have an IT group that can work with the API, please contact an iScout customer care representative for options.

Disaster Recovery & Business Continuity

Unlike many older systems, the iScout application does not run on fixed servers that must be manually rebuilt after an outage. iScout uses "containerization" along with various dockerfiles, buildpacks, procfiles and other documented, pre-defined configuration scripts to dynamically create servers on demand depending on site activity. Each time the application code is updated (several times per week), iScout servers are automatically rebuilt from scratch, "warmed up", and then a load balancer begins sending work and traffic to the new instances. Because of this process, switching regions or even hosts (e.g. Digital Ocean, Rackspace, etc.) is straightforward should the need arise.

The iScout code repository includes information and procedures regarding disaster recovery, and iScout's internal resource library houses the latest Disaster Recovery and Business Continuity Plan document.

For information on database backups, please visit the Backup Frequency & Durability section of this guide.

Note: The iScout code repository is not available for public or 3rd-party access. If you have further questions regarding iScout disaster recovery and business continuity policies or procedures, please contact the iScout Support Team.

Encryption

iScout forces all client traffic (including web browser, native apps, and API connections) to use the secure HTTPS protocol, which uses TLS cryptography with 256-bit RSA encryption. All connections between processing servers and information databases also use SSL connections exclusively. Data backups are stored under AES-256 encryption with a 99.999999999% durability rating. Learn more about backups.

Maintenance and Availability

The iScout web application and native apps are designed to be operational 24 hours per day and 7 days per week. iScout guarantees at least 8 hours' prior notice of any planned downtime, which typically happens during the lowest traffic periods (early a.m. hours of Saturday or Sunday). At the writing of this guide, iScout has not had scheduled maintenance in over a year. Any unavailability caused by circumstances beyond our control, including but not limited to acts of God, acts of government, flood, fire, earthquakes, civil unrest, acts of terror, strikes or other labor problems, or Internet service provider failures or delays, will be addressed immediately with the highest priority.

Passwords & Credentials

iScout does not store passwords.

Passwords are salted and hashed using the memory- and CPU-intensive Argon2id algorithm.

Because of this process, it is not possible to recover a password if login credentials are lost. If a password is lost then it can be reset using the "Forgot Password" link on the login page if the employee has an email address on file. The email is used to verify the owner of the account. If the employee does not have an email address listed on their profile, then another employee at the same organization (who has been granted permission via the Roles and Permission page) will be able to manually change the password on the employee's profile page.

iScout representatives are not able to recover or reset passwords over the phone as there is no way to verify the person's identity. Companies may include contact information on the sign-in page (such as phone, email) to direct the employee who has forgotten their password.

When employee profiles are first created for your organization, the system defaults to forcing that employee to reset their password when they first sign in to the site. This ensures that no other individual has signed in on their behalf and cuts off any further outside access. Once a password is changed, all existing logins (including the native apps) will be invalidated immediately.

Physical Security

iScout's information systems and technical infrastructure are hosted within Amazon AWS - a world-class, SOC 1/2/3 accredited, data center. You can read more about AWS Security or choose one of the following sub-topics:

  • All Compliance Programs - including SOC 1, SOC 2, SOC 3, ISO 9001, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, and more
  • SOC FAQ - specifically covers AWS SOC compliance. The SOC 3 artifact is available for public download. Follow these steps to request an SOC 1 or 2 artifact from Amazon.
  • AWS Security Bulletins - a live feed of any security related alerts published by AWS

NOTE: To request Amazon's SOC 1 or 2 report, you must make a direct request to Amazon using their Artifact Management Console. This process requires you to create a free Amazon account. Viewing their artifacts requires you to sign a Non-Disclosure Agreement, and your copy will contain a watermark identifying you as the requestor. Because of this NDA, iScout cannot request an artifact on your behalf.

While iScout's customer data and processing servers are not hosted on-site, the company office is protected by a 24x7 security system, digital RFID cards, and individually keyed physical locks for each office.

Privacy Policy

To view the iScout Privacy Policy, please visit https://www.iscout.com/privacy-policy.

Request / Audit Logging

iScout deploys internal auditing and other logging tools to track access and modifications to the application and the application data. These auditing tools are not currently available to customers or third-party users. Should the need arise, a limited subset of this information may be made available to customers where the dataset is limited to the scope of the requestor's own application data.

Roles & Permissions

It is at the discretion of each organization to define roles and permissions according to their own procedures and best practices.

The Roles and Permissions page determines each employee's access level within a site. By default, a site will start with Employee, Manager, and Admin roles, but additional roles can be added or removed. Using nearly 100 different permissions, an organization can customize the access level of each role. Each employee profile is then assigned to one specific role which dictates what data they can access or upload.

Examples of permissions include:

  • Submit Reports
  • View Reports
  • Create or Edit Forms
  • Complete Training
  • Mark Training Complete
  • View Equipment
  • Create or Edit Equipment
  • View Resources (e.g. PDFs, SpreadSheets, etc)
  • Create or Edit Resources
  • Import a Dataload
  • Access the API

Any changes to the Roles and Permissions grid are immediately reflected within the site authorization for both web browsers and the native iOS/Android apps.

Secure Credit Card Processing

iScout uses Stripe for secure credit card transactions and does not receive or store credit card information directly. Stripe accepts all major credit cards including MasterCard, American Express, Discover, and more. Stripe is certified as a Level 1 PCI Service Provider.

For more information on Stripe security, visit https://stripe.com/docs/security/stripe.

Subscription Agreement

To view the iScout Subscription Agreement, please visit https://go.iscout.com/subscription-agreement-general.

The online signup subscription agreement is available here.

Support

iScout offers free customer support to all subscribers and subscriber employees. Application questions and other general requests are addressed promptly during standard business hours (US Central Time). Any urgent issues such as outages are addressed immediately, regardless of the time of day or day of week. Support is available in a variety of formats including:

  • Knowledge Base - nearly 100 videos and guides that walk through different aspects of the iScout application including Getting Started for New Employees, Building Your First Form, Analyzing Responses, Setting up Training, and more.
  • 1 (833) 497-2688 - call the iScout support line with questions on sales, billing, or technical support.
  • [email protected] - email our support team and you will automatically receive a support ticket. Please be as specific as possible and include screenshots, links, and any other pertinent information.
  • Online Contact Form - fill out the online contact form which will help us know which account you are linked to. Please be as specific as possible with your request.

Supported Browsers

iScout strongly recommends the free Google Chrome web browser. It is a faster, more stable, more secure browser and is available on all operating systems. If Chrome is not an option, any browser apart from Internet Explorer is recommended.

iScout officially supports the latest two major releases of each major web browser.

Terms of Service

To view the iScout Terms of Service, please visit https://www.iscout.com/terms-of-service.

Whitelisting

If your organization filters web or mobile traffic, please whitelist *.iscout.com.

For email notifications, please whitelist *@iscout.com.

Learn more at https://iscout.com/it.





Please direct any additional questions to the iScout Support Team.




