Security & Compliance at Scell.io
Full transparency on our infrastructure, subprocessors, and commitments. Because trust must be earned — and proven.
Our certifications & commitments
Scell.io is built from the ground up to meet French and European regulatory requirements.
ISCA Self-certified
Integrity, Security, Conservation, Archiving — immutable SHA-256 hash chain + OpenTimestamps Bitcoin anchoring.
GDPR Compliant
Article 28 DPA available on demand. Data hosted exclusively in France (Scaleway). No data transfers outside the EU.
eIDAS EU-SES
Simple Electronic Signature compliant with eIDAS regulation (EU) 910/2014. Implemented via OpenAPI.com.
Factur-X / UBL / CII
EN16931-compliant formats. Submission to the official PDP SUPER PDP for B2B invoicing.
S3 Object Lock 11 years
Immutable storage of tax documents on S3 (COMPLIANCE mode). Pursuant to French Tax Code art. 54.
SOC 2 Type 1
Assessment planned by an independent third-party auditor.
ISO 27001
Certification in preparation as part of our security program.
Technical protection measures
A set of technical and organizational controls (TOM) applied by default across our entire infrastructure.
Encryption
AES-256 at rest. TLS 1.3 in transit. Laravel APP_KEY for sensitive database fields.
Tenant isolation (RLS)
PostgreSQL Row-Level Security. Each tenant only accesses their own data. Cross-tenant data leakage is impossible.
Admin MFA
Mandatory multi-factor authentication (TOTP) for all administrator accounts. Secure recovery codes.
Secured API Keys
Bcrypt-hashed API keys. Scoped by level (sk_live, sk_test). Instant revocation from dashboard.
Immutable audit trail
PostgreSQL SECURITY DEFINER trigger. Append-only audit logs. All fiscal changes are traced and archived.
CI/CD security scanning
Semgrep, Trivy, Composer audit and pnpm audit on every pipeline. Blocking vulnerabilities before merge.
24/7 Monitoring
Sentry EU for error detection. Real-time alerts. Centralized structured logs.
DR & RTO/RPO
Monthly DR test. Target RTO: 4h. Target RPO: 1h. Daily encrypted backups on Scaleway S3.
External pentest
External penetration test planned for Q3 2026. Reports shared with enterprise clients on request.
Our data subprocessors
All our subprocessors are located in the European Union or France. No data transfers outside the EU.
| Subprocessor | Location | DPA |
|---|---|---|
| Scaleway | France | Available |
| Stripe | EU (Ireland) | Available |
| SUPER PDP | France | Available |
| OpenAPI.com | EU | Available |
| Mistral AI | France | Available |
| BulkGate | EU (Czechia) | Available |
| Sentry (EU) | EU (Germany) | Available |
| Resend | EU | Available |
| PostHog EU | EU (Germany) | Available |
Receive subprocessor updates
Get notified by email when any change occurs in our subprocessor list.
Uptime & Status
99.9% SLA target. Incidents published in real time on our public status page.
The public status page is deployed independently from the API — available even during incidents.
SLA target
99.9% / month
View status page
status.scell.io
Incidents published transparently
View incident history
Contractual documentation
All our legal and contractual documents, available online.
Report a vulnerability
Identified a security issue? We take all reports seriously.
Vulnerability reporting
security@scell.io
Responsible disclosure. We respond within 48 business hours.
Bug Bounty
Bug bounty program being set up. Coming soon.
Our compliance program
Our compliance journey progresses transparently. Here is where we stand.
ISCA Self-certified
— Active. ISCA audit trail with immutable SHA-256 hash chain and OpenTimestamps anchoring on the Bitcoin blockchain.
SOC 2 Type 1
— Planned. Audit by an independent third-party. Report shared under NDA with enterprise clients.
ISO/IEC 27001
— Planned. Information security management system certification.
Questions about security or compliance?
Our team responds to compliance questions within 48h. For enterprise accounts, we offer dedicated calls to review our security architecture.