Security
How SCOPERR protects the website and enquiries.
This page explains the practical security measures SCOPERR uses for its public website, contact form, and business enquiry workflow.
Security posture
SCOPERR treats website security as a business requirement, not an optional technical layer. Our approach is to collect only what we need, protect the contact form from abuse, keep operational access limited, and avoid claims of compliance certifications we do not currently hold.
1. Scope of this page
SCOPERR is operated by SCOPERR LLC, a Wyoming, United States limited liability company.
This Security page covers the public SCOPERR website, contact form, and enquiry-handling workflow. Client projects, private codebases, production systems, infrastructure access, and managed environments are governed by separate project agreements and security requirements.
2. Core security principles
We aim to collect only the information needed to respond to an enquiry and protect the website.
Public forms include validation, origin checks, CSRF protection, and bot protection.
Production secrets, email credentials, and infrastructure access should be restricted to authorized operators only.
We do not claim SOC 2, ISO 27001, HIPAA, PCI, or similar certification unless formally achieved.
3. Website and transport security
The SCOPERR website is designed to be served over HTTPS. HTTPS helps protect information in transit between a visitor’s browser and the website.
We aim to use secure production configuration, restricted environment variables, and reputable hosting infrastructure for public website delivery.
4. Contact form protections
The contact form includes multiple controls to reduce spam, automated abuse, and unsafe submissions.
- CSRF protection: the form uses a contact-specific CSRF token and validates it on submission.
- Origin validation: requests are checked against expected website origins.
- Bot protection: Cloudflare Turnstile helps verify that submissions are likely to come from real users.
- Rate limiting: IP-derived and email-derived limits reduce repeated abuse.
- Honeypot field: hidden fields help detect automated form filling.
- Validation: name, email, project fields, message length, content size, and link counts are validated server-side.
- Duplicate detection: short-lived duplicate checks reduce repeated submissions.
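How the server-side controls listed above can be chained into one check, as an added example that is not SCOPERR's own code. The origin, limits, field names (`csrf`, `website` as the honeypot) and in-memory `Map` stores are assumptions, and the Turnstile verification step is left out because it needs a network call.

```javascript
const crypto = require("node:crypto");

// Assumed policy values (hypothetical; the page does not publish its limits).
const ALLOWED_ORIGINS = new Set(["https://www.example.com"]);
const LIMITS = { perKey: 3, windowMs: 10 * 60_000, dupMs: 5 * 60_000, maxMsg: 4000, maxLinks: 2 };

// Derived identifier: a keyed hash, so stores and emails never carry the raw IP or address.
const derive = (secret, v) =>
  crypto.createHmac("sha256", secret).update(v.trim().toLowerCase()).digest("hex").slice(0, 16);

// Constant-time comparison of the submitted CSRF token with the session's token.
function tokensMatch(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Sliding-window counter; rejected attempts are counted too.
function overLimit(hits, key, now) {
  const recent = (hits.get(key) || []).filter((t) => now - t < LIMITS.windowMs);
  recent.push(now);
  hits.set(key, recent);
  return recent.length > LIMITS.perKey;
}

// Returns { ok, reason }; checks run cheapest-first and stop at the first failure.
function checkSubmission(req, state, now = Date.now()) {
  const { origin, ip, sessionCsrf, body } = req;
  if (!ALLOWED_ORIGINS.has(origin)) return { ok: false, reason: "origin" };
  if (!tokensMatch(body.csrf, sessionCsrf)) return { ok: false, reason: "csrf" };
  if (body.website) return { ok: false, reason: "honeypot" }; // hidden field must stay empty
  const msg = String(body.message || "");
  const links = (msg.match(/https?:\/\//gi) || []).length;
  const emailOk = /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(body.email || "");
  if (!emailOk || !msg.trim() || msg.length > LIMITS.maxMsg || links > LIMITS.maxLinks)
    return { ok: false, reason: "validation" };
  // Both counters are updated before deciding, so neither limit can be skipped.
  const ipHit = overLimit(state.hits, "ip:" + derive(state.secret, ip), now);
  const mailHit = overLimit(state.hits, "mail:" + derive(state.secret, body.email), now);
  if (ipHit || mailHit) return { ok: false, reason: "rate" };
  // Short-lived duplicate check on a hash of sender plus message.
  const dupKey = derive(state.secret, body.email + "\n" + msg);
  const seen = state.dups.get(dupKey);
  state.dups.set(dupKey, now);
  if (seen !== undefined && now - seen < LIMITS.dupMs) return { ok: false, reason: "duplicate" };
  return { ok: true, reason: null };
}
```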
5. Data handling
Contact enquiries are used for business communication and project evaluation. We avoid placing unnecessary sensitive data in the public contact flow. The contact form should not be used to send passwords, production credentials, private keys, regulated sensitive data, or confidential third-party material.
Security metadata may be used to detect abuse and protect the website. Where practical, we use derived or limited identifiers for abuse prevention instead of exposing raw security data in routine business emails.
6. Infrastructure and third-party providers
SCOPERR may rely on reputable third-party infrastructure and service providers for hosting, email delivery, anti-bot protection, and short-lived rate limiting. These providers may process limited data needed to deliver their services.
- Used to serve the website, API routes, static assets, and deployment infrastructure.
- Used to receive website enquiries and reply to potential clients.
- Used to protect the contact form against automated abuse and bot submissions.
- Used or planned for short-lived rate limiting and duplicate-submission controls.
7. Access control
Production access should be limited to authorized operators who need it for business or technical reasons. Access to hosting dashboards, email accounts, environment variables, SMTP credentials, and security tokens should use strong authentication and should not be shared casually.
Secrets should be stored in environment variables or secure provider settings, not committed to source control.
8. Email security
Website enquiries are delivered through email. Email is useful for business communication, but it is not the right channel for passwords, production secrets, private keys, or highly sensitive materials.
SCOPERR may use sender authentication records such as SPF, DKIM, and DMARC where supported by the email provider and DNS setup. These controls help reduce spoofing risk and improve email reliability.
9. Vulnerability handling
If we identify a security issue, we aim to triage it, limit exposure, apply a fix, review impact, and communicate when appropriate. The exact response depends on severity, affected systems, user impact, legal obligations, and available evidence.
10. Responsible disclosure
If you believe you found a vulnerability on the SCOPERR website, email legal@scoperr.com with a clear description, steps to reproduce, affected URL, potential impact, and any relevant screenshots or logs.
Do not exploit, disrupt, access, modify, delete, or exfiltrate data. Do not perform denial-of-service testing, spam testing, social engineering, physical attacks, or attacks against third-party services.
11. No certification claim
Unless explicitly stated in a signed agreement or published certification notice, SCOPERR does not claim to be SOC 2, ISO 27001, HIPAA, PCI DSS, or otherwise independently certified. Security commitments for client projects should be documented in the relevant project agreement.
Report a security concern
Email legal@scoperr.com with the subject line Security Report for SCOPERR.
