
Security & Trust

Last updated: June 2026 · Scaled Consulting Limited · Company no. 13828419

How ScaledOS protects your data - infrastructure, encryption, AI data handling, access controls and our breach response commitments.

Plain-English summary: ScaledOS is built on Google Cloud with UK/EEA data residency. Your financial data is encrypted in transit and at rest. AI features run on Google's paid tier - your data is never used to train any model. We take security seriously and will notify you within 72 hours of any breach that affects your data.

Infrastructure

Component | Detail
Hosting provider | Google Cloud Platform (GCP)
Data residency | United Kingdom and European Economic Area (EEA)
Framework | Next.js 14, Firebase, hosted on GCP infrastructure
Database | Firebase / Firestore with encryption at rest
Authentication | Secure login with encrypted session management

Data security

Encryption

  • In transit: All data transmitted between your browser and ScaledOS is encrypted using TLS 1.2 or higher (HTTPS). We enforce HTTPS on all endpoints and do not permit unencrypted connections.
  • At rest: All data stored in our database is encrypted at rest using AES-256, managed by Google Cloud.

Access

  • Only authorised Scaled personnel and our development partner (Polyphrōn) have access to production systems, on a strict need-to-know basis.
  • Access to production data requires authentication and is logged.
  • No third parties have access to your individual data except as described in our Privacy Policy.

Development practices

  • The platform is built and maintained under a formal Statement of Work with documented security requirements.
  • We do not use production data in development or testing environments.
  • Security vulnerabilities are triaged and addressed as a priority - critical issues within 2 to 5 business days.

AI and your data

ScaledOS uses AI in one optional feature: automated extraction of figures from an uploaded P&L document.

Question | Answer
Which AI service is used? | Google Gemini API - paid tier only
Does Google train on our data? | No. The paid Gemini API does not use submitted data to train models. This is confirmed by Google's enterprise terms.
What is sent to the AI? | Only the contents of your uploaded P&L document
Is your name, email or account data sent? | Never. Only the document is transmitted, without any identifying metadata
Can I avoid AI entirely? | Yes. Manual entry is always available and sends nothing to any AI service
Does the Buyer's Verdict use my financials? | No. It receives only your EV score and domain sub-scores - never your raw figures or identity

We do not use any free AI tiers, consumer AI products or AI services that train on submitted data.

Access controls

  • Your account is protected by password authentication. We recommend using a strong, unique password.
  • We do not store your password in plain text - passwords are hashed using industry-standard algorithms.
  • Session tokens expire automatically. You are logged out after a period of inactivity.
  • You can close your account and request data deletion at any time - see our Privacy Policy.

Data retention and deletion

We retain your data for as long as your account is active. Full retention schedules are in our Privacy Policy. Key points:

  • Raw P&L files you upload are deleted within 30 days of upload
  • Diagnostic submissions and scores are retained so you can track your EV trajectory over time
  • On account deletion, all identifiable data is removed within 30 days
  • Anonymised, aggregated benchmark data is retained indefinitely and cannot be traced back to you

Breach response

In the event of a personal data breach that is likely to affect your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware, where required by UK GDPR
  • Notify affected users without undue delay, with details of what happened, what data was affected, and the steps we have taken
  • Maintain a breach log and carry out a root cause analysis

Our development partner Polyphrōn is contractually required to notify us of any breach within 24 hours of discovery during the development period.

Your role in security

Security is a shared responsibility. To keep your account secure:

  • Use a strong, unique password for your ScaledOS account
  • Do not share your login credentials with anyone
  • Log out when using shared devices
  • Contact us immediately if you suspect your account has been compromised

Report a security concern

If you discover a security vulnerability or have a concern about how we handle data, please contact us promptly. We take all reports seriously and will acknowledge receipt within 2 business days.

Email: privacy@scaled.co.uk
Subject line: Security concern - ScaledOS

Please do not publicly disclose any vulnerability until we have had a reasonable opportunity to investigate and address it.

Scaled Consulting Limited · Company no. 13828419
Old Warden, St. Anns Fort, King's Lynn, England, PE30 1QS
