Privacy Policy

This policy explains how sceap collects, uses, and protects your information when you use the sceap enterprise platform.

1. Information We Collect

We collect information you provide directly, including:

• Account information (name, email address, username)
• Profile data (job title, department, profile picture)
• Usage data and activity logs within the platform
• Device and session information for authentication purposes
• Communications when you contact support

2. How We Use Your Information

• Provide, maintain, and improve the sceap platform
• Authenticate users via sceapID (Keycloak SSO)
• Send transactional notifications (account alerts, security notices)
• Analyze usage patterns to improve platform features
• Comply with legal obligations and enforce our terms

3. Data Storage and Security

All data is stored on servers in the United States. Data in transit is encrypted with TLS 1.2+. Data at rest is protected by disk encryption. We maintain access logs and audit trails for security monitoring.

4. Data Sharing

We do not sell your personal data. We may share data with:

• Service providers acting on our behalf (hosting, email delivery)
• Other users within your organization where required for collaboration features
• Law enforcement when required by applicable law
• Successor entities in the event of a merger or acquisition

5. Data Retention

We retain account data for the duration of your subscription plus 90 days. Logs are retained for 12 months. You may request earlier deletion by contacting privacy@sceap.co.

6. Your Rights

You have the right to access, correct, or delete your personal data. You may also request a copy of your data in a portable format. Contact privacy@sceap.co to exercise these rights. We respond within 30 days.

7. Children's Privacy

The sceap platform is intended for enterprise use and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors.

8. Changes to This Policy

We may update this policy periodically. Continued use after changes constitutes acceptance. Material changes will be communicated via email or in-platform notification.

9. Contact

Privacy inquiries: privacy@sceap.co

Terms of Service

By accessing or using the sceap platform, you agree to be bound by these Terms of Service and all applicable laws.

1. Acceptance of Terms

By accessing or using sceap, you agree to these Terms. If you are using sceap on behalf of an organization, you represent that you have authority to bind that organization. If you do not agree, you may not use the platform.

2. Permitted Use

sceap is an enterprise platform for internal business use. Permitted uses include:

• Managing organizational data via CRM, Teamwork, and Files modules
• Communicating via integrated Matrix messaging
• Managing DNS records, services, and infrastructure
• Developing applications using the sceap API
• Accessing and managing organizational devices via sceapMDM

3. Prohibited Use

You may not:

• Use the platform for illegal activities or to violate any laws
• Attempt unauthorized access to any system, account, or data
• Share credentials or access with unauthorized parties
• Interfere with platform availability, performance, or security
• Reverse engineer, decompile, or disassemble any platform component
• Scrape or extract data in an automated manner without authorization
• Use the platform to send unsolicited communications

4. Accounts and Security

Accounts are provisioned via sceapID (Keycloak). You are responsible for maintaining the confidentiality of your credentials and all activities under your account. Report suspected compromises to security@sceap.co immediately.

5. Intellectual Property

The sceap platform, its design, software, and documentation are the property of sceap. You retain full ownership of all data you upload, create, or store within the platform. You grant sceap a limited license to process your data solely to provide the service.

6. Service Availability

We strive for 99.9% availability but do not guarantee uninterrupted service. Scheduled maintenance may cause temporary downtime. We will provide advance notice of planned maintenance where possible. Live service status is available at health.sceap.co.

7. Limitation of Liability

To the maximum extent permitted by law, sceap is not liable for indirect, incidental, special, or consequential damages. Our total aggregate liability shall not exceed fees paid in the prior 12-month period.

8. Indemnification

You agree to indemnify and hold harmless sceap from any claims, losses, or damages arising from your breach of these Terms or misuse of the platform.

9. Termination

Either party may terminate this agreement. We may suspend or terminate accounts that violate these terms without prior notice. You may cancel by contacting admin@sceap.co. Upon termination, your data will be retained for 90 days then deleted.

10. Governing Law

These Terms are governed by the laws of the United States, without regard to conflict of law provisions. Disputes shall be resolved by binding arbitration in accordance with applicable rules.

11. Changes to Terms

We may update these Terms. Continued use after changes constitutes acceptance. Material changes will be communicated with at least 30 days notice.

12. Contact

Legal inquiries: legal@sceap.co

Acceptable Use Policy

This policy defines acceptable and prohibited use of the sceap platform and all associated services. All users must comply with this policy.

1. Scope

This policy applies to all users of the sceap platform, including employees, contractors, and third parties granted access. It covers all sceap services including the dashboard, CRM, messaging, file storage, DNS management, VPN, and email.

2. Acceptable Use

You may use the sceap platform to:

• Perform work-related tasks within your authorized role and department
• Collaborate with authorized colleagues within your organization
• Access only resources and data necessary for your role
• Develop and test applications using the sceap API within rate limits
• Access internal services via VPN when working remotely

3. Prohibited Activities

The following are strictly prohibited:

• Unauthorized access: Accessing accounts, systems, or data you are not authorized to access
• Credential sharing: Sharing passwords, API keys, or access tokens with others
• Malware and attacks: Uploading malicious code, conducting vulnerability scans without authorization, or performing denial-of-service attacks
• Data exfiltration: Extracting organizational data for unauthorized purposes
• Illegal content: Storing, transmitting, or processing any content that violates applicable laws
• Harassment: Using platform messaging or communication tools to harass, threaten, or abuse others
• Resource abuse: Consuming excessive platform resources, running crypto miners, or otherwise disrupting service for others
• Circumvention: Attempting to bypass security controls, logging, or monitoring systems

4. Personal Use

Limited personal use of sceap services (such as email) is permitted provided it does not interfere with work responsibilities, does not violate this policy, and does not expose the organization to legal or reputational risk.

5. Monitoring

You should have no expectation of privacy when using sceap platform resources. System activity may be logged and monitored in accordance with applicable law and organizational policy for security and compliance purposes.

6. Reporting Violations

Report suspected violations to security@sceap.co or use the Report a Concern form.

7. Enforcement

Violations may result in suspension or termination of platform access and may be referred to HR or law enforcement where appropriate.

8. Contact

Questions about acceptable use: legal@sceap.co

Cookie Policy

This policy describes how sceap uses cookies and similar technologies on the sceap platform and related websites.

1. What Are Cookies

Cookies are small text files stored on your device by a website. They help websites function correctly, remember your preferences, and provide security features.

2. Essential & Functional Cookies

The following cookies are required for the platform to function:

• next-auth.session-token — Authentication session token (HttpOnly, Secure). Required for dashboard login. Expires at browser close or after 30 days.
• next-auth.csrf-token — CSRF protection for authentication forms (HttpOnly, Secure). Session-scoped.
• next-auth.callback-url — Stores the return URL after login. Session-scoped.
• sceap:theme — Stores your dark/light mode preference (localStorage). Persisted until cleared.
• sceap-locale — Stores your language preference. Persisted for 1 year.
• sceap:cookie-consent — Records your cookie consent choice. Persisted for 1 year.

Keycloak (sceapID) may set its own session cookies during the authentication flow. These are managed by the identity provider and are required for SSO functionality.

3. Analytics Cookies (with consent)

With your consent, sceap uses Google Analytics 4 (Measurement ID: G-D015BDQ8D3) to understand how visitors use our websites and improve your experience. Google Analytics collects:

• Page views, session duration, and navigation paths
• Browser, operating system, and device type
• General geographic location (country/region level, not precise)
• Scroll depth, outbound link clicks, and file downloads
• Core Web Vitals (page performance metrics)
• Aggregated usage patterns and feature adoption

Google Analytics data is processed by Google LLC (United States). We have configured GA4 with ad personalization signals disabled. No individual-level data is sold. For Google's privacy practices, see policies.google.com/privacy.

Analytics cookies are only loaded after you click "Got it" on the cookie consent banner. If you decline, no analytics cookies are set.

4. What We Do Not Use

sceap does not use:

• Advertising or retargeting cookies
• Social media tracking pixels
• Behavioral profiling for advertising purposes
• Cookie-based A/B testing or personalization services

5. Cookie Control

You can control cookies through your browser settings. Blocking essential authentication cookies will prevent you from logging into the platform. To withdraw analytics consent, use the button below or clear your browser's site data for sceap.co domains.

Reset cookie consent

6. Contact

Questions about cookies: privacy@sceap.co

Data Processing Agreement

This Data Processing Agreement (DPA) describes how sceap processes personal data on behalf of its enterprise customers in compliance with applicable data protection laws including GDPR.

1. Definitions

• Controller: The organization that determines the purposes and means of processing personal data (your organization).
• Processor: sceap, which processes personal data on behalf of the Controller.
• Data Subject: An identified or identifiable individual whose personal data is processed.
• Personal Data: Any information relating to an identified or identifiable person.

2. Subject Matter and Duration

sceap processes personal data for the duration of the service agreement, or until the Controller requests deletion. Processing includes storage, retrieval, structuring, and transmission of data for the purpose of providing the sceap enterprise platform.

3. Nature and Purpose of Processing

sceap processes personal data solely to:

• Provide user authentication and authorization via sceapID
• Store and serve user-generated content within platform modules (CRM, Files, Teamwork)
• Deliver email and communication services
• Maintain platform security, audit logs, and compliance records

4. Controller Obligations

The Controller is responsible for:

• Ensuring a lawful basis for processing personal data within the platform
• Notifying sceap of applicable legal requirements in their jurisdiction
• Obtaining required consents from data subjects where necessary
• Responding to data subject requests within required timeframes

5. Processor Obligations

sceap as Processor will:

• Process personal data only on documented instructions from the Controller
• Ensure staff processing data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to data subject requests
• Delete or return all personal data upon termination of the agreement
• Notify the Controller of any personal data breaches without undue delay

6. Sub-Processors

sceap uses the following sub-processors for platform infrastructure:

• Hosting and infrastructure providers (servers located in the United States)
• Transactional email delivery services

Controllers will be notified of new sub-processors at least 14 days in advance.

7. Data Transfers

Data is processed and stored in the United States. International data transfers are conducted in accordance with applicable transfer mechanisms under GDPR, including Standard Contractual Clauses where required.

8. Data Subject Rights

sceap will assist the Controller in fulfilling data subject rights requests including access, rectification, erasure, restriction, portability, and objection within 72 hours of receipt.

9. Security

sceap implements TLS 1.2+ for data in transit, disk encryption for data at rest, role-based access control, multi-factor authentication for administrative access, and regular security audits.

10. Contact

Data protection inquiries: privacy@sceap.co

Refund Policy

This policy covers refunds and credits for sceap platform subscriptions and services.

1. Subscription Plans

sceap offers monthly and annual enterprise subscriptions. Pricing is agreed upon individually with each organization through a service agreement.

2. Refund Eligibility

• Monthly plans: Refund requests accepted within 7 days of the billing date
• Annual plans: Pro-rated refund for unused months, requested within 30 days of the annual billing date
• Service credits: Automatically issued for outages exceeding 1 continuous hour in a calendar month (credit equivalent to 1 day of service per qualifying incident)

3. Non-Refundable Items

• Setup fees and onboarding services
• Custom development or integration work
• Domain registration fees
• Subscriptions beyond the applicable refund window
• Usage fees for consumption-based services already rendered

4. How to Request a Refund

1. Email billing@sceap.co with subject line "Refund Request — [Organization Name]"
2. Include your organization name, billing period, and invoice number if available
3. Describe the reason for the refund request

We respond within 3 business days. Approved refunds are processed within 5–10 business days to the original payment method.

5. Disputed Charges

Contact billing@sceap.co before initiating a chargeback. We will work to resolve disputes quickly and fairly.

6. Contact

Billing questions: billing@sceap.co

Security Policy

sceap takes security seriously. This page describes our security practices and how to report vulnerabilities.

1. Security Practices

• All communications are encrypted with TLS 1.2 or higher
• Authentication is managed via sceapID (Keycloak) with support for MFA
• Data at rest is encrypted using industry-standard algorithms
• Access to production systems is restricted, logged, and requires VPN
• Regular security reviews and dependency updates are performed
• Wildcard TLS certificates are used for all *.sceap.co subdomains
• Role-based access control (RBAC) enforced at API and UI layers

2. Authentication and Access Control

The sceap platform uses RBAC via sceapID (Keycloak SSO). All API requests require a valid Bearer token. Tokens expire and are refreshed automatically. Session data is never stored in client-accessible storage. Administrative access requires MFA.

3. Vulnerability Disclosure

We encourage responsible disclosure of security vulnerabilities. If you discover a security issue, please:

1. Email security@sceap.co with a description of the issue
2. Include steps to reproduce, potential impact, and your contact information
3. Allow us reasonable time to investigate and remediate before public disclosure
4. Do not access or modify user data, disrupt services, or perform destructive testing

We aim to respond to security reports within 24 hours and resolve confirmed vulnerabilities within 30 days.

4. Scope

In-scope for vulnerability reports:

• *.sceap.co web applications and APIs
• sceap CLI and native applications
• Authentication and authorization systems

Out of scope: Third-party services, denial of service attacks, and social engineering.

5. Incident Response

In the event of a security incident affecting your data, we will notify affected users within 72 hours of becoming aware of the breach, in accordance with GDPR and applicable data breach notification laws.

6. Security Contact

Security issues: security@sceap.co
For urgent issues, use the Report a Concern form.

Report a Concern

Use this form to report security vulnerabilities, privacy concerns, legal violations, or abusive use of the sceap platform. All reports are reviewed by our security team.

Contact by Topic

• Security vulnerabilities: security@sceap.co
• Privacy concerns: privacy@sceap.co
• Legal issues: legal@sceap.co
• Billing disputes: billing@sceap.co
• Support requests: support@sceap.co
• General inquiries: admin@sceap.co