Plain explanations of what Scout reads, where it’s stored, who can see it, and what you can do if you want it back or want it gone. Written for the agency owner, the IT lead, and the procurement person - not the marketing team.
Scout is multi-tenant by design. Every table holding client data has a workspace_id column and a Postgres row-level security policy that prevents cross-workspace reads - even if the application layer made a mistake. Two layers, not one.
Your agency’s data is invisible to every other agency on Scout. Your clients’ data is scoped per workspace, never blended.
Every integration connects via OAuth, scoped to read-only where the platform supports it. You revoke access from the platform’s own admin at any time. We never store passwords, only refresh tokens, and we rotate them according to each platform’s recommendations.
Per-platform scope breakdown is published - ask us for the current list.
A deliberate product decision, not a missing feature. Reporting and write actions are different jobs. Scout does one of them. Your campaigns, flows, and budgets are touched by humans - not by a layer of automation you can’t fully see. We don’t plan to change this.
Scout uses Anthropic’s Claude API under a commercial agreement that excludes your data from model training. Your client memory, your voice profile, your reports - none of it is used to improve Claude or any other model.
Application hosted on Vercel. Database and storage on Supabase (managed Postgres). Region selectable at workspace creation. Daily encrypted backups with 30-day retention; point-in-time recovery available on request.
Memory exports as markdown or JSON, one click, no friction. Reports export as markdown, PDF, or Word. On account closure, your data is deleted within 30 days; sooner on request. We provide written confirmation of deletion.
We maintain a documented breach response plan. In the event of an incident affecting your data, affected agencies are notified within 72 hours, with what we know, what we’re doing, and what (if anything) you should do. Public summary of the runbook available on request.
SOC 2 Type I in progress. Type II planned post-launch. Ask for the current status.
Security questions, DPA requests, anything procurement needs: security@askscout.app. We reply within one business day.