This page summarizes Scout Lunar's security posture, infrastructure, and compliance position for family-office IT teams and counsel. For a signed copy, pre-answered SIG Lite, or custom vendor-assessment questionnaire, write to security@scoutlunar.com.
Authentication & access
Every portal sign-in requires multi-factor authentication via a TOTP authenticator app. Service-to-service authentication uses JWT bearer tokens backed by certificate-signed private keys held in AWS Secrets Manager — no passwords are transmitted between systems. Tokens are cached for a maximum of two hours and rotated automatically.
Access to client data inside the portal is governed by a junction object that maps each advisor to the specific clients they are authorized to view. Removing an advisor revokes access immediately on the next page load; no shared link can survive that revocation.
Data protection
All traffic is encrypted in transit over TLS 1.2 or higher. Data at rest in Salesforce and Amazon DynamoDB uses provider-managed AES-256 encryption.
No third-party AI handles your client data. Every visualization in the portal — strategy compass, batting average, state heatmap, peer comparison — is computed in your dedicated Salesforce org and rendered in your browser. No client information is sent to OpenAI, Anthropic, Google, or any other inference provider.
Product analytics (Mixpanel) record only anonymous event names and hashed identifiers; the user's IP address is suppressed at the SDK and personal identifiers never leave the Salesforce boundary.
Audit & monitoring
Every privileged AWS action is logged to a CloudTrail audit trail with log-file validation enabled and seven-year retention (one year in CloudWatch, then Glacier). Real-time CloudWatch alarms notify the security inbox on:
- Access denied — more than five AccessDenied events in any five-minute window
- IAM policy — any modification to identity or access policies
- Failed login — more than three console sign-in failures in five minutes
- Secrets access — more than ten secret reads in five minutes
- Network change — any security-group or VPC modification
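The five thresholds listed above, expressed as sliding-window detection logic over CloudTrail-style records. This is an added example, not Scout Lunar's alarm configuration; the CloudTrail event names assigned to each rule, the helper names, and the sample records are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
# Assumed mapping of "IAM policy" and "network change" to CloudTrail event names;
# the page does not list the exact events its alarms match.
IAM_EVENTS = {"PutRolePolicy", "DeleteRolePolicy", "AttachRolePolicy",
              "DetachRolePolicy", "CreatePolicyVersion"}
NET_EVENTS = {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress",
              "CreateSecurityGroup", "DeleteSecurityGroup", "CreateVpc", "DeleteVpc"}

def login_failed(e):
    return (e["eventName"] == "ConsoleLogin"
            and (e.get("responseElements") or {}).get("ConsoleLogin") == "Failure")

# rule -> (predicate, threshold); a rule fires when matches in the window exceed it.
RULES = {
    "access_denied": (lambda e: e.get("errorCode") == "AccessDenied", 5),
    "iam_policy": (lambda e: e["eventName"] in IAM_EVENTS, 0),
    "failed_login": (login_failed, 3),
    "secrets_access": (lambda e: e["eventName"] == "GetSecretValue", 10),
    "network_change": (lambda e: e["eventName"] in NET_EVENTS, 0),
}

def evaluate(events):
    """Return [(rule, eventTime)] for every event that puts a rule over threshold."""
    windows = {name: deque() for name in RULES}
    fired = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        for name, (match, threshold) in RULES.items():
            if not match(ev):
                continue
            win = windows[name]
            win.append(ts)
            while ts - win[0] >= WINDOW:  # drop matches older than five minutes
                win.popleft()
            if len(win) > threshold:
                fired.append((name, ev["eventTime"]))
    return fired

def make_event(mmss, name, **fields):
    return {"eventTime": f"2024-01-01T00:{mmss}Z", "eventName": name, **fields}

# Constructed sample: six denials in one minute, one policy change,
# four login failures spread over six minutes, one secret read.
FAIL = {"responseElements": {"ConsoleLogin": "Failure"}}
SAMPLE = ([make_event(f"00:{s:02d}", "GetObject", errorCode="AccessDenied")
           for s in range(0, 60, 10)]
          + [make_event("02:00", "AttachRolePolicy"), make_event("20:00", "GetSecretValue")]
          + [make_event(f"{m}:00", "ConsoleLogin", **FAIL) for m in (10, 12, 14, 16)])
```

The four login failures in the sample do not fire because no five-minute span contains more than three of them. An alarm that sums over fixed five-minute periods instead of a sliding window can miss a burst that straddles a period boundary.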
Platform health is published continuously at status.scoutlunar.com. Incident notifications and post-mortems are published there within twenty-four hours of resolution.
Infrastructure
Scout Lunar runs on two trusted backbones: Salesforce Production (US data residency, SOC 2 Type II, ISO 27001) and Amazon Web Services US-West (SOC 2 Type II, FedRAMP Moderate, HIPAA-eligible).
IAM policies follow least privilege: each Lambda function has access only to the specific DynamoDB tables and Secrets Manager entries it requires, with explicit denials on destructive operations. Public endpoints require API-key authentication, and the keys are rotated every ninety days.
Compliance posture
Scout Lunar inherits the underlying compliance certifications of its providers.
- SOC 2: Inherited from Salesforce (Type II) and AWS (Type II).
- ISO 27001: Inherited from Salesforce and AWS.
- GDPR: Architecture supports data-subject access, rectification, and erasure.
- CCPA / CPRA: Data export and deletion supported on request. Sale of personal information: never.
- PCI DSS: Not applicable — Scout Lunar does not process card data.
Intellectual property
The structure, algorithms, and data-processing methods used in Scout Lunar's Salesforce and AWS systems are patent pending. Access to the product is granted under a mutual non-disclosure agreement.
Questions & questionnaires
For SIG Lite, CAIQ, or a custom vendor-assessment questionnaire, write to security@scoutlunar.com. Pre-answered SIG Lite is available within one business day under NDA.
Scout Lunar, Inc. · Corte Madera, CA · Patent pending