Security & Access Control

Scrapalot provides enterprise-grade security to protect your data and control access to your knowledge base.

Security Features

Authentication

JWT-based secure authentication

What you get:

• Secure login with encrypted passwords
• Session management with token refresh
• Automatic token expiration
• OAuth 2.0 support (Google)

Token lifecycle:

• Access token: 24 hours
• Refresh token: 30 days
• Automatic refresh before expiration
• Secure token storage

Authorization

Role-based access control

User roles:

• Admin: Full system access, user management
• User: Standard access to own content
• Guest: Read-only access (if enabled)

Workspace permissions:

• Owner: Full control, can delete and manage
• Editor: Add/edit documents and queries
• Viewer: Read-only access to content

Data Isolation

Multi-tenant security

How it works:

• Your data completely separated from other users
• Database-level isolation (Row Level Security)
• Workspace-based boundaries
• Cannot access other users' content

What's protected:

• Workspaces and collections
• Documents and content
• Chat history and queries
• Settings and preferences

Access Control

Workspace Sharing

Collaborate securely with your team

Sharing features:

• Share workspace with team members
• Control permission levels per user
• Revoke access anytime
• Audit trail of sharing activity

Permission levels:

Owner:

• Full control over workspace
• Can delete workspace
• Manage sharing and permissions
• Access all features

Editor:

• Upload and organize documents
• Create and manage collections
• Query documents
• Cannot delete workspace or change sharing

Viewer:

• View documents and collections
• Query documents
• View chat history
• Cannot modify anything

OAuth 2.0 Integration

Secure authentication with Google

Benefits:

• No password to remember
• Industry-standard security
• Revoke access from Google account
• Automatic token refresh

How it works:

1. Click "Sign in with Google"
2. Authorize Scrapalot in Google
3. Automatic account creation/login
4. Secure session established

What Scrapalot accesses:

• Email address (for account identification)
• Basic profile information
• No access to your Google Drive or other data

Data Protection

Encryption

Data in transit:

• All connections use TLS 1.2+ encryption
• HTTPS for all web traffic
• Secure WebSocket connections
• Encrypted database connections

Data at rest:

• Database encryption (via Supabase or your config)
• API keys encrypted with strong algorithms
• Passwords hashed with bcrypt (12 rounds)
• Secure credential storage

Privacy

Your data stays yours:

• No data sharing with third parties
• No selling of data
• Optional telemetry (disabled by default)
• Self-hosting for complete control

What Scrapalot stores:

• Your uploaded documents
• Chat queries and responses
• User profile information
• Usage analytics (if enabled)

What Scrapalot doesn't store:

• Plain-text passwords
• Credit card information
• Unnecessary personal data

Self-Hosting for Maximum Privacy

Complete data sovereignty:

• Host on your infrastructure
• Data never leaves your network
• Use local AI models only
• Full audit trail
• Air-gapped deployments possible

Security Best Practices

Password Security

For password-based logins:

• Minimum 12 characters recommended
• Mix of letters, numbers, symbols
• Unique password for Scrapalot
• Use password manager
• Enable OAuth if available

System protection:

• Passwords hashed with bcrypt
• Never stored in plain text
• Secure password reset flow
• Account lockout after failed attempts

API Key Management

Secure API access:

• Generate unique keys per application
• Name keys by purpose
• Rotate keys periodically
• Revoke unused keys immediately
• Never commit keys to code

Key security:

• Keys encrypted at rest
• Transmitted only over HTTPS
• Separate keys for different environments
• Read-only keys when possible

Network Security

Protect your deployment:

• Use HTTPS in production (required)
• Configure firewall rules
• Limit database access
• Use VPN for remote access
• Monitor access logs

Recommended setup:

• TLS certificate from Let's Encrypt
• Firewall allowing only necessary ports
• Database on private network
• Regular security updates

Monitoring & Auditing

Access Logging

Track who accesses what:

• Login attempts and sessions
• Document access
• Workspace changes
• Permission modifications
• API usage

Use for:

• Security auditing
• Compliance requirements
• Troubleshooting access issues
• Usage analysis

Security Events

Get notified of:

• Multiple failed login attempts
• New device logins
• Permission changes
• Unusual access patterns
• API key usage

Compliance

Data Privacy

GDPR compliance features:

• User data export (JSON format)
• Account deletion (full data removal)
• Consent management
• Data retention policies
• Privacy policy support

Your rights:

• Access your data
• Correct your data
• Delete your account
• Export your data
• Withdraw consent

Data Retention

Configurable retention:

• Active user data: Indefinite
• Deleted content: 30 days
• Chat history: Configurable
• Audit logs: 1 year (recommended)
• Backups: Per your policy

Security Incident Response

If You Suspect a Breach

Immediate steps:

1. Change your password
2. Revoke all API keys
3. Review access logs
4. Check recent activity
5. Contact administrator (if shared deployment)

For administrators:

1. Lock affected accounts
2. Review security logs
3. Identify scope of access
4. Restore from backup if needed
5. Update security measures

Prevention

Stay secure:

• Keep software updated
• Use strong, unique passwords
• Enable multi-factor authentication (if configured)
• Review permissions regularly
• Monitor access logs
• Educate team members

Security Configuration

Production Deployment

Essential security measures:

• HTTPS only (no HTTP)
• Strong JWT secret key
• Secure database credentials
• Rate limiting enabled
• CORS properly configured
• Security headers set

Environment variables:

• Never hardcode secrets
• Use environment variables
• Rotate secrets regularly
• Limit access to production configs

Database Security

Protect your data:

• Use strong database password
• Enable SSL for connections
• Restrict network access
• Regular backups
• Monitor connection logs

Row Level Security:

• Automatic data isolation
• Enforced at database level
• Cannot be bypassed
• Tested and verified

Troubleshooting

Cannot Access Workspace

Check:

• You have permission to workspace
• Workspace not deleted
• Your account is active
• Session not expired

Solutions:

• Re-login to refresh session
• Ask owner to verify permissions
• Check account status
• Contact administrator

API Key Not Working

Verify:

• Key copied correctly (no extra spaces)
• Key not expired or revoked
• Correct permissions for operation
• API endpoint accessible

Fix:

• Generate new API key
• Check key permissions
• Verify API endpoint
• Review error messages

Suspicious Activity Alert

If you see unexpected activity:

1. Change password immediately
2. Revoke all API keys
3. Review recent access logs
4. Check workspace sharing
5. Contact support if needed

Related Documentation

• Database Design - Data storage and isolation
• API Reference - Authentication endpoints
• Deployment Guide - Production security setup
• User Guide - Using security features

---

Security is built into every layer of Scrapalot. Your data is protected by industry-standard security measures and complete isolation from other users.