
Security Practices

RateScan enforces secure defaults at the platform level. This page documents the controls currently in place and the commitments we expect from each company that operates on the platform.

Authentication requirements

  • Passwords must be at least 12 characters long.
  • Owners acknowledge password best practices during onboarding. The acknowledgement is stored in the audit log.
  • Invited teammates are subject to the same password rules when they accept their invitations.
  • Multi-factor authentication (MFA) is rolling out. Once enabled for your workspace, owners will be prompted to enforce it company-wide.

Data handling principles

  • Uploaded rate confirmations are encrypted at rest in Google Cloud Firestore and Storage.
  • Exports are watermarked and logged. Each download is tied to a user ID and timestamp.
  • Companies should store exports in approved shared drives with access logging.
  • RateScan never emails documents directly; we use secure in-app downloads only.

Roles & permissions

  • Owners/Admins control company settings, manage users, and complete the security checklist.
  • Users can upload, review, and export documents once they acknowledge the teammate tutorial.
  • Role changes and critical updates are recorded with timestamps in Firestore.

Incident response

If you suspect unauthorized access to RateScan or exported documents, contact your company’s security email immediately. Owners can then reach out to RateScan support for audit assistance. Provide timestamps, affected load IDs, and any relevant screenshots.

Escalation — RateScan will temporarily suspend downloads for compromised users until the incident is resolved. Owners must complete the security checklist again if policy violations are confirmed.
