AICPA SOC for Service Organizations

Scowtt Trust Hub · /trust

Trust built for privacy-first growth

Scowtt helps enterprise teams activate first-party CRM engagement and GA4 web analytics for predictive growth while keeping customer data purpose-limited, tenant-separated, and customer-controlled.

"Your customer data powers your growth — not anyone else's."

Scowtt uses customer-approved data to generate customer-specific predictions, conversion values, insights, and workflow outputs. Customer data is not sold, pooled, co-mingled, or used to train models for other organizations.

SOC 2 Type II PII not required Annual pen testing Dedicated GCP project per client Materials available under NDA

Trust Snapshot

Security and compliance at a glance

SOC 2 Type II

Report available under NDA

PII not required

Model runs on behavioral and outcome signals

Annual pen testing

Third-party external security assessment

Tenant isolation

Dedicated GCP project per client

The Data Boundary

How customer data flows through Scowtt

Customer-approved data enters an isolated Scowtt environment and customer-approved outputs leave. Customer data is not sold, pooled, co-mingled, or used for cross-customer learning.

Customer-approved sources
  • CRM engagement data
  • Revenue outcomes
  • GA4 web analytics
  • Campaign signals
Customer-specific trust boundary
  • Dedicated Scowtt environment
  • Isolated GCP project per client
  • Customer-specific modeling
  • Role-based access controls
  • No cross-customer learning
Customer-approved outputs
  • Predictive conversion values
  • CRM writebacks
  • Sales workflow outputs
  • Approved ad platform signals
NeverNo sellingNo shared audiencesNo cross-customer learningNo raw CRM data to ad platformsNo data co-mingling

The Scowtt Trust Model

Promise. Proof. Process.

Promise

Clear customer data commitments

  • No sale of customer data
  • No cross-customer learning
  • No shared audiences
  • Customer-controlled activation
Proof

Architecture and controls that support the promise

  • Dedicated isolated GCP project per client
  • Encryption in transit and at rest
  • Least-privilege access
  • SOC and pen test materials under NDA
Process

Repeatable enterprise review motion

  • Security packet available under NDA
  • DPA and subprocessor review
  • Questionnaire support
  • Legal and Engineering-validated claims

Data Usage

What Scowtt does — and does not do — with customer data

Scowtt uses customer-approved data only to provide Scowtt services for that customer. Customer data is not sold, pooled, co-mingled, or used to train or improve models, scores, audiences, or outputs for another organization.

Commitment

Customer-specific use

Customer Data is used to generate predictive scores, conversion values, insights, recommendations, and workflow outputs for that customer only.

Commitment

No cross-customer learning

Scowtt does not use one customer's data to train, tune, improve, or evaluate models, predictions, scores, audiences, or outputs for another customer.

Commitment

No shared audiences

Scowtt does not sell customer data, create shared audiences from customer data, or make one customer's data available to another customer.

Commitment

No data co-mingling

Each client runs in a dedicated, isolated GCP project. Cross-tenant data access is not possible through normal operations.

Commitment

Customer-controlled activation

Customers control which data sources are connected, which destinations are enabled, and where configured outputs are sent.

Commitment

No raw CRM data to ad platforms

Scowtt sends configured outputs such as click IDs, predicted values, and hashed identifiers where applicable. Raw CRM records, sales notes, and full customer records are not transmitted.

Data Handling & Activation

Designed to minimize data movement

Scowtt ingests only the data needed to deliver predictive growth. Integration is either a customer-initiated push or a read-only pull with scoped credentials. Scowtt never requests write access to client systems.

01 — What we ingest

CRM engagement and outcome data such as lead status, appointment records, sales stage, revenue outcomes, and GA4 web analytics.

02 — What we do not require

Scowtt does not require PII to run predictive models. The model runs on behavioral, engagement, and outcome signals.

03 — What ad platforms receive

A click ID, a predicted dollar value, and, where applicable, hashed identifiers for matching.

04 — What ad platforms do not receive

No raw personal data, raw CRM fields, sales notes, full customer records, or customer-specific business intelligence.

Data retention

Customer Data is retained for the contract term and deleted in full upon termination. Deletion is available on request at any time, subject to legal, security, and backup requirements.

AI & Models

Customer-specific intelligence, not shared network learning

Scowtt uses customer-approved data to generate predictions and outputs for that customer's business objectives. Customer data is not used to train, tune, or improve models for other organizations.

Customer-specific models No generalized training No cross-customer tuning Subprocessor restrictions

Customer-specific models

Predictions and outputs are generated for the customer that provided or authorized the data. Every model, score, and output is scoped to that customer's environment.

Security Controls

Enterprise-grade controls for customer data protection

Tenant isolation

Each client runs in a dedicated, isolated GCP project.

Authentication

Centralized SSO with mandatory MFA for all business-critical systems.

Production access

Production access is limited to authorized personnel with a business need.

Encryption

AES-256 at rest using AWS KMS or GCP Cloud KMS. TLS 1.2 minimum in transit, TLS 1.3 prioritized.

Access governance

Role-based, least-privilege access. Reviewed quarterly, revoked within one business day of termination.

Penetration testing

Annual third-party external penetration testing. Executive summary available under NDA.

Incident response

Target notification within 72 hours of a confirmed reportable breach, followed by post-incident review.

Subprocessors

Google Cloud Platform, AWS, and Descope for token management only. All reviewed for security and compliance.

Evidence Locker

Security materials available when your team needs them

Public

  • Data usage commitments
  • Security overview
  • Subprocessor summary
  • Trust FAQ
  • Security contact

Available under NDA

  • SOC 2 report
  • Penetration test summary
  • Data Processing Addendum
  • Subprocessor list
  • Data-flow overview
  • Security questionnaire responses
  • Architecture overview
  • Incident response overview

Internal only

  • Full control mappings
  • Sensitive infrastructure details
  • Vendor contracts
  • Incident response runbooks
  • Legal redlines and negotiation positions

Trust FAQ

Answers for security, privacy, legal, and procurement teams

Data usage

Do you train models on our data?

No. Scowtt does not use one customer's data to train, tune, improve, or evaluate models, predictions, scores, audiences, or outputs for another customer.

Is our data mixed with other customers' data?

No. Each client runs in a dedicated, isolated GCP project, and cross-tenant data access is not possible through normal operations.

Does Scowtt require PII?

No. Scowtt does not require PII to run predictive models. The model runs on behavioral, engagement, and outcome signals.

What data goes to ad platforms?

A click ID, a predicted dollar value, and, where applicable, hashed identifiers for matching. Raw CRM records, sales notes, and full customer records are not transmitted.

What happens when we terminate?

Customer Data is retained for the contract term and deleted in full upon termination. Deletion is available on request at any time, subject to legal, security, and backup requirements.

Security & enterprise review

How is production access controlled?

Production access is limited to authorized personnel with a business need, governed by role-based, least-privilege access that is reviewed quarterly.

How is data encrypted?

AES-256 at rest using AWS KMS or GCP Cloud KMS. TLS 1.2 minimum in transit, with TLS 1.3 prioritized.

Do you perform penetration testing?

Yes. Annual third-party external penetration testing is performed, and an executive summary is available under NDA.

What materials are available under NDA?

SOC 2 report, penetration test summary, Data Processing Addendum, subprocessor list, data-flow overview, security questionnaire responses, architecture overview, and incident response overview.

Can Scowtt complete our security questionnaire?

Yes. Scowtt provides security questionnaire responses and can complete standard questionnaires under NDA.

Need documentation for procurement, legal, or security review?

Scowtt can provide SOC materials, DPA, pen test summary, subprocessor details, data-flow overview, and security questionnaire responses under NDA.