// TRUST

# Enterprise-ready security, audited by third parties.

 Everything your security team needs to clear Scrapfly as a vendor. SOC 2 Type II, ISO 27001, SOC 3, and GDPR are live. Trusted by enterprise, government, and academic customers. The full procurement package is one click away.

 [  Visit Trust Portal ](https://trust.inc/org_695c03cda42fc2450f034183) [  Download SOC 3 ](https://cdn.scrapfly.io/0.1.241/www/public/compliance/SCRAPFLY-SOC-III-CERTIFICATE.pdf?version=0.1.241) [ Browse all certifications → ](#certifications) 

 


 



 

 

 

---

 ## 30k+

enterprise, government, and academic customers

 



 

 

 

---

// CERTIFICATIONS

## Independently Audited. Download-Ready.

 Four external certifications cover how we run our platform, protect your data, and hand it off across borders. Public reports download instantly. Confidential reports arrive under NDA via the trust portal.

 

  

### ISO 27001

CERTIFIED 2024 · VALID 2027

International standard for information security management. A systematic, risk-based approach to protecting sensitive information.

  [  Download ](https://cdn.scrapfly.io/0.1.241/www/public/compliance/SCRAPFLY-ISO-27001-CERTIFICATE.pdf?version=0.1.241 "Download") 

 

 

 

  

### SOC 2 Type II

AUDITED 2024 · RENEWED ANNUALLY

Independent audit of security, availability, and confidentiality controls over an extended period. The full report is gated for confidentiality. Request access via the trust portal.

 [  Request access ](https://trust.inc/org_695c03cda42fc2450f034183) 

 

 

 

  

### SOC 3

PUBLIC · NO NDA REQUIRED

Public summary of our SOC 2 Type II audit. Same controls, same period, distributable without confidentiality restrictions.

  [  Download ](https://cdn.scrapfly.io/0.1.241/www/public/compliance/SCRAPFLY-SOC-III-CERTIFICATE.pdf?version=0.1.241 "Download") 

 

 

 

  

### GDPR

SCCs MODULE 2 · EEA→US

EU General Data Protection Regulation. Scrapfly processes personal data lawfully with SCCs Module 2 embedded in our DPA for EEA→US transfers.

  [  Download ](https://cdn.scrapfly.io/0.1.241/www/public/compliance/SCRAPFLY-GDPR-CERTIFICATE.pdf?version=0.1.241 "Download") 

 

 

 



 DPA with SCCs is available to Enterprise customers.

 






   

 ---

// CONTROLS

## Built Like Your Infrastructure. Audited Like Your Bank.

 Encryption, access, vendor vetting, and transfer controls. Same discipline you'd expect from enterprise infrastructure, applied to every customer on every plan.

 

 ### End-to-End Encryption

Your data is encrypted in transit with TLS 1.2+ and at rest with AES-256. Keys are managed by our cloud provider's HSM-backed KMS and rotated on a defined schedule. No plain-text customer data ever touches disk.

TLS 1.2+ in transit

AES-256 at rest

HSM-backed KMS

scheduled rotation

 

 



 

 

 ### Access Control

Role-based access with enforced multi-factor authentication for every employee touching production. Every admin action is logged, reviewed, and tied to a named identity. No shared credentials, ever.

**RBAC** least privilege

**MFA** enforced

**audit** trails

 

 



 

 ### Vendor Due Diligence

Every sub-processor is vetted for security posture and documented in our Data Processing Agreement. We disclose who touches your data, where they're located, and what they do with it. No hidden hops, no surprise third parties.

sub-processor list

SCCs Module 2

security review

disclosed in DPA

 

 



 

 

 ### International Transfers

EEA→US transfers are covered by Standard Contractual Clauses (Module 2) embedded in our DPA. Enterprise customers can download the signed instrument for their records.

 



 

 ### Breach Notification

If a personal data breach occurs we notify affected customers within 36 hours. That's half of GDPR's 72-hour window, with scope, impact, and mitigation detail included in the first message.

 



 

### Retention & Deletion

Service data is deleted after termination under the terms of the DPA. Financial records (invoices, payment history) and anti-fraud signals are retained longer where law requires it (accounting obligations) or where security requires it (preventing banned actors from re-registering).

 



 

 

 

 ---

// LEGAL PACKAGE

## The Paper Trail Your Legal Team Expects

 Self-serve DPA with SCCs, a privacy policy written to be readable, acceptable-use terms, and our KYC process. Everything is published. Nothing hides behind a sales call.

 

### [Data Processing Agreement](https://scrapfly.io/data-processing-agreement)

The DPA between you and Scrapfly, including sub-processor disclosures and SCCs Module 2.

### [Privacy Policy](https://scrapfly.io/privacy-policy)

How Scrapfly collects, uses, and protects the information that results from your use of our service.

### [Terms of Service](https://scrapfly.io/terms-of-service)

The terms governing your use of Scrapfly products, subscriptions, acceptable use, and refunds.

### [KYC & Safety](https://scrapfly.io/kyc-and-safety)

How we verify customers, assess use cases, and refuse service where misuse is likely.

 

 

 ---

// PROCUREMENT

## Ready for your security review?

 All compliance documentation, audit reports (under NDA), and sub-processor lists live on our [trust portal](https://trust.inc/org_695c03cda42fc2450f034183). Security questionnaires and vendor risk assessments flow through the same place. For direct legal questions, reach the team at <legal@scrapfly.io>.

 

 [  Visit Trust Portal ](https://trust.inc/org_695c03cda42fc2450f034183) [Start a free account →](https://scrapfly.io/register) 

1,000 free credits. No card.