Trust center

How SCALE handles your sensitive fundraising data

SCALE is built for Indian founders, investors and accelerators handling commercially sensitive financial and diligence material. This page describes the controls we have in product today, the principles we work to, and what is still on the roadmap. We try to be specific rather than marketing — if something is not implemented yet, we say so.

Honest disclosure: SCALE is not currently SOC 2 certified and we do not claim it. We design the product to be SOC 2-aligned so that a future audit is straightforward.

Privacy commitments

  • Data is collected for stated purposes only — see the privacy notice.
  • Consent is granular, can be withdrawn at any time, and is versioned.
  • We do not sell personal data and never use investor activity to train external models.

Security commitments

  • Least-privilege role separation between founder, investor, admin and super-admin.
  • Audit log captures sign-in, profile changes, document access and admin actions.
  • Sensitive surfaces (data room, sharing) show a confidentiality reminder and access status.

Role-based access

  • Founder owns their workspace data and decides what is shared.
  • Investor sees only what was explicitly shared with them.
  • Admin / Super-admin see platform metadata, not founder financials, unless explicitly invited.

Data handling principles

  • Minimise — only what is needed for the stated purpose.
  • Segregate — workspace data is scoped per organisation.
  • Retain only as long as needed; deletion requests are tracked and queued.

DPDPA-aligned consent practices

  • Granular consent per purpose, not a single blanket toggle.
  • Plain-language notice with a public version history.
  • Data Principal rights flow: access, correction, erasure, nomination, withdrawal.
  • Grievance officer contact with tracked tickets and SLA.
  • Sensitive-document sharing shows a confidentiality reminder before access.

Operationalised, not legally certified. See privacy notice.

SOC 2-aligned security practices

  • Access — role-based capabilities and document-level visibility.
  • Authentication — MFA-ready settings surface, session timeout, password reset flow.
  • Audit — central log for login, profile, document, application, feedback, admin and role events.
  • Integrity — workflow state changes (applications, meetings, feedback, commitments) are tracked, not silently mutated.
  • Confidentiality — sharing screens surface who can view, when, and whether access is active.
  • Change management — published change log for auth, RBAC and policy updates.

The product is built to map cleanly to the SOC 2 Trust Services Criteria. Formal Type I / II attestation is on the roadmap below.

Document-sharing safeguards

  • Who can view: every shared document lists the explicit viewers, their organisation and role.
  • When shared: each viewer entry shows the share date and last viewed timestamp.
  • Access status: access can be revoked from the data room; status is reflected immediately on the trust card.
  • Approval state: investors must be approved before access is granted; pending approvals are visible to the founder.
  • Confidentiality reminder: investors see a non-dismissable reminder before viewing sensitive documents.
  • Watermark & download lock (roadmap): per-viewer dynamic watermark and download restrictions.

Availability & reliability

  • Status page: live status and incident history at platform status.
  • Backups (placeholder): daily encrypted backups with 30-day retention (to be enabled with managed backend).
  • Export & recovery: founders can request a workspace export from Settings.
  • Business continuity (placeholder): documented RPO/RTO targets to be published with the Type I package.

Processing integrity

We treat application, meeting, feedback and commitment state as first-class. Every state transition is timestamped and surfaced — no silent status changes.

  • Application stage changes — visible to both sides, captured in audit log.
  • Document requests — tracked from raise to fulfilment.
  • Meeting status — proposed, confirmed, no-show, completed.
  • Feedback state — submitted, acknowledged, surfaced as insights.
  • Commitments — verbal, soft, term sheet, signed.

Reporting a security concern

Suspected vulnerability, unauthorised access or data exposure? Write to security@scale.cumma.in. We acknowledge within one business day.

For privacy questions or to exercise your DPDPA rights, see the Grievance and Rights pages.

Compliance roadmap

  1. Now: product built to SOC 2-aligned controls (access, audit, integrity, confidentiality).
  2. Now: DPDPA-aligned consent, rights and grievance flows live.
  3. Next: penetration test & vulnerability disclosure programme.
  4. Next: SOC 2 Type I readiness assessment.
  5. Later: SOC 2 Type II observation period & attestation.
  6. Later: ISO 27001 alignment for enterprise procurement.

Dates intentionally not promised. We will publish them only when scoped with an auditor.