Security
Sign-in and access
- No passwords held by us. Sign-in is Google OAuth or WorkOS; Orgscout receives only your verified email address and never stores a credential.
- Workspace allowlist. Only explicitly invited email addresses can sign in at all; everyone else stops at the door.
- Per-engagement membership. Access is granted engagement by engagement with viewer, editor, or owner roles. No membership row, no access; checks fail closed.
- Clean-team visibility scopes. A member can be restricted to one heritage organization and/or one department, with compensation masked. Scoped members are read-only, and the money roll-ups they see cover only their slice and are flagged as such.
Data isolation
- Single-tenant deployment. The application and its Postgres database run as a dedicated deployment, not a shared multi-tenant pool.
- Engagement-keyed storage. Every workforce fact, document, and event is keyed to its engagement; queries are engagement-scoped at the SQL layer.
- Private networking. The application reaches Postgres over the host's private network; the application's data path does not expose the database to the public internet.
- Verifiable deletion. Deleting an engagement removes its rows from every table in one transaction and reports per-table counts, so the wipe is checkable rather than assumed.
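The engagement-scoped deletion described above, as an added illustration that is not Orgscout's own code: every table is keyed by engagement_id, the wipe runs in one transaction, per-table counts are returned, and a post-delete count check turns any surviving row into a rollback. sqlite3 stands in for Postgres so it runs offline; the table names and sample rows are constructed.

```python
import sqlite3

# Constructed stand-in schema: every table carries an engagement_id column.
# sqlite3 replaces Postgres here so the example runs offline; table names
# come from this fixed tuple, never from user input.
TABLES = ("workforce_facts", "documents", "events", "memberships")

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None  # no implicit transactions; BEGIN/COMMIT are explicit
    for t in TABLES:
        conn.execute(f"CREATE TABLE {t} (id INTEGER PRIMARY KEY, "
                     "engagement_id INTEGER NOT NULL, payload TEXT)")
    return conn

def seed(conn):
    # Constructed sample rows for two engagements (1 and 2).
    for t, eid, payload in [("workforce_facts", 1, "a"), ("workforce_facts", 1, "b"),
                            ("workforce_facts", 2, "c"), ("documents", 1, "d"),
                            ("events", 1, "e"), ("events", 2, "f"),
                            ("memberships", 1, "owner:alice@example.com")]:
        conn.execute(f"INSERT INTO {t} (engagement_id, payload) VALUES (?, ?)", (eid, payload))

def remaining(conn, engagement_id):
    """Per-table count of rows still keyed to engagement_id (the check)."""
    return {t: conn.execute(f"SELECT COUNT(*) FROM {t} WHERE engagement_id = ?",
                            (engagement_id,)).fetchone()[0] for t in TABLES}

def delete_engagement(conn, engagement_id):
    """Remove every row keyed to engagement_id from every table in one
    transaction and return {table: rows_deleted}. Any surviving row aborts
    and rolls back the whole wipe, so a partial deletion is never reported
    as success. Rows of other engagements are untouched by construction."""
    counts = {}
    conn.execute("BEGIN")
    try:
        for t in TABLES:
            cur = conn.execute(f"DELETE FROM {t} WHERE engagement_id = ?", (engagement_id,))
            counts[t] = cur.rowcount
        leftover = remaining(conn, engagement_id)
        if any(leftover.values()):
            raise RuntimeError(f"rows survived deletion: {leftover}")
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return counts
```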
Accountability
- Append-only decision record. Every disposition, scenario change, import, document upload, and membership change is recorded with who made it and when. Nothing is edited in place.
- Reproducible numbers. All money math is integer cents under a versioned calculation, so any figure can be recomputed and matched to the cent.
AI
- Minimal context. The built-in assistant (Cal, on the Anthropic API) receives the question asked plus the engagement aggregates needed to answer it, not bulk exports.
- No training on your data. Customer data is not used to train models, neither by us nor under the API configuration we use.
- Metered and logged. Every AI call is recorded with its cost against a spend cap, so AI usage is observable and bounded.
Transport and storage
- TLS everywhere. All traffic is encrypted in transit; Cloudflare fronts the public domain.
- Files in object storage. Uploaded documents live in Cloudflare R2 under per-engagement, per-document keys.
Questions
Security reviews and questionnaires: josh@orgscout.io. See also the privacy policy.