Security & Privacy Overview

TL;DR: Scrollbook uses enterprise-grade security including encryption at rest and in transit, multi-tenant isolation, AWS infrastructure, and GDPR compliance.

Security Highlights:

• Encryption: AES-256 at rest, TLS 1.3 in transit
• Infrastructure: AWS with VPC, isolated subnets
• Authentication: Discord OAuth2 + JWT tokens
• Isolation: Guild-based multi-tenancy
• Compliance: GDPR, SOC 2 Type II (in progress)

Table of Contents

• Security Architecture
• Data Encryption
• Authentication & Authorization
• Multi-Tenant Isolation
• Infrastructure Security
• API Security
• Privacy Practices
• Compliance
• Incident Response

Security Architecture

Defense in Depth

Scrollbook implements multiple layers of security:

Layer 1: Network (VPC, Security Groups, WAF)
    ↓
Layer 2: Application (Input validation, CSRF protection)
    ↓
Layer 3: Authentication (OAuth2, JWT, RBAC)
    ↓
Layer 4: Data (Encryption, Access Control)
    ↓
Layer 5: Monitoring (Logs, Alerts, Audit Trail)

Security Principles

1. Least Privilege

• Users can only access their own data
• DMs can only manage their campaigns
• Admins have minimal permissions
• API keys scoped to necessary operations

2. Defense in Depth

• Multiple security layers
• No single point of failure
• Redundant protections

3. Secure by Default

• Encryption enabled automatically
• Secure defaults for all settings
• No opt-in required for security features

4. Transparency

• Open documentation
• Clear privacy policies
• Incident disclosure

Data Encryption

Encryption at Rest

What's Encrypted:

• All database data (PostgreSQL 16)
• File storage (S3)
• Backups and snapshots
• Secrets (AWS Secrets Manager)

Encryption Details:

• Algorithm: AES-256
• Key Management: AWS KMS (Key Management Service)
• Key Rotation: Automatic annual rotation
• Compliance: FIPS 140-2 validated

What This Means: Even if someone gains physical access to servers, data is unreadable without encryption keys.

Encryption in Transit

What's Encrypted:

• All API requests (HTTPS)
• Discord bot communication
• Database connections
• Service-to-service communication

Encryption Details:

• Protocol: TLS 1.3 (minimum TLS 1.2)
• Cipher Suites: Strong ciphers only (AES-GCM)
• Certificate Authority: AWS Certificate Manager
• HSTS: Enabled (forces HTTPS)

What This Means: All data traveling over the internet is encrypted and cannot be intercepted.

Sensitive Data Handling

Secrets (encrypted with KMS):

• Discord bot tokens
• API keys
• JWT signing keys
• Anthropic API keys
• Database credentials

PII (Personally Identifiable Information):

• Discord user IDs (hashed in logs)
• Email addresses (encrypted in database)
• IP addresses (hashed, retained for 7 days)

What We Don't Store:

• Discord passwords (handled by Discord)
• Credit card details (handled by Stripe)
• Unencrypted API keys
• Session transcripts longer than 90 days

Authentication & Authorization

Discord OAuth2

How It Works:

User → Discord: Log in
Discord → User: Authorization code
User → Scrollbook: Code
Scrollbook → Discord: Exchange code for token
Discord → Scrollbook: Access token
Scrollbook → User: JWT session token

Benefits:

• No password storage (handled by Discord)
• 2FA support (if enabled on Discord)
• Secure token exchange
• Revocable access

JWT (JSON Web Tokens)

Token Structure:

Header (algorithm + type)
  + Payload (user claims)
  + Signature (HMAC-SHA256)

Token Details:

• Algorithm: HS256 (HMAC with SHA-256)
• Expiration: 30 days
• Signing Key: Rotated quarterly
• Claims: user_id, discord_id, roles, tier

Storage:

• Web App: HttpOnly cookies (not accessible to JavaScript)
• API: Bearer token in Authorization header

Security Features:

• Tokens are signed (can't be tampered with)
• Short expiration (30 days)
• Revocable (logout invalidates)
• Scoped to specific permissions

Role-Based Access Control (RBAC)

Roles:

Permission Checks:

• Every API request checks user permissions
• Every Discord command verifies role
• Database queries filter by user access
• No horizontal privilege escalation

Example:

User tries to delete character:
1. Check: Is this user's character?
2. Check: Or is user the campaign DM?
3. Check: Or is user an admin?
4. If all fail → 403 Forbidden

Multi-Tenant Isolation

Guild-Based Isolation

What It Means:

Each Discord server (guild) is a separate "tenant":

• Guild A's data is isolated from Guild B
• Users in Guild A can't see Guild B's campaigns
• Database queries filter by discord_guild_id
• No cross-guild data access

Implementation:

-- Every query includes guild filter
SELECT * FROM campaigns
WHERE discord_guild_id = 'guild_123'
  AND user_id = 'user_xyz';

-- Prevents:
SELECT * FROM campaigns
WHERE user_id = 'user_xyz';
-- ^^^ Would leak data across guilds!

Security Benefits:

• Data privacy between servers
• Prevents information leaks
• Supports multi-server usage
• Complies with Discord ToS

Current Status

In Development:

As noted in launch_plan.md:

• Current Grade: C+ (63/100) - NOT production ready
• Status: 12-14 weeks of hardening required
• Critical Gaps: Guild isolation vulnerabilities in some queries

Phase 1 Hardening (In Progress):

• Adding guild_id validation to all repository methods
• Implementing query-level security checks
• Adding integration tests for isolation
• Audit trail for data access

Expected Completion: Q1 2025

Infrastructure Security

AWS Architecture

Services Used:

CloudFront (CDN) → ALB (Load Balancer)
    ↓
ECS Fargate (Containers)
    ├── API Service (private subnet)
    ├── Bot Service (private subnet)
    └── Frontend (public subnet)
    ↓
RDS PostgreSQL (isolated subnet)
Redis (private subnet)
S3 (private buckets)

Network Security:

VPC (Virtual Private Cloud):

• Isolated network per environment
• Public, private, and isolated subnets
• NAT Gateway for outbound only

Security Groups (Firewalls):

• ALB: Allow 80/443 from internet
• ECS: Allow traffic from ALB only
• RDS: Allow traffic from ECS only
• Redis: Allow traffic from ECS only

No Direct Internet Access:

• Database not publicly accessible
• Backend services in private subnets
• All outbound via NAT Gateway

VPC Endpoints:

• S3 (no internet required)
• ECR (container registry)
• Secrets Manager
• CloudWatch Logs

DDoS Protection

AWS Shield Standard:

• Automatic DDoS protection
• Network layer (L3/L4) protection
• No additional cost

CloudFront:

• Edge caching reduces origin load
• Rate limiting at edge
• Geographic restrictions (if needed)

Application-Level:

• Rate limiting (SlowAPI framework)
• Request throttling
• Input validation

Monitoring & Logging

CloudWatch:

• Application logs (retained 30 days)
• Metrics and alarms
• Automated alerts

Logging:

• All API requests logged
• Authentication events logged
• Security events (failed auth, rate limits)
• Audit trail for data changes

Alerts:

• Failed login attempts (>10/minute)
• Rate limit exceeded
• Database errors
• Service downtime

API Security

Rate Limiting

Tiers:

Implementation:

• Token bucket algorithm
• Per-user, per-endpoint limits
• Graceful degradation (429 response)
• Retry-After header provided

Prevention:

• Abuse and scraping
• Accidental infinite loops
• Resource exhaustion

Input Validation

All inputs validated:

• Type checking (string, int, UUID)
• Length limits (max 255 chars for names)
• Format validation (email, URL, UUID)
• SQL injection prevention (parameterized queries)
• XSS prevention (output encoding)

Example:

# User input
campaign_name = request.json.get("name")

# Validation
if not isinstance(campaign_name, str):
    raise ValidationError("Name must be string")
if len(campaign_name) > 255:
    raise ValidationError("Name too long")
if contains_sql_keywords(campaign_name):
    raise ValidationError("Invalid characters")

# Safe to use
campaign.name = campaign_name

CORS (Cross-Origin Resource Sharing)

Allowed Origins:

• https://scrollbook.app
• https://*.scrollbook.app
• http://localhost:3000 (development only)

Prevented:

• Random websites can't call our API
• XSS attacks from other sites
• CSRF attacks

API Token Security

Token Format:

sk_live_abc123xyz789
sk_test_abc123xyz789

Security:

• Prefix indicates environment (live/test)
• Random 20+ characters
• Stored hashed in database (bcrypt)
• One-time display (on creation)
• Revocable (delete token)

Best Practices:

• Never commit tokens to Git
• Use environment variables
• Rotate quarterly
• Use separate tokens per environment

Privacy Practices

Data We Collect

Required (for functionality):

• Discord user ID
• Discord username
• Server/guild memberships
• Campaign and character data you create

Optional (for features):

• Email (for billing receipts)
• Payment info (via Stripe, not stored by us)

Automatically Collected:

• IP address (hashed, 7-day retention)
• Session data (30-day retention)
• AI interaction logs (90-day retention)
• Error logs (30-day retention)

Data We DON'T Collect

Never Collected:

• Discord passwords
• Private Discord messages (outside game sessions)
• Messages in channels bot isn't in
• Voice recordings
• Location data
• Device fingerprints (beyond basic User-Agent)

Data Retention

After Account Deletion:

• 30-day grace period
• Complete data removal
• Anonymization in logs

Data Sharing

We Share Data With:

Third-Party Services:

• Discord: For authentication
• Anthropic: For AI (campaign context only)
• Stripe: For payments
• AWS: For hosting
• Sentry: For error tracking (no PII)

We DON'T:

• Sell your data
• Share with advertisers
• Train AI on your campaigns
• Share across guilds
• Public data leaks

Compliance

GDPR (General Data Protection Regulation)

Rights We Support:

1. Right to Access

• Settings → Data Export
• Download all your data (JSON/PDF)

2. Right to Rectification

• Edit characters, campaigns anytime
• Contact support for corrections

3. Right to Erasure ("Right to be Forgotten")

• Settings → Delete Account
• Complete data removal within 30 days

4. Right to Data Portability

• Export data in machine-readable format (JSON)
• Import to other platforms (manual)

5. Right to Object

• Opt out of analytics
• Opt out of email notifications

Legal Basis:

• Contract: Providing services you signed up for
• Legitimate Interest: Security, fraud prevention
• Consent: Marketing emails (opt-in only)

GDPR Contact: privacy@scrollbook.app

SOC 2 Type II (In Progress)

Expected Completion: Q2 2025

Audit Scope:

• Security controls
• Availability (uptime)
• Confidentiality
• Privacy practices

PCI DSS

Not Applicable - We use Stripe for payment processing:

• Stripe is PCI Level 1 certified
• We never touch card data
• Stripe handles all sensitive payment info

Incident Response

Security Incident Process

1. Detection (0-5 minutes)

• Automated monitoring
• User reports
• Security scans

2. Assessment (5-15 minutes)

• Severity classification
• Impact scope
• Data affected

3. Containment (15-30 minutes)

• Isolate affected systems
• Disable compromised accounts
• Block malicious IPs

4. Eradication (30 minutes - hours)

• Remove threat
• Patch vulnerabilities
• Update security rules

5. Recovery (hours - days)

• Restore services
• Verify security
• Monitor for recurrence

6. Post-Incident (within 7 days)

• Root cause analysis
• Implement fixes
• Update procedures
• Notify affected users (if required)

Disclosure Policy

We Notify Users When:

• Data breach occurs
• Unauthorized access detected
• System compromise

Within:

• 72 hours (GDPR requirement)
• Via email and Discord
• Public status page update

Information Provided:

• What happened
• What data was affected
• What we're doing about it
• What you should do

Bug Bounty Program

Coming Q2 2025

Report security issues:

• security@scrollbook.app
• Responsible disclosure encouraged
• Recognition for valid reports

In Scope:

• API vulnerabilities
• Authentication bypasses
• Data leaks
• XSS, CSRF, injection flaws

Out of Scope:

• Social engineering
• Physical attacks
• Third-party services (Discord, AWS, etc.)

Best Practices for Users

Protect Your Account

1. Secure Your Discord

• Enable 2FA (two-factor authentication)
• Use strong, unique password
• Don't share Discord credentials

2. Protect API Tokens

• Never commit to Git
• Use environment variables
• Rotate regularly
• Revoke unused tokens

3. Campaign Security

• Only invite trusted players
• Use private Discord channels
• Don't share sensitive campaign info publicly

What to Do If Compromised

Suspected Discord Account Hack:

1. Reset Discord password immediately
2. Enable 2FA
3. Revoke Scrollbook authorization
4. Re-authorize with new credentials

Suspected API Token Leak:

1. Revoke token immediately (Settings → API)
2. Generate new token
3. Update all services
4. Review recent API usage

Suspected Data Breach:

1. Contact security@scrollbook.app
2. Provide details (what, when, how)
3. We'll investigate and respond within 24 hours

Security Roadmap

Current Focus (Q1 2025)

Phase 1: Hardening

• Guild isolation enforcement
• Query-level security audits
• Integration test coverage (80%)
• Penetration testing
• Security documentation

Grade Target: B+ (85/100)

Upcoming (Q2 2025)

Phase 2: Advanced Security

• SOC 2 Type II certification
• Bug bounty program
• Advanced threat detection
• Automated security scanning (CI/CD)
• Security training for team

Grade Target: A (95/100)

Future (Q3 2025)

Phase 3: Enterprise

• SSO (SAML, OIDC)
• Advanced audit logging
• Custom data residency
• Compliance certifications (ISO 27001)

Related Resources

• Privacy Policy - Full privacy policy
• GDPR Information - GDPR compliance details
• Terms of Service - Legal terms
• Data Export - Export your data
• API Security - API authentication guide

Questions?

Security Questions: security@scrollbook.app Privacy Questions: privacy@scrollbook.app General Support: Contact Us

Last Updated: 2025-12-05 Version: 1.0 Security Grade: C+ (63/100) - Hardening in progress Next Audit: 2025-03-01 Maintained by: Security Team