For procurement teams

Procurement package.

ScrambleID is an enterprise authentication platform. Vendor category: passwordless multi-factor authentication. It overlays your existing identity provider (Okta, Microsoft Entra ID, Ping Identity, Auth0); it does not replace it.

Documentation for vendor risk assessment, legal review, privacy review, and finance onboarding. Single intake form. Package delivered as one download. Response to follow-up inquiries: one business day.

procurement@scrambleid.com

Vendor profile

The platform replaces static credentials (passwords, API keys, OTP shared secrets) with per-event cryptographic verification across voice, web, agent, people-to-people, and frontline channels. Common deployments: workforce authentication, customer authentication, AI agent authentication, and contact center caller verification.

The package

Package contents.

33 documents organized by review phase. Delivered as a single download following intake form submission. Items also published openly on the canonical site are listed in the Public References section and accessible without intake.

33 documents, 4 review phases

01 Vendor risk and security review (11 documents)

Document | Description | Format | Updated
SOC 2 Type II Report | Full annual audit covering Security, Availability, and Confidentiality. Rolling 12-month observation window; current report available in the package. | PDF | 2026-01-15
Penetration Test Executive Summary | Continuous third-party penetration testing program; current executive summary. | PDF | Ongoing
Software Bill of Materials | Production SBOM. Regenerated monthly. Includes direct and transitive dependencies. | JSON | 2026-04-30
Security Architecture Overview | Cryptographic primitives, key management, threat model, deployment topology, integration patterns. | PDF | 2026-03-08
Cloud Shared Responsibility Matrix | Customer, ScrambleID, and cloud-provider responsibility allocation by control domain. | PDF | 2026-03-08
Vulnerability Management Program | Severity-tiered patching SLAs, scanning cadence, third-party CVE response process. | PDF | 2026-02-20
Secure SDLC Description | Code review requirements, automated security scanning, dependency review, deployment controls. | PDF | 2026-02-20
Incident Response Plan Summary | Detection, escalation, containment, customer notification (24-hour SLA), post-incident review. | PDF | 2026-02-20
Business Continuity and DR Summary | RTO and RPO targets, geographic redundancy, recovery testing cadence and outcomes. | PDF | 2026-02-20
Logging and Monitoring Architecture | Audit log retention, SIEM integration options, customer log access via API and SFTP. | PDF | 2026-02-20
Personnel Security Policy | Background checks, security training, role-based access provisioning, separation procedures. | PDF | 2026-02-20

02 Legal and contracts (9 documents)

Document | Description | Format | Updated
Master Services Agreement Template | Redline-ready DOCX. Standard enterprise terms, mutual indemnification, 12-month default term. | DOCX | 2026-03-15
Data Processing Addendum | GDPR Article 28 processor terms. EU SCC and UK IDTA addenda included. | DOCX | 2026-03-15
Standard Contractual Clauses Annex | EU Commission 2021/914 SCCs with Schrems II supplementary measures. | DOCX | 2026-03-15
UK International Data Transfer Annex | ICO IDTA for UK-to-US transfers, addendum to SCCs. | DOCX | 2026-03-15
Mutual Non-Disclosure Agreement | ScrambleID standard mNDA. Two-year confidentiality term. | DOCX | 2026-03-15
Order Form Template | Standard order form with service tier, term length, billing terms, and add-on fields. | PDF | 2026-03-15
Service Level Agreement Terms | 99.95% monthly uptime commitment. Tiered service credit structure. Maintenance windows. | PDF | 2026-03-15
Insurance Certificate of Liability | Carriers, lines, and limits for cyber, technology E&O, general liability, employer's liability, and umbrella. | PDF | 2026-04-01
Acceptable Use Policy Reference | Current Acceptable Use Policy as referenced in the MSA. (Also available publicly.) | PDF | 2026-03-15

03 Privacy and data handling (7 documents)

Document | Description | Format | Updated
GDPR Readiness Statement | Article 28 compliance, lawful basis, data subject rights process, DPO contact. | PDF | 2026-03-15
US State Privacy Compliance Statement | CCPA, CPRA, CPA, VCDPA, CTDPA, UCPA, TDPSA alignment matrix. | PDF | 2026-03-15
Subprocessors List Snapshot | Current subprocessors with role, region, and data accessed. (Also available publicly and version-controlled.) | PDF | 2026-04-30
Data Retention Policy | Default and customer-configurable retention windows by data category. | PDF | 2026-03-15
Data Subject Rights Process | Access, correction, deletion, portability process. 30-day fulfillment SLA. | PDF | 2026-03-15
Cross-Border Transfer Mechanisms | SCC use, Schrems II Transfer Impact Assessment template, supplementary measures documentation. | PDF | 2026-03-15
Records of Processing Activities (RoPA) | GDPR Article 30 records covering ScrambleID's processing on behalf of customers. | PDF | 2026-03-15

04 Finance and operations (6 documents)

Document | Description | Format | Updated
IRS Form W-9 | Current Form W-9 with EIN and Delaware tax classification. | PDF | 2026-01-01
IRS Form W-8BEN (on request) | Foreign tax certification, provided per customer entity location. | PDF | On request
Banking and ACH Details | Routing, account, and remittance information for AP setup. Delivered via verified channel. | PDF | On request
Payment Terms Summary | Net 30 default. Net 60 Enterprise. Annual and multi-year prepay options with discount schedule. | PDF | 2026-03-15
Corporate Entity Profile | Delaware C-corp registration, federal EIN, D-U-N-S number, state tax registrations. | PDF | 2026-04-01
Customer References | Named customer references with reviewer permission, provided per industry segment. | PDF | On request

Public references

Materials available publicly.

Materials published openly on the canonical ScrambleID site. Accessible without intake form submission.

Response service levels

Response service levels by request type.

Each request category routes to a named contact alias with a stated response SLA.

Request type | Response SLA
Document requests, questionnaires, and follow-up paperwork | Same business day
MSA and DPA redlines, contract negotiation, legal questions | 48 hours
Custom security questionnaires not pre-answered in this package | 3 business days
Architecture review or technical evaluation conversations | Scheduled within 48 hours

FAQ

Common procurement questions.

Questions enterprise procurement reviewers commonly ask, with the supporting documents in the package referenced where applicable.

How is customer data encrypted?

AES-256 at rest. TLS 1.2 minimum, TLS 1.3 preferred in transit. AES-GCM-256 for authenticated encryption of session material and cryptographic state. Customer-managed encryption keys (BYOK) via AWS KMS available on the Enterprise tier.

Who are your subprocessors, and how are changes communicated?

Subprocessors are listed in the Subprocessors List Snapshot document included in the procurement package, with role, region, and data accessed for each. Customers receive 30 days advance notice of new subprocessors via the DPA-designated channel, with the right to object.

What is your breach notification commitment?

24 hours from confirmed incident, in writing to the customer's designated security contact. The 24-hour commitment is written into the standard DPA. Notification includes scope, affected data categories, containment status, and forensic timeline.

What identity providers does ScrambleID integrate with?

Okta, Microsoft Entra ID, Ping Identity, Auth0, OneLogin, Google Workspace, and ADFS. Standard SAML 2.0, OIDC, and OAuth 2.0 federation. SCIM 2.0 for user lifecycle. Custom IdP integrations available on the Enterprise tier.

What audits and certifications does ScrambleID currently hold?

SOC 2 Type II current. NIST SP 800-63-4 AAL3 alignment. Third-party penetration test executive summary and supporting attestation documents included in the procurement package per the package contents above. For specific certification requirements not listed, contact security@scrambleid.com.

Is ScrambleID in scope for HIPAA, and do you sign a BAA?

ScrambleID is not in HIPAA scope and does not act as a Business Associate. The platform does not process protected health information (PHI). Authentication events processed by ScrambleID contain only identity verification material (cryptographic proof of authentication), with no associated health information.

Healthcare organizations using ScrambleID to authenticate users or workforce members can deploy the platform without bringing it into HIPAA scope, because no PHI flows through ScrambleID. For procurement form purposes, ScrambleID can be marked "not applicable" or "out of scope" for HIPAA. No BAA is required.

Is ScrambleID in scope for PCI DSS?

ScrambleID is not in PCI DSS scope. The platform does not process, store, or transmit cardholder data (CHD) or sensitive authentication data (SAD) as defined by the PCI Security Standards Council. Authentication tokens issued by ScrambleID are not in PCI scope.

Customers processing card payments may use ScrambleID to authenticate access to systems where cardholder data resides; cardholder data itself does not flow through ScrambleID. For procurement form purposes, ScrambleID can be marked "not applicable" for PCI DSS.

Is ScrambleID in scope for GLBA?

ScrambleID is not a financial institution under the Gramm-Leach-Bliley Act and does not collect or maintain consumer financial information or nonpublic personal information (NPI) as GLBA defines those terms.

Financial-services customers using ScrambleID for workforce or customer authentication retain their own GLBA obligations; the ScrambleID platform itself does not bring GLBA scope to the vendor relationship. For procurement form purposes, ScrambleID can be marked "not applicable" for GLBA. We support customers' Safeguards Rule documentation through the standard DPA terms and the artifacts in the procurement package.

Is ScrambleID in scope for FedRAMP, FERPA, or SOX?

FedRAMP: ScrambleID is commercial software and does not currently hold FedRAMP authorization. Federal agencies should contact us directly to discuss roadmap timing.

FERPA: Not applicable. ScrambleID does not process student education records and is not a "school official" under FERPA. Educational institutions using ScrambleID for authentication do not transmit education records through the platform.

SOX: Not directly applicable to ScrambleID. For SOX-relevant procurement reviews (controls over financial reporting systems), the SOC 2 Type II attestation is the standard third-party evidence of operational controls for a vendor in this role. The full report is included in the package.

What is your business continuity and disaster recovery posture?

Recovery time objective (RTO) and recovery point objective (RPO) targets are stated in the BCP/DR Summary. Geographic redundancy across multiple AWS regions. Recovery testing performed quarterly with documented outcomes. Full BCP/DR Summary included in the procurement package.

What are your standard contract terms?

12-month default MSA term with auto-renewal and 60-day non-renewal notice. Net 30 payment terms; Net 60 available for Enterprise. Multi-year prepay available with discount. Termination for material breach with 30-day cure period. Standard MSA, DPA, and SLA templates included in the procurement package.

What is your uptime SLA?

99.95% monthly uptime commitment with tiered service credit structure for missed SLAs. Excludes scheduled maintenance with 7-day advance notice. Live status, current incidents, and historical uptime at status.scrambleid.com.

How are data export and data subject rights handled?

Self-service JSON export through the admin console. Full account export with audit logs and historical events available by request to privacy@scrambleid.com, delivered within 7 business days in JSON or CSV.

Data subject rights requests (access, correction, deletion, portability) processed within 30 calendar days with certificate of deletion provided. Backup retention is 35 days; data is cryptographically unrecoverable thereafter.

Will ScrambleID complete custom security questionnaires?

Yes. Custom security questionnaires are completed within 3 business days. Submit to security@scrambleid.com or include in the procurement package request.

Are customer references available?

Yes. Named customer references with reviewer permission, matched to industry segment, available on request. References are provided after a mutual NDA is in place. Contact procurement@scrambleid.com.

Who is the primary contact for procurement at ScrambleID?

procurement@scrambleid.com with same-business-day response on weekdays, 9 AM to 6 PM Eastern. For technical questions during procurement, schedule a 30-minute call at calendly.com/scrambleid/30-minute-meet.

For questions not listed, contact procurement@scrambleid.com. Response SLA: one business day.

Contacts

You can't attest to what an AI did if its identity was only asserted.

ScrambleID makes every agent action provable, not asserted, so it clears your review. Primary contacts by request type, with response service levels, below.

Request type | Response SLA
Procurement, paperwork, questionnaires | Same business day
Legal, contracts, redlines | 48 hours
Architecture, technical evaluation | Scheduled within 48 hours