Security Practices

We are aware that your objective is as vital to you as it is to us, and that information is the foundation of all our enterprises and lives. Because of this, we put the trust of our customers at the core of everything we do, and security is our top concern. We are open and transparent about our security program, so that you can feel informed and use our services with confidence.

Learn more about our security policy and the part that customers can play through this document.

The information on this page applies to Sclera unless otherwise specified.

1. Approach to Security

This section talks about Sclera's security strategy. It covers the important actions and measures we put in place in a variety of security domains, including securing our cloud-based platforms and our own environments, as well as the procedures we follow to guarantee that the products we develop are as safe as possible for users and clients.

Our security philosophy

The following main pillars form the basis of our security strategy:

  • We aspire to be industry leaders in product and cloud security.
  • We aim to fulfill all customer demands for cloud security and to go above and beyond industry norms and certification requirements for security.
  • We are truthful and transparent about our procedures, metrics, and programs.

Our team

Though we know most businesses would say this, we're proud of our security team members. We think we have assembled and developed a team of some of the most talented people in the business. Our security team is in Mangalore, India. The team is continually expanding in recognition of the priority Sclera places on security. We have several smaller teams, such as:

  • Product security — oversees the security of our platform and products.
  • Security intelligence — in charge of identifying and handling security incidents.
  • Red team — responsible for emulating adversaries and maintaining security.
  • Corporate security — oversees the maintenance of the internal security of our network and application.
  • Development and SRE — responsible for building and running tooling for the security team.
  • Awareness and training — in charge of making sure our partners and staff understand how to operate safely.

At Sclera, security is a company-wide commitment. While our dedicated security team continues to grow, every employee plays a vital role in our mission to achieve better security. We strive to be industry leaders in cloud security, meeting and exceeding all customer and regulatory requirements. Our commitment to transparency and excellence is ingrained in our company culture, and these goals are made clear to all our staff throughout their time at Sclera.

2. Securing Our Internal Environment

An effective approach to security starts with getting our own house in order – specifically by keeping our own internal environments secure.

Managing access to our systems and services securely

All systems and services at Sclera have a well-defined mechanism in place for provisioning — that is, assigning or removing — user access. Our access provisioning system and our HR management system are linked by a well-established procedure that runs on an eight-hour sync. To make sure employees only have access relevant to their work roles, we employ role-based access management that is based on preset user profiles. Management must approve each user account before it is granted access to data, apps, infrastructure, or network components.

3. Security in Our Day-to-Day Operations

We aim to integrate security into every aspect of our daily operations, ensuring that it becomes a fundamental part of our processes rather than an afterthought that needs to be added later.

Tracking Our Information Assets

Our production systems are hosted on infrastructure provided by cloud service providers, meaning we do not track them at a hardware level due to the nature of the service. However, the microservices that support our products are monitored through a custom-built "Service" database, which automatically updates whenever a service is deployed. Additionally, our Workplace Technology team manages an inventory of all endpoints.

Managing changes in our environment

Our change management process differs from the traditional approach, which typically involves a hierarchical structure where changes must be presented to a board for approval or denial. Instead, we have adopted an "open source" style approach called "Peer Review."

In this model, any change — whether it's related to code or infrastructure — undergoes a review by one or more peers who assess the potential issues the change could cause. The number of reviewers increases with the importance of the change, or the criticality of the systems affected. This method relies on our engineers to identify and flag potential issues before the change is implemented, providing a more flexible and responsive way to manage changes in our environment.

Managing configurations in our systems

We have a select group of engineers and architects authorized to install software in our production environment. Generally, software installation is restricted. Instead, we use configuration management tools to handle configurations and changes to servers. Any direct changes made to these systems are designed to be overwritten by the approved configurations deployed through these tools, ensuring consistency. Additionally, our Peer Review process requires multiple reviewers to approve any configuration changes made via these tools. To further enhance security, all builds are cryptographically signed, and only these signed builds are permitted to run in our production environment.

Business continuity and disaster recovery management

We place a high priority on the resiliency of our products, especially since we rely on these same products ourselves. We understand that disruptions are inevitable, so we are committed to implementing processes that prepare for and manage disruptions with minimal impact on our customers. Our business continuity (BC) and disaster recovery (DR) programs are designed to encompass the various activities required to achieve these goals.

We continuously monitor a wide range of metrics to detect potential issues early. Based on these metrics, alerts are set up to notify site reliability engineers (SREs) or the relevant product engineering teams when certain thresholds are exceeded, enabling quick action through our incident response process. SREs are also crucial in identifying gaps in the disaster recovery (DR) program and collaborating with our risk and compliance team to address those gaps. Additionally, each team has a designated DR champion who oversees and helps manage disaster recovery efforts for their respective team.

Backups

At Sclera, we have a comprehensive backup program that covers all our internal systems, with backup measures designed to meet specific system recovery requirements. For our Sclera Cloud offerings, including customer and application data, we have extensive backup protocols in place as well. However, these backups are not intended to reverse customer-initiated destructive changes, such as overwritten fields using scripts or deleted issues, projects, or sites. To prevent data loss, we recommend regularly making your own backups.

Physical security

Our physical security controls are guided by our physical and environmental security policy, which ensures that strong security measures are implemented across all our environments, both on-premises and in the cloud. This policy encompasses secure working areas, the safeguarding of IT equipment regardless of location, restricting access to our buildings and offices to authorized personnel, and monitoring physical entry and exit points. Our physical security practices include having reception staff present during work hours, requiring visitors to register, using badge access for all non-public areas, and collaborating with office building management for after-hours access and video surveillance at entry and exit points, including main entrances and loading areas.

Additionally, our partner data centers are at least SOC-2 compliant, which covers various security controls, including physical and environmental protection. Access to these data centers is restricted to authorized personnel and verified through biometric identity checks. Physical security measures at these facilities include on-site security guards, closed-circuit video monitoring, man traps, and other intrusion prevention measures.

4. Keeping Data Secure

We have several measures in place to keep customer data secure and available, and to ensure that customers fully retain control over it where possible.

Encryption of data

To prevent unwanted exposure or alteration, all client data in Sclera cloud solutions is encrypted while it is being transferred over public networks using TLS 1.2+ with Perfect Forward Secrecy (PFS). When allowed by the browser, our TLS implementation mandates the usage of strong ciphers and key lengths.

Sharing the responsibility for managing customer data

The security, dependability, and efficiency of the platform we offer, the systems it operates on, and the environments in which those systems are housed are all under Sclera's control. However, there are four specific areas where security is a shared responsibility between Sclera and our customers:

  • Policy and compliance — ensuring that the system meets customer business needs and is operated in accordance with industry, regulatory and legislative compliance obligations.
  • Users — the creation and management of user accounts.
  • Information — the content customers store within Sclera's cloud.
  • Marketplace apps — third party services which integrate with Sclera products.

While Sclera takes all necessary steps to protect and secure customer data, the security measures customers choose to implement when setting up our products also play a crucial role in overall security. Customers should be mindful of several important considerations when using our products, including:

  • Domain verification and central management of user accounts — Admins from our client companies can verify one or more domains to demonstrate their ownership. By verifying domains, an administrator can apply authentication policies (such as password requirements and SAML) and centrally manage all their employees' Sclera accounts. We strongly advise all of our clients to take this crucial action to help secure access to their accounts and the data accessible through them.
  • Access permissions — Although our products are by their very nature made to facilitate cooperation, customers should nonetheless take care when granting users inside their organizations access to data. They may occasionally allow the public to see the data as well. Sclera has no control over this and cannot in these cases prevent such data being copied or further distributed.

Controlling access to customer data

We have put strict controls on customer data and handle it all with the same level of sensitivity. During the onboarding process, our internal staff members and contractors get awareness training on the significance of and best practices for safeguarding customer data.

Customer data stored in our applications is only accessible by authorized personnel within Sclera. The servers accept SSH connections only from Sclera and internal data center locations, and authentication uses public-key authentication with unique, passphrase-protected keys. Unless requested and approved, access is limited to privileged groups only, and two-factor authentication is required as an additional authentication step.

Data retention

We may retain your information for as long as you continue to use our product, have an account with us, or as necessary to fulfil the purposes outlined in this Policy. You can ask to close your account by contacting us, and we will either delete your information, or move it to "inactive" status where it will no longer be processed.

We may, however, retain personal information for an additional period as is permitted or required under applicable laws, for legal, tax, or regulatory reasons, or for any other legitimate and lawful business purpose.

Customer data deletion request

Customers may request the deletion of their data by submitting a written request to Sclera via email at privacy@sclera.com. The request should include sufficient identification and a clear reason for deletion. Upon receipt of the request, Sclera will verify the customer's identity and confirm the deletion request within 5 business days.

Sclera will then proceed with the deletion of the customer's data within 30 days of confirmation, unless retention is required by law, regulation, or contract. A confirmation of the data deletion will be provided to the customer once the process is complete.

5. Securing Our People

We are committed to ensuring that all our staff understand how to perform their work securely and feel empowered to act on that knowledge. At Sclera, fostering a security mindset is a core aspect of our culture, which helps strengthen our overall resilience against potential cyberattacks.

Security awareness training

To keep security as our top concern, we make sure that every employee takes part in security awareness training both during the onboarding process and on a frequent basis afterward. We also provide security awareness training to our contractors and partners, realizing that the threats they face are frequently the same as those that our team faces. A variety of subjects are covered in our training program, such as modern threats and frauds, safe working procedures, dangerous habits that might result in security flaws, and legal and regulatory requirements.

Beyond general information security training, we offer specialized training for our developers on secure coding practices. Development teams are further supported by having a security engineer embedded within the team to assist with security-related operational tasks.

To ensure accessibility, we maintain open lines of communication between our employees and the security team through instant messaging channels, blog posts, FAQs, and more, making the security team readily available to all Sclera staff.

Protection against threats

To guarantee that vulnerabilities are found and fixed as soon as possible, we have an internal red team whose job it is to mimic attackers trying to find and exploit weaknesses in our environments, systems, and procedures.

Incident response

We have established comprehensive and centralized logging and monitoring for our products and infrastructure to swiftly detect potential incidents. This is supported by a team of highly qualified on-call incident managers with extensive experience in coordinating effective responses. Additionally, we can call upon a range of external experts to help investigate and respond to incidents as effectively as possible.

Security detections program

To enhance our incident management in response to the increasingly complex threat landscape, Sclera has launched a "security detections program." This program involves proactive searches scheduled on Sclera's Security Incident Platform to identify malicious activities targeting Sclera and its customers. The goal is not only to address current threats effectively but also to anticipate and prepare for future threats. Additionally, our security intelligence team has developed a tool to standardize and ensure the consistency and quality of our detections, which we believe is an industry first.

Red team program

The goal of the Sclera Red Team is to constantly improve our defenses against highly skilled attackers. They find social, technical, and physical weaknesses while operating from an antagonistic stance to test our teams' reactions in real-world scenarios. This method assists us in creating and putting into practice efficient security enhancements, improving our ability to assess risks, safeguard our resources, and react to actual attacks.

The Red Team specializes in full-scope adversarial emulation, simulating the actions of the most likely attackers to infiltrate and compromise critical systems. They then notify all relevant parties and collaborate to implement long-term, sustainable solutions for the discovered vulnerabilities.

Key objectives of the Red Team include:

  • Measuring and improving the effectiveness of our Security Intelligence program.
  • Creating significant positive changes in Sclera's security posture and capabilities.
  • Enhancing our understanding of vulnerabilities and our ability to respond to real-world attacks.

6. Further Questions and Inquiries

While our security practices offer a comprehensive overview of our approach, this is a complex area, and Sclera's efforts are extensive. As such, we haven't been able to cover every detail here. If you need more information, please email us at security@sclera.com.

Last Updated Date: August 23, 2024