
Security

Last updated: May 14, 2026

How ScaleUpMedia protects client code, data, and operational information.

ScaleUpMedia operates client ventures, internal systems, software products, automation workflows, and project infrastructure across multiple active engagements.

This page describes the security controls, access policies, data protection practices, AI-agent safeguards, and incident-response procedures we use to protect client code, business information, project data, and operational systems.

Security requirements for a specific engagement may vary based on the scope, industry, data sensitivity, compliance obligations, and infrastructure needs of that venture. Any engagement-specific security requirements are documented in the applicable Engagement Contract, security addendum, data processing agreement, or related written agreement.

1. Scope of This Security Policy

This Security Policy applies to:

  • The ScaleUpMedia website, including scaleupmedia.com
  • The ScaleUpMedia project scoring application, including app.scaleupmedia.com
  • Client venture infrastructure deployed or operated by ScaleUpMedia
  • Internal systems used to deliver ScaleUpMedia services
  • Project documentation, source code, workflows, and operational information managed during client engagements

This page is intended to provide a general overview of ScaleUpMedia's security practices. It does not replace the specific terms of any signed Engagement Contract.

2. Infrastructure Security

ScaleUpMedia uses modern cloud infrastructure, private repositories, managed hosting, managed databases, and enterprise-grade service providers to build, deploy, and operate client ventures.

2.1 Hosting and Networking

Client venture applications are generally deployed on hosting and infrastructure providers such as Vercel, or on other cloud providers where an engagement calls for it.

Our standard infrastructure practices include:

  • Production traffic served over HTTPS.
  • TLS encryption for data in transit.
  • TLS certificate issuance and renewal handled through hosting or infrastructure providers.
  • Infrastructure-layer protections provided by hosting and cloud providers.
  • Environment separation where appropriate for development, staging, and production.
  • Access limited to authorized personnel based on engagement needs.

Where a client engagement requires a different hosting environment, cloud provider, network architecture, or compliance-specific deployment model, those requirements are documented in the applicable Engagement Contract or technical scope.

2.2 Repositories and Source Control

Client venture source code is stored in private repositories.

Our standard source-control practices include:

  • Private repositories for client code.
  • Access limited to authorized ScaleUpMedia personnel, contractors, and approved client team members.
  • Least-privilege access based on role and project need.
  • Pull request and review workflows where appropriate.
  • Separation of client codebases across projects.
  • Removal or adjustment of access when a team member no longer requires it.

Secrets, API keys, credentials, and production environment variables must not be committed to source-code repositories. They are managed through environment configuration, hosting platforms, secret stores, or approved infrastructure tools.

2.3 Databases

Client databases are hosted using managed database providers, cloud database infrastructure, or client-approved infrastructure selected for the engagement.

Our standard database practices include:

  • Encryption in transit.
  • Encryption at rest where supported by the provider.
  • Access controls for authorized users.
  • Separation of client data by project or application architecture.
  • Backups according to provider capabilities and engagement requirements.
  • Database access limited to personnel with a legitimate project need.

Backup retention, recovery procedures, and specific database controls may vary by engagement and are governed by the applicable Engagement Contract or infrastructure plan.

3. Data Protection

3.1 Client Data Handling

Client venture data, source code, customer data, business information, credentials, documentation, and proprietary information remain governed by the applicable Engagement Contract.

ScaleUpMedia uses client information only as needed to deliver the applicable services, operate the engagement, maintain infrastructure, provide support, and fulfill contractual obligations.

ScaleUpMedia does not use client venture IP, proprietary source code, confidential business data, or private client materials to train general AI models without explicit client consent.

3.2 Storage of Client Information

Project documentation, contracts, files, client communications, and engagement materials may be stored in approved business tools, including collaboration, communication, document management, cloud storage, and project management platforms.

These platforms may include tools such as Google Workspace, Slack, Notion, GitHub, Vercel, Supabase, Stripe, and other providers selected for the specific engagement.

Access to client information is limited to authorized personnel and is managed based on project role, business need, and engagement requirements.

3.3 Data Minimization

ScaleUpMedia aims to collect and process only the information needed to deliver the requested service or engagement.

For project scoring and pre-contract evaluation, we may collect information such as:

  • Contact information
  • Project description
  • Business goals
  • Budget range
  • Timeline
  • Technical requirements
  • Market or customer information relevant to scoring

For active engagements, we collect only the information reasonably necessary to build, deploy, support, operate, market, or scale the specific venture.

We do not intentionally collect end-user data belonging to a client's customers unless it is required for the engagement scope, product functionality, testing, migration, support, analytics, or operations.

4. Access Controls

4.1 Internal Access

ScaleUpMedia follows a least-privilege access model.

Access to client repositories, databases, production systems, hosting consoles, credentials, documentation, and internal tools is granted only when necessary for a team member to perform work on a specific engagement.

Our standard access-control practices include:

  • Role-based access where supported.
  • Limited access to production systems.
  • Two-factor authentication where supported by the platform.
  • Access removal when no longer required.
  • Platform-level access logs where available.
  • Review of access when projects change, engagements end, or team roles shift.

4.2 Personnel Confidentiality

ScaleUpMedia personnel, contractors, and collaborators with access to client projects are required to maintain confidentiality.

Confidentiality obligations apply to:

  • Client ideas
  • Business information
  • Source code
  • Credentials
  • Customer data
  • Strategy
  • Financial information
  • Technical architecture
  • Product plans
  • Engagement communications
  • Other sensitive or proprietary information

Confidentiality obligations survive the end of a person's relationship with ScaleUpMedia.

4.3 Client Access

Clients may be granted access to repositories, deployment platforms, dashboards, documentation, project management systems, or other tools as appropriate for the engagement.

Client access is configured based on the scope of work, ownership model, security requirements, and Engagement Contract.

At the end of an engagement, access, ownership, credentials, repositories, and production assets are transitioned according to the applicable Engagement Contract.

5. AI Agent Security

ScaleUpMedia uses AI, automation, internal tooling, and agent-based workflows to improve execution speed, operational quality, software delivery, analysis, and venture operations.

Because AI systems may interact with sensitive project information, ScaleUpMedia applies security controls to how these systems are used.

5.1 Agent Operating Environment

AI agents and automation workflows are configured with scoped access based on the task being performed.

Where possible, agent permissions are limited to the specific tools, files, systems, or environments required for the task.

Agents are not intended to have unrestricted access across unrelated client projects, production systems, financial systems, or client communications.

5.2 Human Approval Gates

ScaleUpMedia uses human review and approval for sensitive actions that could materially affect a client venture.

These may include actions such as:

  • Modifying production systems.
  • Sending client-facing or customer-facing communications.
  • Processing payments.
  • Changing billing settings.
  • Publishing major production updates.
  • Accessing sensitive credentials.
  • Taking actions that may materially affect client data, revenue, or operations.

The approval model may vary by engagement, system architecture, and client requirements.

5.3 Agent Logging and Review

Where supported by the system, agent and automation actions may be logged with relevant details such as timestamps, task descriptions, system activity, tool usage, operator review, and approval context.

Logs may be used for:

  • Debugging
  • Quality assurance
  • Security review
  • Incident investigation
  • Client reporting
  • Audit support
  • Operational improvement

Clients may request additional information about agent activity related to their venture, subject to security, confidentiality, and technical limitations.

6. Incident Response

ScaleUpMedia maintains incident-response practices designed to identify, investigate, contain, remediate, and communicate security incidents.

6.1 Detection and Response

Potential security incidents may be identified through infrastructure monitoring, access logs, provider alerts, team reports, client reports, vulnerability disclosures, or abnormal system behavior.

When a potential incident is identified, ScaleUpMedia's response process may include:

  • Internal escalation.
  • Initial investigation.
  • Containment actions.
  • Access review.
  • Credential rotation where appropriate.
  • Log and system review.
  • Root-cause analysis.
  • Remediation planning.
  • Client communication where applicable.
  • Post-incident review.

The specific response process may vary depending on the nature, severity, and scope of the incident.

6.2 Client Notification

If ScaleUpMedia determines that a security incident affects a specific client engagement, we will notify the affected client without unreasonable delay and in accordance with applicable law and contractual obligations.

Where appropriate, the notification may include:

  • A description of the incident.
  • The systems or data affected.
  • Known or suspected cause.
  • Containment actions taken.
  • Remediation status.
  • Steps the client may need to take.
  • Ongoing monitoring or follow-up actions.

Legal notification timelines may vary depending on the jurisdiction, type of data involved, contractual requirements, and regulatory obligations.

6.3 Post-Incident Review

After a confirmed security incident, ScaleUpMedia may conduct a post-incident review to document:

  • Root cause.
  • Scope of impact.
  • Containment actions.
  • Remediation steps.
  • Lessons learned.
  • Process improvements.
  • Controls implemented to reduce the risk of recurrence.

Affected clients may receive a written summary where appropriate and subject to confidentiality, legal, and security limitations.

7. Third-Party Providers

ScaleUpMedia relies on third-party infrastructure, software, hosting, communication, analytics, payment, AI, and collaboration providers to deliver services.

Providers may include:

  • Hosting and deployment providers.
  • Cloud infrastructure providers.
  • Database and authentication providers.
  • Source-control platforms.
  • Payment processors.
  • AI infrastructure providers.
  • Communication tools.
  • Collaboration platforms.
  • Analytics providers.
  • Project management systems.
  • Security and monitoring tools.

Examples of providers used across ScaleUpMedia systems and engagements may include Vercel, GitHub, Supabase, Stripe, Google Workspace, Anthropic, OpenAI, Slack, Notion, and similar platforms.

Each provider operates under its own security program, certifications, privacy policy, and terms of service.

7.1 Provider Selection

When selecting providers, ScaleUpMedia considers factors such as:

  • Security posture.
  • Reliability.
  • Compliance certifications.
  • Access controls.
  • Encryption practices.
  • Data-processing terms.
  • Operational maturity.
  • Developer experience.
  • Suitability for the client engagement.

7.2 Provider Review

ScaleUpMedia reviews third-party providers as appropriate based on their role in our infrastructure, sensitivity of the data processed, client requirements, provider changes, publicly disclosed incidents, or new engagement needs.

For clients with specific compliance or vendor-review requirements, additional provider review may be documented in the Engagement Contract, security addendum, or client onboarding process.

8. Compliance and Certifications

ScaleUpMedia operates using the security practices described in this policy.

Some client engagements may require specific compliance frameworks, such as HIPAA, SOC 2, PCI DSS, GDPR, CCPA/CPRA, or other industry-specific controls.

When specific compliance obligations apply:

  • Requirements are documented in the Engagement Contract or security addendum.
  • Additional controls may be implemented for that engagement.
  • Client-specific infrastructure may be configured to meet the required standard.
  • Third-party vendors may be selected based on compliance requirements.
  • Audit, reporting, or documentation obligations may be defined in writing.

Unless expressly stated in a signed agreement, ScaleUpMedia does not represent that every engagement, product, or system is certified under a specific compliance framework.

9. HIPAA and Regulated Data

ScaleUpMedia may work on ventures in healthcare, finance, education, and other regulated industries. However, ScaleUpMedia is not acting as a HIPAA Business Associate, regulated financial institution, or regulated data processor unless the applicable written agreements expressly say so.

Clients should not provide protected health information, regulated financial information, education records, children's data, or other regulated information unless the engagement scope requires it and appropriate agreements and controls are in place.

Where required, additional agreements may include a Business Associate Agreement, Data Processing Addendum, security addendum, compliance plan, or other written terms specific to the engagement.

10. ScaleUpMedia Certifications

ScaleUpMedia uses third-party providers that may maintain certifications such as SOC 2, ISO 27001, PCI DSS, or other security and compliance standards.

Unless expressly stated in a signed agreement or published certification report, ScaleUpMedia itself does not represent that every ScaleUpMedia system, product, or engagement is independently certified under SOC 2, ISO 27001, HIPAA, PCI DSS, or any other compliance framework.

Client-specific compliance requirements must be documented in the applicable Engagement Contract, security addendum, data processing agreement, or related written agreement.

11. Vulnerability Disclosure

ScaleUpMedia welcomes responsible disclosure of security vulnerabilities affecting our website, project scoring application, internal tools, or services we operate.

11.1 How to Report a Vulnerability

Please send vulnerability reports to matt@reply.scaleupmedia.com with as much detail as possible, including:

  • Description of the vulnerability.
  • Affected system, page, endpoint, or application.
  • Steps to reproduce.
  • Potential impact.
  • Screenshots or proof-of-concept details, if appropriate.
  • Suggested remediation, if known.
  • Your contact information for follow-up.

11.2 Responsible Disclosure Guidelines

When researching or reporting a vulnerability, please:

  • Do not access, modify, delete, download, or exfiltrate data that is not your own.
  • Do not disrupt, degrade, or interrupt ScaleUpMedia systems.
  • Do not perform denial-of-service testing.
  • Do not use social engineering, phishing, or physical attacks.
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to investigate and remediate it.
  • Act in good faith and within the scope of responsible disclosure.

11.3 What to Expect

After receiving a vulnerability report, ScaleUpMedia will review the submission and investigate as appropriate.

We aim to acknowledge valid vulnerability reports within five business days.

The time required to investigate and remediate a vulnerability may vary depending on severity, scope, affected systems, third-party dependencies, and client impact.

We do not currently operate a paid bug bounty program. Submission of a report does not guarantee compensation.

ScaleUpMedia does not intend to pursue legal action against researchers who act in good faith, follow responsible disclosure practices, avoid privacy violations, avoid service disruption, and do not access, modify, download, destroy, or disclose data that does not belong to them.

12. Security Questions and Contact

For questions about ScaleUpMedia's security practices, security inquiries from prospective clients, vulnerability reports, or requests for additional security documentation for an engagement, contact:

ScaleUp Media, LLC
8805 Tamiami Trail, Suite 183
Naples, FL 34108
United States

Email: matt@reply.scaleupmedia.com