Security & Privacy

Scaled Access applies the principle of least privilege and offers personalized, fine-grained access.

Comprehensive security framework

  • Rule based access control
  • Event stream for monitoring, audit & fraud detection
  • Zero trust infrastructure
  • Consent enforcement 2.0
  • Casual credentials sharing prevention
  • No storage of personally identifiable information
  • APIs are OAuth 2.0 protected
  • Robust user authentication through Identity Provider integration

Access control

Rule based access control

Scaled Access lets organizations build authorization policies for their specific business needs. They decide who can do what, on what, and under what conditions.

Least privilege access

Scaled Access applies the principle of least privilege and offers personalized, fine-grained access. Our configurable attribute-based access policy lets organizations implement micro-segmentation and determine granular access to content, data or functionality.

Secure access sharing

We’ve focused on solving the Achilles’ heel of security: the casual credential sharing by users who need to collaborate or exchange information fast. If organizations allow it, users can simply invite others to get access as well. All invitees need to register first, which makes them visible to the organization.

Consumers have the final say

Consumers are in control and can revoke the access they’ve given to others or refuse access to resources that someone else has shared.

Secure platform

Zero trust

Scaled Access offers a zero trust approach. We automatically verify every single access request. Our cloud-based platform provides a more secure alternative to long sessions by issuing short-lived access tokens for verified requests.

Single authorization responsibility

Our loosely coupled architecture is lean, with a single authorization responsibility allowing us to easily split policy management from your application lifecycle.

Secure tokens, not cookies

Access permissions are given through secure OAuth 2.0 JWT access tokens and not via cookies.

Cookies remain stored within the browser memory, which hackers can obtain through malware and reuse for an impersonation attack. Tokens have short lifespans and are difficult to intercept.

Plus, tokens are more versatile as they are device independent, and they work on mobile apps as well as during private browsing.

Security information and event management

All events are captured for storage in your security information and event management (SIEM) tool. Organizations can use this activity data for monitoring, reporting or auditing purposes. They can apply machine learning for fraud prevention and detection as well.

Robust user authentication

We facilitate robust user authentication through seamless integration with the most widely used Identity Providers.
No personally identifiable information

Our access tokens only represent the permissions granted. They do not include any personally identifiable information (PII).

This shields your applications from handling personal data. It also means that information identifying the subject, their password, and the reason permission was given remain hidden and cannot be intercepted.

An example of the decoded payload of such an access token: the subject is an opaque identifier, and the only custom claim describes a relationship (here, that the subject is a sport member of a subscription):

  {
    "": [
      {
        "relationshipType": "is_sport_member_of",
        "to": {
          "id": "ce55bd7e-2b78-446d-b73e-b3c26ab90096",
          "type": "subscription"
        }
      }
    ],
    "iss": "",
    "sub": "auth0|5f461b89e71ba00068c82a20",
    "aud": [],
    "iat": 1599123105,
    "exp": 1599130305,
    "azp": "ZzObVv7phuhCPWM4eKSnTxfghvD93zkG",
    "scope": "openid profile email"
  }
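The three token properties described above (every request is verified, tokens are short-lived, and the payload carries permissions but no PII) can be checked at the resource server before any access decision is made. The following is an added example, not Scaled Access code: it verifies an HS256-signed JWT with the standard library only, enforces the expiry, rejects a payload that carries PII claims, derives an allow/deny decision from a relationship claim shaped like the one in the sample payload, and emits a PII-free audit event for the SIEM stream. The shared secret, the namespaced claim name `https://example.org/relationships`, the issuer and audience URLs, and the list of PII claim names are constructed assumptions; the subject, client id and timestamps are taken from the sample payload.

```python
# Added example (not Scaled Access code): verify a short-lived HS256 JWT,
# reject PII in the payload, decide access from a relationship claim, and
# emit an audit event. Secret, claim name, issuer/audience and the PII
# claim list are constructed assumptions for this example.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-shared-secret"                          # constructed demo key
RELATIONSHIP_CLAIM = "https://example.org/relationships"   # assumed namespaced claim
PII_CLAIMS = {"email", "name", "given_name", "family_name",
              "phone_number", "address", "birthdate"}      # assumed PII claim names


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact HS256 JWT; only here so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = SECRET, audience=None, now=None) -> dict:
    """Return the payload only if algorithm, signature, expiry, audience and
    the no-PII rule all hold; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":               # pin the algorithm, never accept "none"
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if now >= payload.get("exp", 0):               # short lifetime is only useful if enforced
        raise ValueError("token expired")
    if payload.get("iat", now) > now + 60:         # small clock-skew allowance
        raise ValueError("token issued in the future")
    if audience is not None and audience not in payload.get("aud", []):
        raise ValueError("audience mismatch")
    pii = PII_CLAIMS.intersection(payload)
    if pii:
        raise ValueError(f"token carries PII claims: {sorted(pii)}")
    return payload


def is_allowed(payload: dict, relationship: str, target_type: str, target_id: str) -> bool:
    """Relationship-based check: does the subject hold `relationship` to the target?"""
    for rel in payload.get(RELATIONSHIP_CLAIM, []):
        to = rel.get("to", {})
        if (rel.get("relationshipType"), to.get("type"), to.get("id")) == \
                (relationship, target_type, target_id):
            return True
    return False


def audit_event(payload: dict, decision: bool, resource: str) -> dict:
    """Structured event for the SIEM stream: opaque subject id, no PII."""
    return {"ts": int(time.time()), "sub": payload["sub"], "azp": payload.get("azp"),
            "resource": resource, "decision": "allow" if decision else "deny"}


# Constructed sample claims, following the shape of the sample payload above
# (a 2-hour lifetime: exp - iat = 7200 s). Issuer and audience are placeholders.
SAMPLE_CLAIMS = {
    RELATIONSHIP_CLAIM: [{"relationshipType": "is_sport_member_of",
                          "to": {"id": "ce55bd7e-2b78-446d-b73e-b3c26ab90096",
                                 "type": "subscription"}}],
    "iss": "https://issuer.example",
    "sub": "auth0|5f461b89e71ba00068c82a20",
    "aud": ["https://api.example"],
    "iat": 1599123105,
    "exp": 1599130305,
    "azp": "ZzObVv7phuhCPWM4eKSnTxfghvD93zkG",
    "scope": "openid profile email",
}

if __name__ == "__main__":
    tok = mint_token(SAMPLE_CLAIMS)
    claims = verify_token(tok, audience="https://api.example", now=1599123200)
    ok = is_allowed(claims, "is_sport_member_of", "subscription",
                    "ce55bd7e-2b78-446d-b73e-b3c26ab90096")
    print(json.dumps(audit_event(claims, ok, "subscription/ce55bd7e")))
```

The check order matters: the signature is verified before the payload is parsed for anything, and the PII rule is applied to every token so that a misconfigured issuer that starts adding `email` or `name` claims is caught at the resource server rather than silently leaking personal data into application logs.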

GDPR compliance

Consent is not optional: we enforce it. Before any authorization is given, the user has to consent to the access or use of his or her personal data.

Our platform enforces three dimensions in consent: user-to-organization, user-to-user and user-to-application.

We follow the Consent Receipt Specification of the Kantara Initiative – the global industry association that carries the mission of ‘improving trustworthy use of identity and personal data’.

Consent Receipt Specification
  1. Consent Record Creation
  2. Human-readable Receipt
  3. Links to Privacy Notices & Policies
  4. What information is collected
  5. Purposes for that Collection
  6. Information on Disclosure & Usage

Our platform provides a store for all the consent records a consumer has given over time, in a structured and legally binding format. If you already have your consents stored elsewhere, we can connect our authorization platform to that store and use those consents in our authorization decisions.
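To make the consent-before-authorization rule, the three consent dimensions and the consumer's right to revoke (described under "Consumers have the final say") concrete, here is an added example that is not Scaled Access code: a minimal consent store whose records carry the six Consent Receipt elements listed above, a point-in-time check of whether an unrevoked record covers a given purpose, and an `authorize` function that refuses access when no consent exists regardless of what the access rule says. The record fields, the dimension names, the `app:club-portal` counterparty and all sample data are constructed assumptions; the subject id is the one from the sample token payload.

```python
# Added example (not Scaled Access code): consent records with the six
# Consent Receipt elements, revocation, and consent-gated authorization.
# Field names, dimension labels and sample data are constructed assumptions.
from dataclasses import dataclass
from typing import List, Optional

# The three consent dimensions the page names; labels are assumed.
DIMENSIONS = {"user-to-organization", "user-to-user", "user-to-application"}


@dataclass
class ConsentRecord:
    subject: str                # opaque subject id (no PII), matching the token's "sub"
    dimension: str              # which of the three dimensions this consent belongs to
    counterparty: str           # organization, user or application the consent is given to
    created_at: int             # 1. consent record creation (epoch seconds)
    receipt_text: str           # 2. human-readable receipt
    policy_links: List[str]     # 3. links to privacy notices & policies
    data_collected: List[str]   # 4. what information is collected
    purposes: List[str]         # 5. purposes for that collection
    disclosure: str             # 6. information on disclosure & usage
    revoked_at: Optional[int] = None

    def covers(self, purpose: str, at: int) -> bool:
        """Active at time `at` and explicitly listing `purpose`; nothing is implied."""
        if at < self.created_at:
            return False
        if self.revoked_at is not None and at >= self.revoked_at:
            return False
        return purpose in self.purposes


class ConsentStore:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> None:
        if rec.dimension not in DIMENSIONS:
            raise ValueError(f"unknown consent dimension: {rec.dimension}")
        self._records.append(rec)

    def revoke(self, subject: str, counterparty: str, at: int) -> int:
        """Consumer withdraws consent; returns how many active records were revoked.
        Records are never deleted, so past decisions stay auditable."""
        n = 0
        for rec in self._records:
            if (rec.subject == subject and rec.counterparty == counterparty
                    and rec.revoked_at is None):
                rec.revoked_at = at
                n += 1
        return n

    def has_consent(self, subject: str, dimension: str, counterparty: str,
                    purpose: str, at: int) -> bool:
        return any(r.subject == subject and r.dimension == dimension
                   and r.counterparty == counterparty and r.covers(purpose, at)
                   for r in self._records)


def authorize(store: ConsentStore, subject: str, dimension: str, counterparty: str,
              purpose: str, rule_permits: bool, at: int) -> str:
    """Consent is evaluated before the access rule, so a permissive rule can
    never mask a missing or revoked consent. Returns a decision string."""
    if not store.has_consent(subject, dimension, counterparty, purpose, at):
        return "deny:no-consent"
    return "allow" if rule_permits else "deny:no-permission"


def build_sample_store() -> ConsentStore:
    """Constructed sample: one user-to-application consent for a single purpose."""
    store = ConsentStore()
    store.record(ConsentRecord(
        subject="auth0|5f461b89e71ba00068c82a20",
        dimension="user-to-application",
        counterparty="app:club-portal",
        created_at=1599120000,
        receipt_text="You allow the club portal to use your membership status to show your bookings.",
        policy_links=["https://club.example/privacy"],
        data_collected=["membership status"],
        purposes=["show-bookings"],
        disclosure="Not shared with third parties.",
    ))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    sub = "auth0|5f461b89e71ba00068c82a20"
    print(authorize(s, sub, "user-to-application", "app:club-portal", "show-bookings", True, 1599123200))
    s.revoke(sub, "app:club-portal", 1599125000)
    print(authorize(s, sub, "user-to-application", "app:club-portal", "show-bookings", True, 1599126000))
```

Because `covers` is evaluated at an explicit point in time and revocation only stamps `revoked_at`, the same store answers both the live question ("may this request proceed now?") and the audit question ("was there valid consent when that access happened?").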

Ready to adapt to how your users interact in the real-world?