Scratchware Security Statement


Updated 9/11/2021

Scratchware Security Posture


Scratchware works to limit its attack surface and decrease potential software vulnerabilities with advanced security technologies, security-first development practices, and constant monitoring of system assets.

Scratchware employs information security best practices, including monitoring, network segmentation, and role-based access control with multi-factor authentication, to protect Scratchware critical and strategic resources against both malicious insiders and the unintended exposures that well-meaning staff can create.

Conditional Access

Just-in-time Access (JIT)

Scratchware reduces its exposure with just-in-time (JIT) access: inbound management traffic to virtual machines is blocked by default and opened only for an approved request and for a limited time, so the VM array remains reachable when needed without standing open ports. JIT access is restricted to specific roles for infrastructure management tasks and follows strict change control.


Zero Trust

Scratchware enforces a Zero Trust policy in which least-privilege access is the primary line of defense in the Scratchware security architecture. Conditional access is the policy decision point: access to a resource is granted or denied based on user identity, environment, device health, and sign-in risk, and those signals are verified explicitly at the point of access rather than inferred from network location.


Time-bound Access (RBTBAC)

Scratchware systematically limits access to mission-critical tools and infrastructure with role-based, time-bound access control (RBTBAC): each grant is scoped to a role and a designated area and expires at the end of its window.
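The three controls above (JIT grants, role-scoped time-bound access, and explicit verification at the point of access) can be shown as a single policy decision point. The Go program below is an added illustration, not Scratchware code; the role and resource names, the "low"/"medium"/"high" risk scale, and the two-hour cap on a JIT grant are assumptions for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Grant is a time-bound, role-scoped access grant: the RBTBAC unit. A JIT
// request produces one with a short expiry; there are no standing grants.
type Grant struct {
	Subject   string
	Role      string
	Resource  string
	NotBefore time.Time
	Expires   time.Time
}

// Request is the context the policy decision point sees at the moment of
// access: identity, MFA state, device health and a sign-in risk level
// (the "low"/"medium"/"high" scale is an assumption for this example).
type Request struct {
	Subject         string
	Resource        string
	MFA             bool
	DeviceCompliant bool
	RiskLevel       string
	At              time.Time
}

// Policy maps roles to the resources they may request and caps the lifetime
// of a JIT grant. It is the single decision point for every access.
type Policy struct {
	RoleResources map[string][]string
	MaxJIT        time.Duration
	grants        []Grant
}

// RequestJIT issues a time-bound grant if the role is permitted on the
// resource and the requested lifetime does not exceed the policy cap.
func (p *Policy) RequestJIT(subject, role, resource string, now time.Time, d time.Duration) (Grant, error) {
	if d <= 0 || d > p.MaxJIT {
		return Grant{}, fmt.Errorf("requested lifetime %v outside (0, %v]", d, p.MaxJIT)
	}
	permitted := false
	for _, r := range p.RoleResources[role] {
		if r == resource {
			permitted = true
		}
	}
	if !permitted {
		return Grant{}, fmt.Errorf("role %q may not request %q", role, resource)
	}
	g := Grant{Subject: subject, Role: role, Resource: resource, NotBefore: now, Expires: now.Add(d)}
	p.grants = append(p.grants, g)
	return g, nil
}

// Decide verifies explicitly at the point of access. Every signal is checked
// on every call: holding a live grant never skips the MFA, device or risk checks.
func (p *Policy) Decide(r Request) (bool, string) {
	if !r.MFA {
		return false, "deny: MFA not satisfied"
	}
	if !r.DeviceCompliant {
		return false, "deny: device not compliant"
	}
	if r.RiskLevel == "high" {
		return false, "deny: sign-in risk high"
	}
	for _, g := range p.grants {
		if g.Subject == r.Subject && g.Resource == r.Resource &&
			!r.At.Before(g.NotBefore) && r.At.Before(g.Expires) {
			return true, fmt.Sprintf("allow: role=%s grant expires %s", g.Role, g.Expires.Format(time.RFC3339))
		}
	}
	return false, "deny: no active time-bound grant"
}

func main() {
	now := time.Date(2021, 9, 11, 9, 0, 0, 0, time.UTC)
	p := &Policy{RoleResources: map[string][]string{"infra-admin": {"vm-array"}}, MaxJIT: 2 * time.Hour}
	if _, err := p.RequestJIT("alice", "infra-admin", "vm-array", now, time.Hour); err != nil {
		panic(err)
	}
	req := Request{Subject: "alice", Resource: "vm-array", MFA: true, DeviceCompliant: true, RiskLevel: "low", At: now.Add(30 * time.Minute)}
	fmt.Println(p.Decide(req))
	req.At = now.Add(3 * time.Hour) // the one-hour grant has expired
	fmt.Println(p.Decide(req))
}
```

The order of checks matters: identity and grant lookup happen last, so a compromised-but-valid grant is still useless from a non-compliant device or a high-risk sign-in.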

Secure software development and supply chain


Single Code Base

Scratchware consists of a single proprietary codebase, written from the ground up in-house by senior Scratchware developers and branched by access level. Scratchware limits its use of third-party software to the presentation layer and continuously monitors for new version releases, patches, and upgrades to keep all components secure and up to date.



Scratchware DevOps manages the development process so that it is portable and faster, increases collaboration, and ships with greater control over releases, over the securing of source code, and over who has access to it.


DevSecOps (DSO)

Scratchware DevSec manages the software supply chain and code with secure vault management: keys, certificates, tokens, and other secrets are stored in a vault and loaded at run time rather than embedded in source or configuration, and secret scanning alerts on credentials and tokens that are mistakenly committed to source control. Scratchware DevSec governs user authentication throughout the application, provides production-ready container images, and maintains full end-to-end traceability. It identifies vulnerabilities in code with semantic code analysis, and identifies and remediates security issues in dependencies through security alerts and automated security updates.
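The secret-scanning step described above, as an added example that is not Scratchware's tooling: a small scanner that runs shape rules for known credential formats plus a Shannon-entropy check over quoted literals, and masks what it finds so the report itself does not leak the secret. The source lines are constructed; the AWS-looking key is the example key ID from the AWS documentation, the GitHub-looking token and the high-entropy literal are made up, and the 4.0 bits/char entropy threshold is an assumption.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding is one hit: the 1-based line, the rule that fired, and the matched
// text with most characters masked so the scanner never re-exposes a secret.
type Finding struct {
	Line   int
	Rule   string
	Masked string
}

var rules = []struct {
	name string
	re   *regexp.Regexp
}{
	// Well-known token shapes: AWS access key IDs and GitHub personal tokens.
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"github-pat", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
	// A credential-looking variable assigned a quoted literal of 8+ characters.
	{"hardcoded-credential", regexp.MustCompile(`(?i)\b(password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*["'][^"']{8,}["']`)},
}

// Any quoted literal of 20+ characters from the usual secret alphabet is a
// candidate for the entropy check; prose and hostnames rarely qualify.
var literal = regexp.MustCompile(`["']([A-Za-z0-9+/=_-]{20,})["']`)

// shannon returns the entropy of s in bits per character.
func shannon(s string) float64 {
	counts := map[rune]int{}
	for _, c := range s {
		counts[c]++
	}
	h := 0.0
	for _, n := range counts {
		p := float64(n) / float64(len(s))
		h -= p * math.Log2(p)
	}
	return h
}

// mask keeps the first and last four characters, enough to triage the hit.
func mask(s string) string {
	if len(s) <= 8 {
		return strings.Repeat("*", len(s))
	}
	return s[:4] + strings.Repeat("*", len(s)-8) + s[len(s)-4:]
}

// Scan runs every rule over every line and adds an entropy finding for any
// quoted literal at or above the threshold (4.0 bits/char is an assumption).
func Scan(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		for _, r := range rules {
			if m := r.re.FindString(line); m != "" {
				out = append(out, Finding{i + 1, r.name, mask(m)})
			}
		}
		for _, m := range literal.FindAllStringSubmatch(line, -1) {
			if shannon(m[1]) >= 4.0 {
				out = append(out, Finding{i + 1, "high-entropy-literal", mask(m[1])})
			}
		}
	}
	return out
}

// Constructed source lines: the key-like values are documentation examples
// or made up for this scan, not real credentials. Line 4 is the pattern the
// text recommends, a secret loaded from the environment at run time.
var sample = []string{
	`db_host = "db.internal.example"`,
	`aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"`,
	`password = "correct-horse-battery"`,
	`token = os.Getenv("API_TOKEN")`,
	`gh = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"`,
	`seed = "a8F3kQ9zL2mN7pR4sT6vW1xY"`,
}

func main() {
	for _, f := range Scan(sample) {
		fmt.Printf("line %d: %-22s %s\n", f.Line, f.Rule, f.Masked)
	}
}
```

Shape rules have no false positives for the formats they know but miss everything else; the entropy check catches unknown formats at the cost of occasional noise (random nonces, hashes), which is why production scanners combine both and let the entropy threshold be tuned.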


Scratchware DevTestLab

Scratchware dynamically creates and manages deployments of complex cloud-native applications from application-centric templates and common environment definitions, using a CI/CD pipeline, and improves application quality with built-in blue/green deployment to production.

API management (APIM)


Scratchware APIM

A Scratchware API consists of one or more operations, and each API can be added to one or more products. To use a Scratchware API, a developer subscribes to a product that contains it and can then call the API's operations, subject to any usage policies in effect.

Scratchware offers fast partner onboarding through the developer portal and an API façade that is decoupled from internal implementations not intended for direct partner consumption.

Scratchware APIM provides a central place for the organization to communicate the availability of, and the latest changes to, its APIs; it gates access by organizational account, and all traffic passes over a secured channel between the Scratchware API gateway and the backend.


API Gateway

The API gateway accepts API calls and routes them to the Scratchware backend. It verifies API keys, JWTs, certificates, and other credentials; enforces usage quotas and rate limits; transforms the Scratchware API on the fly without code modifications; caches backend responses where caching is configured; and logs call metadata for analytics.
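The product/subscription model and the gateway checks described above, as an added example that is not Scratchware's implementation: a gateway that verifies the subscription key, confirms the subscribed product contains the requested API, enforces a per-minute quota, routes to the backend, and logs only call metadata. The product, API and key names, the two-calls-per-minute quota, and the fixed-window counter are assumptions for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Product bundles APIs and carries the usage policy its subscribers are held to.
type Product struct {
	APIs           map[string]bool
	CallsPerMinute int
}

// Subscription is a developer's key for one product.
type Subscription struct {
	Owner   string
	Product string
}

// CallRecord is the metadata logged for analytics: who, what, outcome, when.
// Request bodies and the key itself are never logged.
type CallRecord struct {
	Owner  string
	API    string
	Op     string
	Status int
	At     time.Time
}

type window struct {
	start time.Time
	count int
}

// Gateway verifies the subscription key, checks that the product contains the
// API, enforces the per-minute quota, and only then routes to the backend.
type Gateway struct {
	products map[string]Product
	subs     map[string]Subscription // keyed by subscription key
	windows  map[string]*window
	Log      []CallRecord
	backend  func(api, op string) int // returns the backend's status code
}

func NewGateway(products map[string]Product, subs map[string]Subscription, backend func(api, op string) int) *Gateway {
	return &Gateway{products: products, subs: subs, windows: map[string]*window{}, backend: backend}
}

// Handle returns an HTTP-style status: 401 unknown key, 403 API not in the
// subscribed product, 429 quota exceeded, otherwise the backend's status.
func (g *Gateway) Handle(key, api, op string, now time.Time) int {
	sub, ok := g.subs[key]
	if !ok {
		g.record("", api, op, 401, now)
		return 401
	}
	prod := g.products[sub.Product]
	if !prod.APIs[api] {
		g.record(sub.Owner, api, op, 403, now)
		return 403
	}
	w := g.windows[key] // fixed one-minute window per subscription key
	if w == nil || now.Sub(w.start) >= time.Minute {
		w = &window{start: now}
		g.windows[key] = w
	}
	w.count++
	if w.count > prod.CallsPerMinute {
		g.record(sub.Owner, api, op, 429, now)
		return 429
	}
	status := g.backend(api, op)
	g.record(sub.Owner, api, op, status, now)
	return status
}

func (g *Gateway) record(owner, api, op string, status int, at time.Time) {
	g.Log = append(g.Log, CallRecord{owner, api, op, status, at})
}

// demoGateway is a constructed catalogue: one product exposing the "payments"
// API with a quota of two calls per minute, and one subscription to it.
func demoGateway() *Gateway {
	products := map[string]Product{
		"partner-basic": {APIs: map[string]bool{"payments": true}, CallsPerMinute: 2},
	}
	subs := map[string]Subscription{
		"sub-key-partner-1": {Owner: "partner-1", Product: "partner-basic"},
	}
	return NewGateway(products, subs, func(api, op string) int { return 200 })
}

func main() {
	g := demoGateway()
	t0 := time.Date(2021, 9, 11, 12, 0, 0, 0, time.UTC)
	for i := 0; i < 3; i++ { // third call in the same minute is throttled
		fmt.Println(g.Handle("sub-key-partner-1", "payments", "listTransactions", t0.Add(time.Duration(i)*time.Second)))
	}
	fmt.Println(g.Handle("sub-key-partner-1", "ledger", "get", t0), g.Handle("no-such-key", "payments", "get", t0))
}
```

Note the ordering: authentication (401) precedes authorization (403), which precedes the quota (429), so an unauthenticated caller cannot burn a subscriber's quota and the backend is never reached by a request that failed any check.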



Scratchware APIM Administration

The Scratchware APIM administrative interface in Azure provides API program set-up: defining or importing an API schema, packaging APIs into products, setting policies such as quotas or transformations on the APIs, getting insights from analytics, and managing users.


Scratchware APIM Developers

Scratchware APIM provides the main web presence for developers, where they can read API documentation, try out an API in the interactive console, create an account and subscribe to get API keys, and access analytics on their own usage.


Scratchware API Privacy

Scratchware APIs and API developer portals are private and require permissions to access; a developer must subscribe to a product before the APIs it contains can be used.

Application gateway



Scratchware Application Gateway

Scratchware Application Gateway (AAG) is a web traffic load balancer that manages traffic to Scratchware web applications. A traditional load balancer operates at the transport layer (OSI layer 4, TCP and UDP) and routes traffic from a source IP address and port to a destination IP address and port; Application Gateway instead operates at the application layer (OSI layer 7) and makes routing decisions based on attributes of the HTTP request, such as the URI path or host header.

Scratchware AAG provides the following features: TLS termination (SSL/TLS), autoscaling, zone redundancy, static VIP, Web Application Firewall, ingress controller for AKS, URL-based routing, multiple-site hosting, redirection, session affinity, WebSocket and HTTP/2 traffic, connection draining, custom error pages, and rewriting of HTTP headers and URLs.


Application Gateway Web Application Firewall

One of several firewalls in the Scratchware production environment, the Web Application Firewall (WAF) on Application Gateway provides centralized protection of Scratchware web applications from common exploits and vulnerabilities. The WAF is based on the OWASP (Open Web Application Security Project) Core Rule Set (CRS), versions 3.1 (WAF_v2 only), 3.0, and 2.2.9. A WAF reduces exposure to known attack patterns at the edge; it does not replace fixing the vulnerable code behind it.
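CRS 3.x evaluates requests in anomaly-scoring mode: each matching rule adds its severity score (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2) and the request is blocked when the total reaches the inbound threshold, 5 by default, so one critical hit blocks on its own while low-severity signals have to accumulate. The Go program below is an added illustration of that mechanism, not the CRS itself or Scratchware's WAF configuration: the "SW-" rule IDs are hypothetical, the patterns are simplified stand-ins for the corresponding CRS rule families, and the sample requests are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Severity scores and the default inbound threshold used by CRS anomaly
// scoring: one CRITICAL hit blocks on its own, lower severities accumulate.
const (
	critical         = 5
	warning          = 3
	notice           = 2
	inboundThreshold = 5
)

// Rule IDs prefixed "SW-" are hypothetical; the patterns are simplified
// stand-ins for the corresponding CRS rule families.
type Rule struct {
	ID       string
	Desc     string
	Severity int
	Target   string // "uri", "ua" or "accept-missing"
	Re       *regexp.Regexp
}

var rules = []Rule{
	{"SW-942", "SQL injection", critical, "uri", regexp.MustCompile(`(?i)(\bunion\b[\s\S]*\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|;\s*drop\b)`)},
	{"SW-941", "cross-site scripting", critical, "uri", regexp.MustCompile(`(?i)(<script\b|javascript:|\bon(error|load|click|mouseover)\s*=)`)},
	{"SW-930", "path traversal", critical, "uri", regexp.MustCompile(`\.\./|\.\.\\`)},
	{"SW-913", "scanner user-agent", warning, "ua", regexp.MustCompile(`(?i)\b(sqlmap|nikto|nmap|masscan)\b`)},
	{"SW-920", "missing Accept header", notice, "accept-missing", nil},
}

type Request struct {
	Method  string
	URI     string // path plus raw query string, as received
	Headers map[string]string
}

// Inspect percent-decodes the URI once (payloads arrive encoded), runs every
// rule without short-circuiting, and returns the summed anomaly score with
// the IDs of the rules that fired.
func Inspect(r Request) (int, []string) {
	decoded := r.URI
	if u, err := url.PathUnescape(r.URI); err == nil {
		decoded = u
	}
	score, hits := 0, []string{}
	for _, rule := range rules {
		matched := false
		switch rule.Target {
		case "uri":
			matched = rule.Re.MatchString(decoded)
		case "ua":
			matched = rule.Re.MatchString(r.Headers["User-Agent"])
		case "accept-missing":
			matched = strings.TrimSpace(r.Headers["Accept"]) == ""
		}
		if matched {
			score += rule.Severity
			hits = append(hits, rule.ID)
		}
	}
	return score, hits
}

// Blocked applies the inbound anomaly threshold to the request's score.
func Blocked(r Request) bool {
	score, _ := Inspect(r)
	return score >= inboundThreshold
}

// Constructed sample requests: one benign, one SQL injection, and a scanner
// with and without an Accept header.
var (
	browser       = map[string]string{"User-Agent": "Mozilla/5.0", "Accept": "*/*"}
	benign        = Request{"GET", "/products?id=42", browser}
	sqli          = Request{"GET", "/products?id=1%27%20OR%20%271%27%3D%271", browser}
	scanner       = Request{"GET", "/", map[string]string{"User-Agent": "sqlmap/1.5"}}
	scannerAccept = Request{"GET", "/", map[string]string{"User-Agent": "sqlmap/1.5", "Accept": "*/*"}}
)

func main() {
	for _, r := range []Request{benign, sqli, scanner, scannerAccept} {
		score, hits := Inspect(r)
		fmt.Printf("%-45s score=%d hits=%v blocked=%v\n", r.URI+" "+r.Headers["User-Agent"], score, hits, Blocked(r))
	}
}
```

The scanner examples show why the threshold exists: a suspicious User-Agent alone (WARNING, 3) is not blocked, but combined with a missing Accept header (NOTICE, 2) the request crosses the threshold. Lowering the threshold or raising the CRS paranoia level trades more coverage for more false positives on legitimate traffic.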

Data security



Data Vaults

Scratchware employs Transparent Data Encryption (TDE) with bring your own key (BYOK) to secure data at rest. TDE performs real-time encryption and decryption of the database, its associated backups, and its transaction log files without requiring changes to the application. The data is encrypted with a database encryption key (DEK) using AES-256; the DEK is in turn protected by the TDE protector, which under BYOK is a customer-managed key held in Scratchware Key Vault rather than the service-managed certificate built into each server. If a database is in a geo-replication relationship, both the primary and geo-secondary databases are protected by the same TDE protector, so that key must be available to both servers.


Key Vaults

Scratchware Key Vault securely stores and tightly controls access to tokens, passwords, certificates, API keys, and other secrets, and serves as the Scratchware key management solution for creating and controlling the encryption keys that protect Scratchware data. Key Vault also provisions, manages, and deploys public and private TLS/SSL certificates for use with Azure and Scratchware internal resources. Scratchware uses separate Key Vaults for the test and production environments so that production keys are not exposed accidentally in deployments.

Scratchware Key Vault is highly available, scalable secure storage for RSA cryptographic keys, optionally backed by FIPS 140-2 Level 2 validated hardware security modules (HSMs). It never releases a stored key; instead it performs encryption, decryption, wrapping, and signing operations with the key on behalf of authorized entities. A key can be generated inside the vault, imported, or transferred to the vault from an on-premises HSM.


Tokenization and Encryption

Tokenization is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value. Scratchware uses tokens as a reference (i.e. identifier) to map back to the sensitive data through the Scratchware tokenization system.

Scratchware encrypts with the Advanced Encryption Standard (AES) using 256-bit keys (AES-256), one of the strongest block ciphers available. AES itself only encrypts and decrypts; key generation, storage, and rotation are handled by Scratchware Key Vault, so the application never holds raw keys.

Scratchware deploys Azure Disk Encryption (ADE), which uses the BitLocker feature of Windows to provide volume encryption for the OS and data disks of Azure virtual machines (VMs); it is integrated with Azure Key Vault to control and manage Scratchware disk encryption keys and secrets.



The Scratchware stack consists of loosely coupled layers, logically segmented by function and security level. High-security assets are decoupled from the internet and reachable only through internal routes built from dynamic routes, intersections, validation checkpoints, and dead ends.


Data in Transit

Scratchware secures data in transit using TLS (Transport Layer Security) v1.2.

Security and monitoring



Scratchware Security Center

Scratchware employs the Azure Security Center, a unified infrastructure security management system that strengthens the security posture of the Scratchware data center, and provides advanced threat protection across Scratchware hybrid workloads in the cloud - whether they're in Azure or not - as well as on-premises.


24 / 7 / 365 Security Monitoring

Security Center continuously monitors the security state of all resources and whether they are secure. It assesses workloads and raises threat-prevention recommendations and security alerts, and events collected from agents are correlated in its security analytics engine to produce hardening recommendations.

Business continuity and information security (InfoSec)



Secure Backup Automation

Scratchware protects data with a reliable backup infrastructure that backs data up securely and keeps it protected both in transit and at rest, with access over private endpoints. By default, backup data is encrypted using platform-managed keys.



Corporate Governance

Scratchware employs Intune, Microsoft's cloud-based mobile device and operating system management solution. It provides unified endpoint management of both corporate and BYOD devices in a way that protects corporate data, extending some of the on-premises functionality of Microsoft System Center Configuration Manager to Microsoft Azure.


Configuration Standards Best Practices Matrix

Scratchware has adopted and implemented industry best practices and standards for hardening its system components. To keep system configuration standards consistent with industry-accepted hardening standards, Scratchware follows the guidelines and implements the controls of the Center for Internet Security (CIS), the NIST Cloud Computing Security Reference Architecture (NCC-SRA), the CIS Microsoft Azure Foundations Benchmark v1.1.0, and the SOC Trust Services Principles (TSP).

To ensure these standards are applied when new systems are configured, Scratchware requires DevSecOps team members to follow the CIS Microsoft Azure Foundations Benchmark v1.1.0 when implementing system components in the Microsoft Azure cloud.


Unlock and unify your data so that you can safely use it to orchestrate payments and optimize your business across all your favorite apps and services, from a single portal and through a single connection that you control.

What We Offer

Scratch is a cloud-native portable data utility that provides secure payment data pipelines, so that businesses can securely store their data and use it with any trusted third party to orchestrate payments, streamline business processes, and eliminate single points of failure.

Credit Card Surcharging as a Service.

Scratch provides credit card Surcharging-as-a-Service™ wherever in the world credit card surcharging is permitted, with RECOUP and True MDR, the only truly compliant credit card surcharging solution available through a single connection.


Scratch Software Inc. is committed to a diverse and distributed working environment and is headquartered in the United States.

Please Contact us for business hours.