Logo

Other

Security

At Script Elephant, security is our highest priority. This is reflected from our codebase to our server infrastructure to our internal procedures.

Codebase

The heart of Script Elephant’s security is that the entire codebase is self-contained with no cloud-specific dependencies or third-party API requirements for any core functionality. This means that:

  • All core operations and database interactions are contained within one secure server that is unique to each customer.
  • Data is private and never leaves our infrastructure.
  • We are resilient against many cloud-wide outages that affect popular tools today.

This also means that we can run a complete test suite of our entire platform with every code update helping to ensure the platform continues to function as intended.

Infrastructure

Each customer of Script Elephant receives their own dedicated virtual private server (VPS) where the entire codebase and database are fully self-contained. Customers won’t share resources with other customers or be susceptible to “noisy neighbor” slowdowns that are common with shared hosting designs.

This means there is no central point of failure for hardware malfunctions or denial-of-service (DOS) attacks. Any attack against one customer has no ability to spread to or disrupt any other customer.

All passwords and API keys used internally within each server are fully randomized with cryptographically strong randomization for each customer. This means that a theoretically fully compromised server from another customer would have no way to gain privileged access to your server.

This design also gives us the ability to rapidly re-deploy customer VPSs to new servers on any cloud provider whenever necessary.

In short, your data runs on its own dedicated server completely isolated and secured from other customers.

Pausing Updates During Live Productions

When we detect that a server has a live production beginning or ending within 48 hours, our system will automatically pause any feature updates to that server. Reliability is key - preventing updates to a server in a live production period ensures each Script Elephant server will continue to perform on show day exactly like it did during rehearsals.

This also can allow us to ship specific features and bug fixes specific to each customer’s needs directly to their server if needed. This is a unique benefit of our dedicated-VPS infrastructure, which is not possible on other centrally-hosted run of show platforms.

Server Maintenance & Updates

Our team ensures that the operating system on each VPS is fully up to date and includes the latest software and security patches on a regular cadence. In addition, we schedule a complete reboot in off-peak times (to ensure it is not during a live production) on a regular maintenance schedule.

Server & Data Storage Location

Our design is cloud-agnostic allowing us to use leading cloud providers with servers in any region necessary. As of 2025, all customer servers are located in the Central U.S., but we are happy to accommodate special requests for deployments to specific cloud providers/regions for customers on our Enterprise plan.

All uploaded media (images, files, etc) are stored in Amazon’s S3 service. For enterprise customers, we can integrate with any S3-compatible file storage.

Can Script Elephant Be Self-Hosted?

Script Elephant’s self-contained architecture allows it to be hosted on a variety of operating systems and in intranet-only offline environments for customers on our Enterprise plan. Please reach out to our team for more details.

Backups

All changes in Script Elephant are saved as a point-in-time snapshot. This means all edits across the platform create an up-to-date backup that can be restored by our support team whenever necessary.

Our support staff is restricted from viewing the contents of these encrypted backups, but are able to see which user triggered each update and when to allow them to identify and restore the correct backup to a server upon request.

These point-in-time backups are preserved for 24 hours. After that, one backup per day is maintained for the lifetime of each server.

To request a backup restoration, please reach out to our support team.

Routing & Access Layer

Every customer server is protected by routing all traffic across these two barriers:

Content Delivery Network (CDN)

Cloudflare is used as our content delivery network. All web traffic is fully encrypted with HTTPS using trusted origin certificates unique to each customer’s server. No insecure (HTTP) traffic is allowed.

Our firewalls whitelist traffic to only allow egress through Cloudflare, meaning that each server is protected against enumeration attacks that might try to target a server directly.

All servers utilize modern IPv6 addressing, reducing legacy attack vectors.

Virtual Private Network (VPN)

Access to each server is protected behind our VPN layer. All direct console administrative access is restricted through encrypted VPN connections with key-based authentication.

Combined with the Cloudflare firewall rules above, each customer server is effectively “invisible” on the internet and cannot be directly accessed by any third parties or malicious actors.

Uptime

Our infrastructure includes automated monitoring of all customer servers. Within 60 seconds of any network interruption, our infrastructure team will be notified and can take immediate action to restore service. Any faults or errors in the platform are captured and sent to our product development team for review.

Service Level Agreement (SLA)

We are able to address most system errors within 2 business days. If you’re interested in a dedicated SLA (for example one that can apply during a planned live production period), reach out to our sales team.

Data privacy

The Script Elephant platform does not include third party tracking analytics such as Google Analytics. We do track basic analytics for all users using an internal analytics system. None of this data is ever shared with third parties. If removing all analytics from a server is necessary, we are able to accommodate upon request.

Internal Usage Reports

Our team has access to a high-level information report about how each team is using the platform. This enables us to:

  • Know when scheduled live production dates are so that we can freeze updates
  • Facilitate point-in-time database restores for individual actions
  • Troubleshoot any performance problems you may encounter
  • Understand what features are being used for each production

Policies & Procedures

At the heart of our security policies are strict controls and responsibilities that limit direct access to your data within our team.

  • Our front-line support team has limited access to your data and only operates from a high-level dashboard showing summaries of activities, feature use and general traffic patterns. No sensitive information (such as names and email address of users) are ever visible to our support team.
  • Our development team operates in a fully separate environment with no access to customer data in any way.
  • Our infrastructure team are the only ones with direct access to your server. This is necessary to run regular updates and maintenance. This access is strictly held to those that absolutely need access and credentials are changed often.

Only upon a direct request, our infrastructure team can temporarily log in to a server’s dashboard to help troubleshoot any specific errors or incidents.

Confidentiality, Integrity, and Availability

As a high-level summary of Script Elephant’s security posture:

Confidentiality

All customer data is secured on their own server with multiple levels of encryption and access restrictions.

Within the platform, Script Elephant offers a robust user permissions model allowing restricted access on a per-user, per-role and/or per-production level.

Integrity

All actions in Script Elephant are backed up to an off-site server, which is also backed up to an immutable third destination daily. These backups are encrypted at rest. These backups can be restored at any point by submitting a support request. We can also re-deploy your data to a new server at any time.

Availability

Each customer’s server operates fully independently from every other. This means that each customer is not susceptible to noisy neighbor slowdowns or denial of service attacks on any other customer.

Each customer server is sized with sufficient hardware allocations to accommodate beyond normal traffic volumes for that server. We also have the capability to deploy servers in high-availability configurations for our enterprise customers.

Contact us

If you have any security-specific concerns, please email us at security@scriptelephant.com. We welcome responsible security research and will respond promptly to vulnerability reports sent to security@scriptelephant.com.

Previous
Slack Integration
Next
Frequently Asked Questions