System Security
LAST UPDATED: APRIL 24, 2026Scorpii Flow is built on a "Local-Trust" architecture. Unlike cloud-based automation platforms, your sensitive data and credentials never leave your hardware.
Local Execution Environment
Our automation agents run directly on your hardware — Windows, macOS, or Linux. This architectural decision is the cornerstone of our security model:
- No Credential Uploads: Your login credentials (cookies, tokens, passwords) are stored in an encrypted local vault. They never transit through our servers.
- Network Isolation: Agents communicate with our orchestration server via an encrypted outbound-only tunnel. No inbound ports are required on your machine.
- Air-Gap Compatible: For maximum security, agents can operate in fully offline mode with pre-loaded workflow blueprints.
Why Local? Traditional cloud RPA sends your browser sessions to remote servers. Scorpii runs on your screen, on your OS — so credentials never leave your trust boundary.
Hardware-Level Emulation
To bypass bot detection, Scorpii Flow uses a hardware-level macro engine that operates at the OS kernel level. This provides two key security benefits:
- Stealth Execution: Physical mouse movements and keyboard events are indistinguishable from human input, preventing canvas fingerprinting, WebDriver detection, and behavioral analysis.
- Session Integrity: Because we interact with the actual browser UI (not injected scripts), session cookies and security tokens remain intact and unmodified.
Deep-Root Session Management
One of the biggest failures of traditional automation is handling complex login flows. Our Deep-Root Login Probes provide intelligent authentication resilience:
- Adaptive Login Detection: The agent autonomously recognizes login screens, 2FA challenges, and session expiry notices through visual analysis.
- Hybrid Trust Model: The system relies on internal browser state to override flaky OS-level focus reports, ensuring reliable workflow initiation.
- Zero Stored Passwords: Credentials are sourced from your local encrypted vault at runtime and never cached in memory beyond the active session.
LLM Healer Privacy Guarantees
The Tier-2 Gemini Healer processes UI state only when a workflow step fails. We use Enterprise-tier API endpoints with the following contractual guarantees:
- Zero Training: No customer screenshots or DOM fragments are used for model training.
- Immediate Deletion: Transmitted data is discarded immediately after the healing action is computed.
- No Human Review: UI snapshots are processed entirely by automated systems with no human access.
- Minimal Scope: Only the exact DOM fragment required for re-targeting is transmitted — never full-page captures.
Dashboard & API Security
The Scorpii Flow Dashboard and REST API are secured with modern industry standards:
- Authentication: Multi-Factor Authentication (MFA) available for all accounts.
- Encryption at Rest: All stored data is encrypted using AES-256.
- Encryption in Transit: All communications secured via TLS 1.3.
- Access Control: Role-based access control (RBAC) for multi-user agency accounts.
- API Keys: Scoped, rotatable API keys with configurable permissions.
Execution Auditability
Every automated action is fully auditable through our Deep Trace Narrative system:
- A human-readable log of every click, keystroke, and decision the agent made — and why.
- Timestamped execution traces stored locally for compliance and forensic review.
- Optional webhook notifications for real-time monitoring of agent behavior.
No Black Boxes: Unlike competitor platforms, Scorpii Flow gives you complete visibility into the agent's reasoning chain. Every action can be traced back to a specific training decision or AI inference.
Found a Vulnerability?
We welcome responsible disclosure from the security community. Report findings and help us strengthen the platform.
Report to Security Team