Security v1.2.0
While no system is completely secure, we do our best to make sure our services are as secure as possible. This document gives an overview of our security practices. It is neither exhaustive nor binding; it is simply a good-faith effort to keep you informed.
Changes
As we learn more, as best practices change, and as we add technology and features or change technology providers, some aspects of our security may change. We will try to keep this document up to date to reflect major changes to our security practices.
- Version 1.2.0 (July 2, 2019). Completely rewrote "Email is Proof of Identity" section into the new "Account Access as Proof of Identity" section. This is in preparation for the upcoming ability to create and log into Rumpus accounts using third party accounts (such as Steam) that do not provide email addresses. Made other minor updates related to this change.
- Version 1.1.1 (June 7, 2019). Clarified some language without changing the meaning.
- Version 1.1.0 (May 26, 2018). Added section on reporting security issues.
- Version 1.0.0 (May 24, 2018). First version of this document.
Account Access as Proof of Identity
There is no fool-proof way for us to verify user identity, and so we take a reasonable shortcut: ability to access a Bscotch Account (e.g. BscotchID or Rumpus) is considered proof that that Bscotch Account is yours.
Bscotch Account access requires access to the email address(es), password(s), and/or third party authentication service(s) used to create and log into that Bscotch Account. If you cannot access your Bscotch Account then we will not consider you to be the account owner. Similarly, if someone else gains access to your Bscotch Account we consider that other person to be the owner of your Bscotch Account. It is your responsibility to prevent others from accessing your Bscotch Account by protecting your login information.
We strongly encourage you to add backup login methods to your Bscotch Accounts, where possible, and to use good security practices for your Bscotch Accounts and any connected accounts.
All Account Management Requires Login
We have to know that you are who you say you are before you can take any actions on your account, including exercising any of your data rights under our Privacy Policy or GDPR. Otherwise nefarious evil-doers would cause all kinds of chaos for everyone!
Email Confirmations
Account actions that can have a major impact on your security or privacy may require email confirmation before they are completed. Such actions include adding email addresses to your Rumpus account and account deletion. It is possible to create certain kinds of Bscotch Accounts without a verified email address. In those cases you either will not be able to confirm requested actions, or we will allow you to take the action without any confirmation. We recommend that you verify an email address on your account to allow for the extra security of confirmation steps.
Passwords
Our legacy user account system, BscotchID, uses passwords to verify your identity when you access your accounts. We may use passwords in other parts of our Services as well. It is your responsibility to use strong passwords, and to prevent other people from guessing or otherwise obtaining them. We store passwords after applying a one-way transformation to them, so that not even we know or have access to the original.
We otherwise minimize your security risks by going password-free with Rumpus. Password-free logins require email confirmation or other 3rd party logins (e.g. via Google, Steam, or Discord) that provide us with a verified email address.
Data Storage & Access
We store your data in databases and log files ("Data") controlled by us, hosted by trusted 3rd party companies, and secured by strong passwords (sometimes also with restricted access by IP address). The trusted 3rd parties can only access the Data with our permission, and we will only give that permission when necessary for managing technical and other issues (e.g. data migrations and debugging). Bscotch staff have need-to-know levels of access to the Data, and are expected to only access and use Data when doing so is necessary for essential work.
Local Files
Our games and websites create local files (or similar types of storage) that store some account information on your device. This is required for our games and websites to function. If you grant access to these storage locations to other people, or to other applications and software, a nefarious evil-doer may be able to hijack or otherwise damage your Bscotch accounts. Examples of software to be wary of include browser extensions, piracy/hacking/cheating apps, and cracked versions of our games. It is your responsibility to control who has access to your devices and what software and applications you have installed on your device. If someone takes over your Bscotch account by stealing this information from you, we will not be able to recover your Bscotch account.
Reporting Security Issues
If you've discovered a potential security issue, we want to hear about it. If you would like to go looking for security issues, please do not do so without first telling us what you want to try so that we can tell you if you'll do damage to our systems in the process. Finally, if you have concerns about our security and want more information, we will try to answer your questions. In all cases, you can contact us at bscotch.net/contact/topics/security.