Configuration
The SCF Controls Platform runs in two ways, and configuration differs between them:
- Managed SaaS — a fully-managed application. Configuration is handled through the platform’s web interface; there are no environment files or server settings to manage. Most of this page covers these in-app settings.
- Self-hosted (open source) — you run the Docker Compose stack and configure it through a
.envfile. See Self-hosted environment variables below, and Deployment for the full install.
Self-hosted environment variables
Section titled “Self-hosted environment variables”Self-hosted deployments are configured entirely through a .env file (copied from the tracked
.env.example). The defaults boot the stack for local evaluation; change every value marked
REQUIRED before exposing the stack to a network, and never commit your filled-in .env.
Required
Section titled “Required”| Variable | Purpose |
|---|---|
DB_PASSWORD | Postgres password; the backend builds DATABASE_URL from it |
API_KEY | Master backend API key (e.g. openssl rand -hex 32) |
VITE_API_KEY | API key the frontend uses to call the backend (typically the same as API_KEY) |
| Variable | Default | Purpose |
|---|---|---|
ENVIRONMENT | production | development | staging | production. Only use development on a trusted local machine |
OSS_SINGLE_TENANT | 1 | Lets the master key admin a single org; fail-closed — disabled at startup if >1 org/member exists |
LOG_LEVEL | info | debug | info | warning | error |
CATALOG_VERSION | 2025.4 | SCF catalogue version surfaced on /version; match your imported workbook |
PLATFORM_VERSION | 1.0.0 | Application version label |
Authentication (Google OAuth — optional)
Section titled “Authentication (Google OAuth — optional)”Leave GOOGLE_AUTH_ENABLED=false to run with API-key auth only.
| Variable | Purpose |
|---|---|
GOOGLE_AUTH_ENABLED / VITE_GOOGLE_AUTH_ENABLED | Enable Google sign-in (backend + frontend must match) |
GOOGLE_CLIENT_ID / VITE_GOOGLE_CLIENT_ID | OAuth client ID (build-time copy baked into the frontend bundle) |
Email notifications (Resend — optional)
Section titled “Email notifications (Resend — optional)”Leave RESEND_API_KEY blank to disable outbound email.
| Variable | Purpose |
|---|---|
RESEND_API_KEY | Resend API key for outbound notification email |
RESEND_FROM_EMAIL | From address on notification emails |
APP_URL | Public frontend URL used in email links |
Evidence storage
Section titled “Evidence storage”Defaults to the bundled MinIO container — no cloud account needed. See Deployment → Evidence storage for the AWS S3 and Azure Blob escape hatches.
| Variable | Default | Purpose |
|---|---|---|
AWS_ENDPOINT_URL | http://minio:9000 | Internal S3 endpoint; blank = use real AWS S3 |
EVIDENCE_PUBLIC_ENDPOINT | http://localhost:9000 | Browser-facing endpoint for presigned URLs |
EVIDENCE_BUCKET | evidence | Bucket name |
MINIO_ROOT_USER / MINIO_ROOT_PASSWORD | minioadmin / changeme-… | Bundled MinIO credentials |
AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY | matches MinIO creds | S3 credentials the backend uses |
AWS_DEFAULT_REGION | eu-west-1 | S3 region |
AZURE_STORAGE_ACCOUNT_NAME / AZURE_STORAGE_ACCOUNT_KEY | — | Azure Blob (takes priority over S3 when set) |
EVIDENCE_CONTAINER | evidence | Azure container name |
Optional integrations
Section titled “Optional integrations”| Variable | Purpose |
|---|---|
ANTHROPIC_API_KEY | Enables AI-assisted evidence / window assessment |
HIBP_API_KEY, NVD_API_KEY | Third-party breach / vulnerability lookups for vendor research |
APPLICATIONINSIGHTS_CONNECTION_STRING | Telemetry export |
SCF_XLSX | Path to your SCF workbook for the catalogue importer (default ./catalog-source/scf.xlsx) |
Platform Settings
Section titled “Platform Settings”Organisation Settings
Section titled “Organisation Settings”Organisation administrators can configure:
| Setting | Description | Access |
|---|---|---|
| Organisation Name | Display name for your organisation | Admin only |
| Primary Framework | Default compliance framework for dashboard metrics | Admin only |
| User Roles | Assign roles to team members | Admin only |
User Preferences
Section titled “User Preferences”Individual users can configure:
| Setting | Description |
|---|---|
| Notification Preferences | Email notification settings |
| Display Preferences | UI preferences (if available) |
Authentication
Section titled “Authentication”The platform uses Google Sign-In for secure authentication. No configuration is required on your part.
Supported Account Types
Section titled “Supported Account Types”| Account Type | Example | Notes |
|---|---|---|
| Google Workspace | you@company.com | Recommended for organisations |
| Personal Gmail | you@gmail.com | Works for individuals and small teams |
| Google Cloud Identity | you@domain.com | For organisations without full Workspace |
Authentication Flow
Section titled “Authentication Flow”- User clicks “Sign in with Google”
- Google authenticates the user
- Platform receives user identity (email, name, profile picture)
- User is granted access based on their organisation membership
Email Notifications
Section titled “Email Notifications”The platform sends email notifications for:
| Notification Type | Trigger |
|---|---|
| User Invitations | When invited to join an organisation |
| Task Assignment | When assigned to a control or task |
| Due Reminders | Before task due dates |
| Overdue Alerts | When tasks pass their due date |
| @Mentions | When mentioned in comments |
Data Storage
Section titled “Data Storage”Where Your Data Lives
Section titled “Where Your Data Lives”- All data is stored securely in the cloud
- Data is encrypted at rest and in transit
- Regular automated backups are performed
- Multi-region redundancy for high availability
Data Retention
Section titled “Data Retention”- Active data is retained as long as your subscription is active
- Backups are retained according to our data retention policy
- You can export your data at any time via the backup feature
Security Configuration
Section titled “Security Configuration”Access Control
Section titled “Access Control”| Feature | Description |
|---|---|
| Google OAuth | Secure authentication via Google |
| Role-Based Access | Admin, Editor, Viewer roles (enforcement coming soon) |
| Organisation Isolation | Each organisation’s data is completely separate |
Security Features
Section titled “Security Features”- HTTPS Only — All connections are encrypted
- OAuth 2.0 — Industry-standard authentication
- Session Management — Automatic session timeout for security
- Audit Logging — All actions are logged for compliance
Integration Settings
Section titled “Integration Settings”Current Integrations
Section titled “Current Integrations”The platform currently supports:
| Integration | Purpose |
|---|---|
| Google Sign-In | User authentication |
| Email (Resend) | Notification delivery |
Future Integrations
Section titled “Future Integrations”Additional integrations are planned for future releases:
- SIEM/SOAR integration
- Ticketing system integration (Jira, ServiceNow)
- Single Sign-On (SSO) providers
- API access for automation
Backup Configuration
Section titled “Backup Configuration”Backup Features
Section titled “Backup Features”Access via the Database button in the header:
| Feature | Description |
|---|---|
| Download Backup | Export all your data as a JSON file |
| Restore from Backup | Upload a previous backup to restore data |
Backup Contents
Section titled “Backup Contents”Backups include:
- All scoped controls and their status
- Evidence tracking configurations
- Users and organisation settings
- Assignments, comments, and tasks
- Notification history
What’s Not Included
Section titled “What’s Not Included”- SCF catalog data (this is reference data provided by the platform)
- System configuration (managed by the platform)
Version Information
Section titled “Version Information”Checking Your Version
Section titled “Checking Your Version”The platform version is displayed:
- In the footer of each page
- In the Database Health & Statistics popup
Version Components
Section titled “Version Components”| Component | Description |
|---|---|
| Platform Version | Application version number |
| API Version | Backend API version |
| Catalog Version | SCF Controls Catalog version |
Support Configuration
Section titled “Support Configuration”Getting Help
Section titled “Getting Help”| Resource | Purpose |
|---|---|
| This Documentation | Self-service help and guides |
| In-App Support | Contact support from within the platform |
| Email Support | support@scfcontrolsplatform.com |
Reporting Issues
Section titled “Reporting Issues”When reporting issues, include:
- Browser type and version
- Steps to reproduce the problem
- Any error messages shown
- Screenshots if applicable
Related Guides
Section titled “Related Guides”- Authentication — Sign-in and account management
- User Management — Managing users and roles
- Backup & Restore — Data backup procedures