Skip to content

Configuration

Configuration illustration

The SCF Controls Platform runs in two ways, and configuration differs between them:

  • Managed SaaS — a fully-managed application. Configuration is handled through the platform’s web interface; there are no environment files or server settings to manage. Most of this page covers these in-app settings.
  • Self-hosted (open source) — you run the Docker Compose stack and configure it through a .env file. See Self-hosted environment variables below, and Deployment for the full install.

Self-hosted deployments are configured entirely through a .env file (copied from the tracked .env.example). The defaults boot the stack for local evaluation; change every value marked REQUIRED before exposing the stack to a network, and never commit your filled-in .env.

VariablePurpose
DB_PASSWORDPostgres password; the backend builds DATABASE_URL from it
API_KEYMaster backend API key (e.g. openssl rand -hex 32)
VITE_API_KEYAPI key the frontend uses to call the backend (typically the same as API_KEY)
VariableDefaultPurpose
ENVIRONMENTproductiondevelopment | staging | production. Only use development on a trusted local machine
OSS_SINGLE_TENANT1Lets the master key admin a single org; fail-closed — disabled at startup if >1 org/member exists
LOG_LEVELinfodebug | info | warning | error
CATALOG_VERSION2025.4SCF catalogue version surfaced on /version; match your imported workbook
PLATFORM_VERSION1.0.0Application version label

Authentication (Google OAuth — optional)

Section titled “Authentication (Google OAuth — optional)”

Leave GOOGLE_AUTH_ENABLED=false to run with API-key auth only.

VariablePurpose
GOOGLE_AUTH_ENABLED / VITE_GOOGLE_AUTH_ENABLEDEnable Google sign-in (backend + frontend must match)
GOOGLE_CLIENT_ID / VITE_GOOGLE_CLIENT_IDOAuth client ID (build-time copy baked into the frontend bundle)

Leave RESEND_API_KEY blank to disable outbound email.

VariablePurpose
RESEND_API_KEYResend API key for outbound notification email
RESEND_FROM_EMAILFrom address on notification emails
APP_URLPublic frontend URL used in email links

Defaults to the bundled MinIO container — no cloud account needed. See Deployment → Evidence storage for the AWS S3 and Azure Blob escape hatches.

VariableDefaultPurpose
AWS_ENDPOINT_URLhttp://minio:9000Internal S3 endpoint; blank = use real AWS S3
EVIDENCE_PUBLIC_ENDPOINThttp://localhost:9000Browser-facing endpoint for presigned URLs
EVIDENCE_BUCKETevidenceBucket name
MINIO_ROOT_USER / MINIO_ROOT_PASSWORDminioadmin / changeme-…Bundled MinIO credentials
AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEYmatches MinIO credsS3 credentials the backend uses
AWS_DEFAULT_REGIONeu-west-1S3 region
AZURE_STORAGE_ACCOUNT_NAME / AZURE_STORAGE_ACCOUNT_KEYAzure Blob (takes priority over S3 when set)
EVIDENCE_CONTAINERevidenceAzure container name
VariablePurpose
ANTHROPIC_API_KEYEnables AI-assisted evidence / window assessment
HIBP_API_KEY, NVD_API_KEYThird-party breach / vulnerability lookups for vendor research
APPLICATIONINSIGHTS_CONNECTION_STRINGTelemetry export
SCF_XLSXPath to your SCF workbook for the catalogue importer (default ./catalog-source/scf.xlsx)

Organisation administrators can configure:

SettingDescriptionAccess
Organisation NameDisplay name for your organisationAdmin only
Primary FrameworkDefault compliance framework for dashboard metricsAdmin only
User RolesAssign roles to team membersAdmin only

Individual users can configure:

SettingDescription
Notification PreferencesEmail notification settings
Display PreferencesUI preferences (if available)

The platform uses Google Sign-In for secure authentication. No configuration is required on your part.

Account TypeExampleNotes
Google Workspaceyou@company.comRecommended for organisations
Personal Gmailyou@gmail.comWorks for individuals and small teams
Google Cloud Identityyou@domain.comFor organisations without full Workspace
  1. User clicks “Sign in with Google”
  2. Google authenticates the user
  3. Platform receives user identity (email, name, profile picture)
  4. User is granted access based on their organisation membership

The platform sends email notifications for:

Notification TypeTrigger
User InvitationsWhen invited to join an organisation
Task AssignmentWhen assigned to a control or task
Due RemindersBefore task due dates
Overdue AlertsWhen tasks pass their due date
@MentionsWhen mentioned in comments

  • All data is stored securely in the cloud
  • Data is encrypted at rest and in transit
  • Regular automated backups are performed
  • Multi-region redundancy for high availability
  • Active data is retained as long as your subscription is active
  • Backups are retained according to our data retention policy
  • You can export your data at any time via the backup feature

FeatureDescription
Google OAuthSecure authentication via Google
Role-Based AccessAdmin, Editor, Viewer roles (enforcement coming soon)
Organisation IsolationEach organisation’s data is completely separate
  • HTTPS Only — All connections are encrypted
  • OAuth 2.0 — Industry-standard authentication
  • Session Management — Automatic session timeout for security
  • Audit Logging — All actions are logged for compliance

The platform currently supports:

IntegrationPurpose
Google Sign-InUser authentication
Email (Resend)Notification delivery

Additional integrations are planned for future releases:

  • SIEM/SOAR integration
  • Ticketing system integration (Jira, ServiceNow)
  • Single Sign-On (SSO) providers
  • API access for automation

Access via the Database button in the header:

FeatureDescription
Download BackupExport all your data as a JSON file
Restore from BackupUpload a previous backup to restore data

Backups include:

  • All scoped controls and their status
  • Evidence tracking configurations
  • Users and organisation settings
  • Assignments, comments, and tasks
  • Notification history
  • SCF catalog data (this is reference data provided by the platform)
  • System configuration (managed by the platform)

The platform version is displayed:

  • In the footer of each page
  • In the Database Health & Statistics popup
ComponentDescription
Platform VersionApplication version number
API VersionBackend API version
Catalog VersionSCF Controls Catalog version

ResourcePurpose
This DocumentationSelf-service help and guides
In-App SupportContact support from within the platform
Email Supportsupport@scfcontrolsplatform.com

When reporting issues, include:

  • Browser type and version
  • Steps to reproduce the problem
  • Any error messages shown
  • Screenshots if applicable