Security
Protecting customer data is a top priority at Sprig. You can trust us to keep your data secure and meet your compliance requirements.
Enterprise-level protection
Sprig has completed a SOC 2 Type II audit.
An independent auditor has examined our controls against this standard and issued our report, which is available on request.
Privacy compliance is a precondition for doing business today. Sprig is GDPR and CCPA compliant, and lets your business choose its own compliance preferences.
Sprig complies with the EU/Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland.
Sprig hosts its software in Amazon Web Services (AWS) facilities in the USA. See Amazon's compliance and security documentation for details, including its SOC 1, SOC 2 and SOC 3 reports and ISO 27001 certification.
Sprig’s servers are located within our own virtual private cloud (VPC), protected by restricted security groups. We ensure that only the minimal required communication occurs between servers.
Sprig conducts third-party network vulnerability scans annually.
The web application architecture and implementation follow OWASP guidelines. The applications are built in Java using the Spring Security framework.
Sprig undergoes penetration tests twice a year. Results are available upon request.
Sprig supports SSO via SAML (Okta, OneLogin, Rippling) as well as G Suite, Office 365 and Salesforce.
User passwords are salted, irreversibly hashed, and stored in our database. Audit logging lets administrators see when users last logged in or when they last changed their password.
Access to Sprig applications is logged, audited, and retained for at least one year.
All connections to Sprig are encrypted using TLS. Attempts to connect over plain HTTP are redirected to HTTPS. We maintain an A+ grade on the Qualys SSL Labs test.
All customer data is encrypted at rest and in transit, and is purged from Sprig systems after contract termination.
System passwords are encrypted using AWS KMS. Access to them is restricted and requires a VPN connection with Active Directory authentication.
Data is stored in industry-standard PostgreSQL, Elasticsearch and MongoDB systems hosted on AWS and/or by the respective vendors.
Sprig's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Sprig requires code review for every code change and conducts periodic in-depth security reviews. Sprig's testing and development environments are separated from its production environment.
Background screening is conducted for all new hires.
Every year, engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and Sprig security controls.
Sprig does not track PII.
Sprig maintains a formal response plan for significant incidents.
Reliable. Secure. Compliant.
Sprig's system availability, scheduled maintenance, history of service events, and any relevant security incidents are published on its public system status page. Sprig will provide SDK source code to enterprise partners.
Data security is a top priority for Sprig, and we believe that working with skilled security researchers helps identify weaknesses in any technology. If you believe you have found a security vulnerability in Sprig's service, please notify us.