Security

Protecting customer data is a top priority at Sprig. You can trust us to keep your data secure and meet your compliance requirements.

Enterprise-level protection

Certifications

Sprig is SOC2 Type II certified. A report is available upon request.

Sprig has a certification for compliance with ISO/IEC 27001:2013. An independent body has audited our compliance with this standard and issued our ISO 27001:2013 certificate.

GDPR

GDPR & privacy compliance is critical for businesses to be able to function today. Sprig is GDPR and CCPA compliant, and also enables your business to choose your own compliance preferences.

Sprig complies with the EU/Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries/Switzerland.

Data & Network Security

Sprig uses Amazon Web Services (AWS) facilities in the USA to host its software. You can see Amazon’s compliance and security documents for more detailed information, including SOC 13 and ISO 27001.

Sprig’s servers are located within our own virtual private cloud (VPC), protected by restricted security groups. We ensure that only the minimal required communication occurs between servers.

Sprig conducts third-party network vulnerability scans annually.

Application Security

The web application architecture and implementation follow OWASP guidelines. They are built in Java using the Spring Security framework.

Sprig undergoes penetration tests twice per year. Results are available upon request.

Sprig supports SSO via SAML (Okta, OneLogin, Rippling), G Suite, Office 365, and Salesforce.

User passwords are salted and irreversibly hashed before being stored in our database. Audit logging lets administrators see when users last logged in and when they last changed their password.

Access to Sprig applications is logged, audited, and retained for at least one year.

Data Security

All connections to Sprig are encrypted using SSL/TLS. Attempts to connect over HTTP are redirected to HTTPS. We maintain an A+ grade on Qualys SSL Labs.

All customer data is encrypted at rest and in transit, and is purged from Sprig systems after contract termination.

System passwords are encrypted using AWS KMS. Access to them is restricted and is implemented through a VPN with Active Directory authentication.

Data is stored in industry-standard PostgreSQL, Elasticsearch, and MongoDB systems hosted on AWS and/or by the respective vendors.

Sprig’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Security Policies

Sprig conducts mandatory code reviews for all code changes, along with periodic, in-depth security reviews. Sprig’s testing and development environments are separated from its production environment.

Background screening is conducted for all new hires.

Every year, engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and Sprig security controls.

Sprig does not track PII.

Sprig maintains a formal response plan for significant incidents.

Trusted by the world’s most innovative companies

Reliable. Secure. Compliant.

You can find Sprig’s system availability details, scheduled maintenance, history of service events, and any relevant security incidents on its publicly available system status page. Sprig will provide SDK source code to enterprise partners.

Data security is a top priority for Sprig, and we believe that working with skilled security researchers helps identify weaknesses in any technology. If you believe you’ve found a security vulnerability in Sprig’s service, please notify us per our Responsible Disclosure Policy.

Your customer data is safe with us

We take security seriously.

Launch a Sprig in minutes. See insights within hours.

Create your free account to conduct interviews, test designs, and survey specific users within your product, on your website, and more.