Data storage
Sprintlio is hosted by an industry leader in on-demand cloud computing. Our data centers feature 24/7 manned security, video surveillance, multi-factor authentication locks, and biometric access control. Each data center is accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1, FISMA Moderate and Sarbanes-Oxley (SOX).
Hosted in the USA
Sprintlio exclusively uses data centers located in the United States. For security reasons, we do not publicly disclose the specific locations of our data centers. Our data centers are specifically selected for their ideal geographic assessments to mitigate environmental risks such as flooding, extreme weather, and seismic activity.
High availability
Sprintlio services use properly-provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in the case of failure. As part of regular maintenance, servers are taken out of operation without impacting availability.
Securely backed up
Sprintlio keeps encrypted backups of data. In the case of production data loss, while unexpected, we will restore organizational data from these backups. Sprintlio captures a full backup of customer data every 24 hours. Backups are maintained for 7 days, after which point they and all the data contained therein are securely destroyed. All backups are encrypted prior to storage.
Comprehensive logging
We keep comprehensive transactional logs of actions in the system that we monitor to prevent unauthorized access. For security reasons, we do not publicly disclose which vendors we use for logging and error tracing.
Data we collect
To learn more about the data we collect, please see section 3 of our privacy policy.
Platform security
Sprintlio is hosted on by a world-renowned cloud-based application hosting platform. All requests on the platform are logged and indexed, and include originating IP information. All connections to the platform default to using TLS. Certificates use RSA keys with a 2048-bit modulus and SHA-256.
Security monitoring
Sprintlio uses security monitoring solutions to maintain visibility into our application security, identify attacks and respond quickly to a data breach. Sprintlio uses technologies to monitor exceptions, logs and detect anomalies in the application. Sprintlio collects and stores logs to provide an audit trail of our applications activity. Security events are logged and notifications are sent in case of critical attacks to allow for fast remediation.
Encryption
Sprintlio uses industry standards of HTTPS, 256-bit SSL, AES, with all databases encrypted at REST. Additionally, for credentials, all secrets are stored in an encrypted database that has restricted access. Network communications cannot be viewed or accessed by third parties. We use the same type and degree of encryption as financial institutions.
Authentication
All authentication functions for Sprintlio or made within the Sprintlio website are captured and stored securely by Auth0 following international OAuth standards. Auth0 scored A+ on Qualsys’ SSL Labs’ server test for their comprehensive encryption practices. Auth0 never stores passwords as clear text - they are always hashed (and salted) securely using bcrypt. Both data at rest and in motion are encrypted. Additionally, all network communication uses TLS with at least 128-bit AES encryption. The connection uses TLS v1.2, and it is encrypted and authenticated using AES128GCM and uses ECDHE_RSA as the key exchange mechanism. Auth0 is built on tested, verified identity standards including LDAP, SAML, OAuth, OpenID, OpenID Connect, and JSON Web Tokens (JWTs). Learn more about Auth0 security and privacy.
Single Sign On (SSO)
Users also have the option of authenticating via Single Sign On (SSO) to extend their internal verification processes to Sprintlio. We aggressively monitor linked accounts and will disable them with any reasonable sign that the account’s access has been revoked. SSO also improves the user experience by streamlining login processes and improving access from trusted domains. If there is an SSO option you’d prefer to use for your company, please contact [email protected] with the request.
User verification
Sprintlio requires email verification during account creation and password resets. Users are required to verify ownership of the email address they provide via a link provided in an automated email from Sprintlio. All users must be authenticated prior to gaining any access to Sprintlio’s services.
Password protection
Per the Authentication section above, all Sprintlio authentication functions are captured and stored securely by Auth0. Auth0 scored A+ on Qualsys’ SSL Labs’ server test for their comprehensive encryption practices. Learn more about Auth0 security and privacy.
Secure payments
All subscriptions and payments for Sprintlio or made within the Sprintlio website are captured and stored securely by Stripe. Stripe has been audited by a PCI-certified author and was categorized as having the most stringent level of certification available in the payments industry: PCI Service Provider Level 1. Additionally, Stripe forces HTTPS for all services using TLS (SSL) and encrypts all card numbers on disk with AES-256 with decryption keys stored on separate machines. Learn more about Stripe security and privacy.
Secure development
Sprintlio developers use industry-standard security best practices and frameworks (OWASP Top 10, SANS Top 25) to ensure the highest level of security in our software. Our developers participate in regular security training to learn about common vulnerabilities and threats. Our developers review our code for security vulnerabilities. Our developers regularly update our dependencies and make sure none of them has known vulnerabilities. Our developers use Static Application Security Testing (SAST) to detect basic security vulnerabilities in our codebase. Our developers use Dynamic Application Security Testing (DAST) to scan our applications. Sprintlio uses additional security monitoring solutions to more efficiently remediate vulnerabilities that were triggered by security tests, audits, and more which also notify of application components with known vulnerabilities are used in production (dependencies).
Access to your data
Your business’ data remains private to you and is only accessible to those you choose to share it with. In limited circumstances including where required by law or for technical support, specific Sprintlio personnel are able to access live or backup data, production systems, or information security systems. Full details can be found in the Sprintlio Privacy Policy.
Security headers
Sprintlio uses security headers to protect our users from attacks. You can check our app's grade on SecurityHeaders.io.
Risk assessment
We perform periodic risk assessments to identify any possible security or system vulnerabilities, and similar to penetration testing, we resolve all high priority and critical issues within a maximum of 7 business days.
Downtime reporting
In the uncommon event of planned downtime, customers will be notified by email at least 24 hours in advance. The platform mitigates the need for downtime or common system upgrades that require outages.
Disaster recovery
Sprintlio keeps encrypted backups of data. In the case of production data loss, while unexpected, we will restore organizational data from these backups. Sprintlio captures a full backup of customer data every 24 hours which is encrypted prior to storage. Backups are maintained for 7 days, after which point they and all the data contained therein are securely destroyed. The Sprintlio team is alerted in case of a failure with this system.
Incident management
Suspected security or privacy incidents via technical, physical, or logical means should be immediately reported to [email protected] for ticketing and resolution management.
Security Testing
We seek out and proactively address vulnerabilities and exposures in Sprintlio's code and dependencies through automated tools, peer-review, scheduled vulnerability evaluations, and more. We do not have a public bug bounty program. As a user, if you would like to report a vulnerability, or have any security concerns with a Sprintlio product, please e-mail [email protected]. Please include a proof of concept, the tools used (including versions), and tool output when reporting. We take all disclosures very seriously and will do our best to respond and verify the vulnerability before taking the necessary steps to fix it. After our initial reply to your disclosure, which should be directly after receiving it, we will periodically update you with the status of the fix.
General Data Protection Regulation (GDPR)
We’re compliant to the General Data Protection Regulation (GDPR). The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Contact us for more details on how we comply to GDPR.
Secure coding
Sprintlio practices continuous delivery. This means that all code changes are committed, tested, shipped, and iterated on in a rapid sequence. Our continuous delivery methodology, complemented by continuous integration, and automated error tracking, largely decrease the likelihood of security issues and improve the internal response time to, and the effective eradication of bugs and vulnerabilities.