Security

Sprintlio is built with state of the art security to protect your business, team, and data.

Data

Data storage

Sprintlio is hosted on Amazon Web Services (AWS), a comprehensive, evolving cloud computing platform provided by Amazon. Our data centers feature 24/7 manned security, video surveillance, multi-factor authentication locks, and biometric access control. Each data center is accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1, FISMA Moderate and Sarbanes-Oxley (SOX). Learn more about Amazon Web Services (AWS) security and privacy.

Hosted in the USA

Sprintlio exclusively uses data centers located in the United States. For security reasons, we do not publicly disclose the specific locations of our data centers. Our data centers are selected on the basis of geographic risk assessments to mitigate environmental risks such as flooding, extreme weather, and seismic activity.

High availability

Sprintlio services run on properly provisioned, redundant servers (e.g., multiple load balancers, web servers, and replica databases) so that service continues in the event of a failure. As part of regular maintenance, servers are taken out of operation without impacting availability.

Securely backed up

Sprintlio keeps encrypted backups of data on Amazon Web Services (AWS). In the unlikely event of production data loss, we will restore organizational data from these backups. Sprintlio captures a full backup of customer data every 24 hours. Backups are maintained for 7 days, after which point they and all the data contained therein are securely destroyed. All backups are encrypted prior to storage.

Comprehensive logging

We keep comprehensive transactional logs of actions in the system that we monitor to prevent unauthorized access. For security reasons, we do not publicly disclose which vendors we use for logging and error tracing.

Application

Platform security

Sprintlio is hosted on the Pivotal Web Services (“PWS”) platform, a cloud-based application hosting platform managed and operated by Pivotal and hosted on Amazon Web Services (“AWS”) in the United States. PWS is a hosted version of the open source Cloud Foundry platform-as-a-service software. All requests to the PWS platform are logged and indexed, including originating IP information. All connections to the PWS platform default to TLS. Certificates use RSA keys with a 2048-bit modulus and SHA-256. Learn more about Pivotal Web Services security and privacy.

Encryption

Sprintlio uses industry-standard HTTPS (256-bit SSL/TLS) and AES, with all databases encrypted at rest. Additionally, all credentials and secrets are stored in an encrypted database with restricted access. Network communications cannot be viewed or accessed by third parties. We use the same type and degree of encryption as financial institutions.

Authentication

All authentication functions for Sprintlio, including those performed within the Sprintlio website, are handled and stored securely by Auth0 following international OAuth standards. Auth0 scored A+ on Qualys’ SSL Labs server test for its comprehensive encryption practices. Auth0 never stores passwords as clear text; they are always hashed (and salted) securely using bcrypt. Data is encrypted both at rest and in transit. Additionally, all network communication uses TLS with at least 128-bit AES encryption. The connection uses TLS v1.2, is encrypted and authenticated using AES128-GCM, and uses ECDHE_RSA as the key exchange mechanism. Auth0 is built on tested, verified identity standards including LDAP, SAML, OAuth, OpenID, OpenID Connect, and JSON Web Tokens (JWTs). Learn more about Auth0 security and privacy.

Single Sign On (SSO)

Users also have the option of authenticating via Single Sign On (SSO) to extend their internal verification processes to Sprintlio. We aggressively monitor linked accounts and will disable them upon any reasonable indication that the account’s access has been revoked. SSO also improves the user experience by streamlining login processes and improving access from trusted domains. If there is an SSO option you’d prefer to use for your company, please contact [email protected] with the request.

User verification

Sprintlio requires email verification during account creation and password resets. Users are required to verify ownership of the email address they provide via a link provided in an automated email from Sprintlio. All users must be authenticated prior to gaining any access to Sprintlio’s services.

Password protection

Per the Authentication section above, all Sprintlio authentication functions are handled and stored securely by Auth0. Auth0 scored A+ on Qualys’ SSL Labs server test for its comprehensive encryption practices. Learn more about Auth0 security and privacy.

Secure payments

All subscriptions and payments for Sprintlio, including those made within the Sprintlio website, are captured and stored securely by Stripe. Stripe has been audited by a PCI-certified auditor and was categorized as having the most stringent level of certification available in the payments industry: PCI Service Provider Level 1. Additionally, Stripe forces HTTPS for all services using TLS (SSL) and encrypts all card numbers on disk with AES-256, with decryption keys stored on separate machines. Learn more about Stripe security and privacy.

Infrastructure

Access to your data

Your business’ data remains private to you and is only accessible to those you choose to share it with. In limited circumstances including where required by law or for technical support, specific Sprintlio personnel are able to access live or backup data, production systems, or information security systems. Full details can be found in the Sprintlio Privacy Policy.

Risk assessment

We perform periodic risk assessments to identify any possible security or system vulnerabilities, and, as with penetration testing findings, we resolve all high priority and critical issues within a maximum of 7 business days.

Downtime reporting

In the uncommon event of planned downtime, customers will be notified by email at least 24 hours in advance. The platform is designed to avoid downtime for common system upgrades that would otherwise require outages.

Incident management

Suspected security or privacy incidents, whether through technical, physical, or logical means, should be reported immediately to [email protected] for ticketing and resolution management.

Corporate

General Data Protection Regulation (GDPR)

We’re compliant with the General Data Protection Regulation (GDPR). The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Contact us for more details on how we comply with GDPR.

Secure coding

Sprintlio practices continuous delivery. This means that all code changes are committed, tested, shipped, and iterated on in rapid sequence. Our continuous delivery methodology, complemented by continuous integration and automated error tracking, substantially decreases the likelihood of security issues and improves both the internal response time to, and the effective eradication of, bugs and vulnerabilities.

Copyright Sprintlio Inc. 2019. All rights reserved.