Sprintlio is hosted on Amazon Web Services (AWS), a comprehensive, evolving cloud computing platform provided by Amazon. Our data centers feature 24/7 manned security, video surveillance, multi-factor authentication locks, and biometric access control. Each data center is accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1, FISMA Moderate and Sarbanes-Oxley (SOX). Learn more about Amazon Web Services (AWS) security and privacy.
Hosted in the USA
Sprintlio exclusively uses data centers located in the United States. For security reasons, we do not publicly disclose the specific locations of our data centers. Our data centers are selected on the basis of geographic risk assessments to mitigate environmental risks such as flooding, extreme weather, and seismic activity. All third-party services that support Sprintlio also base their data in the United States.
Sprintlio services use properly provisioned, redundant servers (e.g., multiple load balancers, web servers, and replica databases) so that the failure of any one component does not cause an outage. As part of regular maintenance, servers are taken out of operation without impacting availability.
Securely backed up
Sprintlio keeps encrypted backups of data on Amazon Web Services (AWS). In the unexpected event of production data loss, we will restore organizational data from these backups. Sprintlio captures a full backup of customer data every 24 hours. Backups are retained for 7 days, after which point they and all the data contained therein are securely destroyed. All backups are encrypted prior to storage.
We keep comprehensive transactional logs of every action on the system that we monitor to prevent unauthorized access. For security reasons, we do not publicly disclose which vendors we use for logging and error tracing.
Sprintlio is hosted on the Pivotal Web Services (“PWS”) platform, a cloud-based application hosting platform managed and operated by Pivotal and hosted on Amazon Web Services (“AWS”) in the United States. PWS is a hosted version of the open source Cloud Foundry platform-as-a-service software. All requests to the PWS platform are logged and indexed, and include originating IP information. All connections to the PWS platform default to using TLS. Certificates use RSA keys with a 2048-bit modulus and SHA-256. Learn more about Pivotal Web Services security and privacy.
Sprintlio uses industry-standard HTTPS with 256-bit SSL/TLS and AES, and all databases are encrypted at rest. Additionally, all credentials and secrets are stored in an encrypted database with restricted access. Network communications cannot be viewed or accessed by third parties. We use the same type and degree of encryption as financial institutions.
All authentication functions for Sprintlio or made within the Sprintlio website are captured and stored securely by Auth0 following international OAuth standards. Auth0 scored A+ on Qualys’ SSL Labs server test for their comprehensive encryption practices. Auth0 never stores passwords as clear text; they are always hashed (and salted) securely using bcrypt. Both data at rest and data in motion are encrypted. Additionally, all network communication uses TLS with at least 128-bit AES encryption. The connection uses TLS v1.2, and it is encrypted and authenticated using AES128GCM and uses ECDHE_RSA as the key exchange mechanism. Auth0 is built on tested, verified identity standards including LDAP, SAML, OAuth, OpenID, OpenID Connect, and JSON Web Tokens (JWTs). Learn more about Auth0 security and privacy.
Single Sign On (SSO)
Users also have the option of authenticating via Single Sign On (SSO) to extend their internal verification processes to Sprintlio. We aggressively monitor linked accounts and will disable them at any reasonable sign that the account’s access has been revoked. SSO also improves the user experience by streamlining login processes and improving access from trusted domains. If there is an SSO option you’d prefer to use for your company, please contact [email protected] with the request.
Sprintlio requires email verification during account creation and password resets. Users are required to verify ownership of the email address they provide via a link provided in an automated email from Sprintlio. All users must be authenticated prior to gaining any access to Sprintlio’s services.
Per the Authentication section above, all Sprintlio authentication functions are captured and stored securely by Auth0. Auth0 scored A+ on Qualys’ SSL Labs server test for their comprehensive encryption practices. Learn more about Auth0 security and privacy.
All subscriptions and payments for Sprintlio or made within the Sprintlio website are captured and stored securely by Stripe. Stripe has been audited by a PCI-certified auditor and was categorized as having the most stringent level of certification available in the payments industry: PCI Service Provider Level 1. Additionally, Stripe forces HTTPS for all services using TLS (SSL) and encrypts all card numbers on disk with AES-256, with decryption keys stored on separate machines. Learn more about Stripe security and privacy.
Access to your data
We commission periodic independent third-party penetration testing to evaluate the security of the Sprintlio platform. Information about any security vulnerabilities successfully exploited during penetration testing is used to set mitigation and remediation priorities. All high and critical issues are resolved within a maximum of 7 business days.
We commission annual risk assessments to identify any possible security or system vulnerabilities, and, as with penetration testing, we resolve all high-priority and critical issues within a maximum of 7 business days.
In the uncommon event of downtime, customers will be notified by email at least 24 hours in advance. The platform minimizes the need for downtime, so routine system upgrades do not require outages.
Suspected security or privacy incidents via technical, physical, or logical means should be immediately reported to [email protected] for ticketing and resolution management. Sprintlio also maintains a group of specialists on retainer to assist in the event of any intrusions, breaches, DDoS attacks, or other issues.
General Data Protection Regulation (GDPR)
We’re compliant with the General Data Protection Regulation (GDPR). The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Contact us for more details on how we comply with GDPR.
All Sprintlio employees undergo comprehensive background checks by an independent third party prior to receiving their offer. Additionally, management performs reference checks on all applicants prior to employment. Upon termination, management immediately revokes production server connection privileges and rotates all relevant credentials accordingly.
Sprintlio practices continuous delivery. This means that all code changes are committed, tested, shipped, and iterated on in rapid sequence. Our continuous delivery methodology, complemented by continuous integration and automated error tracking, greatly decreases the likelihood of security issues and improves our internal response time to, and effective eradication of, bugs and vulnerabilities.
All new employees receive onboarding and systems training with respect to environment and permissions setup, formal software development training, security policies review, company policies review, and corporate values and ethics.