Sprig uses Amazon Web Services (AWS) facilities in the USA to hosts its software. You can see Amazon’s compliance and security documents for additional details, including SOC 13 and ISO 27001.
Sprig’s servers are located within our own virtual private cloud (VPC) and protected by restricted security groups. Only the minimal required communication occurs between servers.
Sprig conducts third-party network vulnerability scans annually.
Sprig conducts mandatory code reviews for all code changes and periodic and in-depth security reviews. Sprig's testing and development environments are separated from its production environment.
Every year, Sprig’s engineers and developers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and Sprig’s own security controls.
Sprig maintains a formal response plan for significant incidents.
The web application architecture and implementation follow OWASP guidelines.
Sprig undergoes third-party penetration testing annually to identify any application vulnerabilities. Results are available upon request.
User passwords are salted, irreversibly hashed, and stored in our database. Audit logging lets admins see when users last logged in or changed their password.
User access to Sprig applications are logged, audited, and kept for at least one year.
All connections to Sprig are encrypted using SSL.Attempts to connect over HTTP is redirected to HTTPS.
System passwords are encrypted using AWS KMS. Access is restricted and implemented using VPN with Active Directory authentication.
Sprig uses industry-standard data storage systems such as AWS Aurora, ClickHouse, Dynamo DB, etc., which are hosted by AWS and/or by their respective vendor.
Information received via Google APIs adheres to Google API Services User Data Policy and Limited Use rules.