Security Policy


SproutLoud maintains a SOC 2 attestation and undergoes an annual third-party audit to verify that its controls continue to meet prevailing data security standards and processes. This page provides an overview of SproutLoud's standard processes concerning compliance and data security, which may be updated from time to time at SproutLoud's reasonable discretion.

A copy of our most recent SOC 2 report is available to our Brand clients upon request.

For SproutLoud Clients on an Enterprise License who transfer data subject to the GDPR or CCPA, Protected Health Information, or sensitive PII, SproutLoud offers a Data Processing Agreement (DPA).

Any customer providing Protected Health Information must also enter into a Business Associate Agreement (BAA) with SproutLoud.

Customers providing PII that is subject to the CCPA or GDPR must sign a Data Processing Agreement.


Physical Infrastructure

The SproutLoud Engine is hosted on a combination of a private cloud at our co-location partner, 365 Data Centers, and Google Cloud Platform. Our data center partners continually manage risk and undergo recurring assessments to ensure compliance with industry standards.

SproutLoud requires that any cloud service partner hold, at a minimum, the following certifications and attestations:

  • ISO 27001 and ISO 27017
  • SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI DSS Level 1
  • HIPAA

SproutLoud requires that any co-location data center partner hold the following:

  • SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI DSS 3
  • HIPAA

For additional information see:

https://cloud.google.com/security/

https://www.365datacenters.com/data-centers/


Data Encryption

  • All connections from the browser to the Engine are encrypted in transit using TLS 1.2 or above; older protocol versions are not accepted.
  • All data is encrypted at rest.
  • SproutLoud application user passwords are stored as one-way hashes rather than with reversible encryption, so the original password cannot be recovered from the stored value.
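The following is an added illustration of what one-way password storage means in practice; it is example code written for this page, not SproutLoud's implementation, and the page does not state which hash function or work factor the Engine uses. PBKDF2-HMAC-SHA256 is used here only because it ships in the Python standard library, and the iteration count, salt length and record format are assumptions for the example.

```python
"""Illustrative one-way password storage (added example, not SproutLoud's code).

A stored password record must let the server check a login attempt without
ever being able to recover the password. A reversible cipher cannot do that:
whoever holds the key can decrypt every password. A salted, slow, one-way
key-derivation function can. PBKDF2-HMAC-SHA256 is used here only because it
is in the standard library; the parameters below are assumed for this example.
"""
import base64
import hashlib
import hmac
import os

SCHEME = "pbkdf2-sha256"
DEFAULT_ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record "scheme$iterations$salt$hash" (base64 fields).

    A fresh random salt per password means two users with the same password get
    different records, and precomputed (rainbow) tables are useless.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=KEY_BYTES)
    return "$".join([
        SCHEME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(record: str):
    """Split a record into (iterations, salt, digest); raises ValueError if malformed."""
    scheme, iters, salt_b64, hash_b64 = record.split("$")
    if scheme != SCHEME:
        raise ValueError("unsupported scheme")
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations, then compare in constant time."""
    try:
        iterations, salt, expected = _parse(record)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # compare_digest does not stop at the first differing byte, so response
    # timing cannot leak how much of the hash matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor than current policy.

    Because the hash is one-way, stored records cannot be upgraded in bulk; the
    server rehashes each user's password at their next successful login.
    """
    try:
        stored_iterations, _, _ = _parse(record)
    except ValueError:
        return True
    return stored_iterations < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

The record carries its own parameters, so the work factor can be raised later without invalidating existing logins: verify against the stored parameters, then rehash with the current ones when `needs_rehash` reports a weaker record.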

Vulnerability Management

We keep our systems up to date with the latest security patches and continuously monitor for new vulnerabilities through compliance and security mailing lists. This includes automatic scanning of our code repositories for vulnerable dependencies. Services are configured with tight network security constraints to further limit exposure. Both our data center partners and SproutLoud regularly conduct internal vulnerability assessments and patch the underlying systems.

Disaster Recovery

Upon request, SproutLoud can provide its formal disaster recovery plan.

Change Management Plan

New releases of the SproutLoud Engine are thoroughly reviewed and tested to ensure high availability and a reliable customer experience. Our team uses continuous integration and continuous delivery practices that include, but are not limited to, peer code reviews, automated static code analysis, merge requests, unit tests, integration tests, and end-to-end tests. This lets us detect issues automatically in our development environment before general availability.

Once a changeset is complete, it is manually peer reviewed by one or more members of the engineering team. The changeset is then evaluated and manually tested by our quality assurance team, who test the areas of expected impact, run regression tests, and further evaluate the user experience.

After a changeset is released, we continue to monitor application exceptions and logged exceptions. These exceptions are regularly reviewed and triaged for resolution. Performance impacts of the changeset are monitored through several monitoring services.

Employee Screening and Other Policies

As a condition of employment, all SproutLoud employees undergo pre-employment background checks and receive training during on-boarding and throughout their employment at least annually on company policies, security, privacy, and compliance topics.

Each employee is required to read and verify they understand the following policies:

  • Acceptable Encryption Policy
  • Acceptable Use Policy
  • Clean Desk Policy
  • Data Breach Response
  • Ethics Policy
  • Information Security Requirements
  • Password Construction Guidelines
  • Password Protection Policy
  • Security Policy
  • SproutLoud Data Classification Policy

Compliance

PCI Compliance

SproutLoud uses Stripe, a PCI-compliant payment processor, to encrypt and store credit card details. We use Stripe's client-side JavaScript integration, so card data is sent from the customer's browser directly to Stripe and is never stored on or transmitted through SproutLoud's infrastructure. More information on Stripe's commitment to security and compliance can be found here:

https://stripe.com/docs/security/stripe

GDPR Compliance

Customers affected by the GDPR are responsible for entering into a Data Processing Agreement with SproutLoud. SproutLoud understands the importance of incorporating the standards set out in the General Data Protection Regulation (GDPR) into our data practices, so that our customers, whether they are EU residents or businesses that use SproutLoud with European customers, can feel secure and confident in continuing to use SproutLoud.

Other Policies

Privacy Policy

Our current privacy policy can be found here:

https://sproutloud.com/legal/privacy

List Policy

Our current list policy can be found here:

https://sproutloud.com/legal/list-policy

Anti-Spam

Our current anti-spam policy can be found here:

https://sproutloud.com/legal/anti-spam