Security & Compliance

Spara is built to be enterprise-grade, so security and compliance are paramount to us.

What compliance frameworks does Spara conform to and audit?

Spara is SOC 2 Type II and GDPR compliant. Please visit our Trust Center for:

• Latest reports

• Company policies

• Subprocessor information and notification subscription

What is Spara's privacy policy?

Spara's privacy policy is available on our website at spara.co/privacy.

Where is Spara hosted?

We are hosted on Google Cloud, which is backed by the same infrastructure and security that Google uses for its own services.

Customer data is stored in U.S. data centers. Some data (HTML pages & assets) may be cached in other geographies by our CDN. Access to private content through our CDN is always validated through our application servers using a complex permissions system.

Google follows or even leads most of the industry's best-practices and is compliant with most major security standards and certifications.

Is customer data encrypted?

Yes, all customer data is encrypted at rest and in-transit via Cloudflare. At rest on Google Cloud Platform, using multiple layers of AES256-AES128.

How does Spara handle PII?

PII is only stored on our production database with strict RBAC. All data is anonymized before porting to lower environments.

How are users authenticated?

Spara supports SSO/SAML authentication as well as email/password authentication. In the case of email/password authentication Spara requires the password to be:

• At least 8 characters long.

• At least one uppercase character

• At least one lowercase character

• At least one number

• Not be a known compromised password

Are inactive user automatically logged out of Spara Platform?

Yes. By default, inactive users are logged out after 24 hours of inactivity. You can update this setting to any length of time in order to comply with your company's compliance mandate.