Security & Compliance
FAQ and resources on Spara security & compliance
Spara is built to be enterprise-grade, so security and compliance are paramount to us.
What compliance frameworks does Spara conform to and audit?
Spara is SOC 2 Type II compliant. Our latest report can be viewed here.
What are Spara's security and compliance policies?
Spara's security and compliance policies can be viewed here. This policy packet includes:
Human Resource Security Policy
Code of Conduct
Third-Party Management Policy
Risk Management Policy
Asset Management Policy
Data Management Policy
Cryptography Policy
Secure Development Policy
Access Control Policy
Business Continuity and Disaster Recovery Plan
Operations Security Policy
Physical Security Policy
Information Security Roles and Responsibilities
Information Security Policy (AUP)
Incident Response Plan
What is Spara's privacy policy?
Spara's privacy policy is available on our website here.
Where is Spara hosted?
We are hosted on Google Cloud, which is backed by the same infrastructure and security that Google uses for its own services.
Customer data is stored in U.S. data centers. Some data (HTML pages and static assets) may be cached in other geographies by our CDN. Requests for private content through the CDN are always authorized by our application servers against our permissions system before the content is served.
Google follows, and in many areas leads, industry best practices, and Google Cloud holds most major security certifications and attestations.
Is customer data encrypted?
Yes. All customer data is encrypted in transit (TLS, with Cloudflare in front of our services) and at rest. Data at rest on Google Cloud Platform is protected by Google's default encryption at rest, which encrypts stored data with AES-256 (AES-128 for some older storage) and wraps the data keys in multiple layers of key-management keys.
How does Spara handle PII?
PII is stored only in our production database, with strict role-based access control (RBAC). All data is anonymized before it is copied to lower (non-production) environments.
Spara will delete any customer's PII within 60 days of contract termination.
How are users authenticated?
Spara supports SSO (SAML) authentication as well as email/password authentication. For email/password authentication, Spara requires the password to:
be at least 8 characters long
contain at least one uppercase letter
contain at least one lowercase letter
contain at least one number
not be a known compromised password
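The following is an added example of how such a password policy can be enforced, including the compromised-password check; it is not Spara's code and makes no claim about how Spara implements the check. The set of breached passwords is constructed inline, and the `range_lookup` function is a stand-in for a k-anonymity "range" query (the model used by the Have I Been Pwned Pwned Passwords API), in which only the first five hex characters of the password's SHA-1 hash leave the client and the full hash is compared locally.

```python
import hashlib

# Constructed list of "breached" passwords standing in for a real breach corpus.
_CONSTRUCTED_BREACHED = ["Password1", "Welcome123", "Summer2024"]


def _build_range_table(plaintexts):
    """Index SHA-1 hashes by their 5-hex-char prefix, the way a range API does."""
    table = {}
    for pw in plaintexts:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        # Store (suffix, breach_count); count 1000 is a constructed value.
        table.setdefault(digest[:5], []).append((digest[5:], 1000))
    return table


RANGE_TABLE = _build_range_table(_CONSTRUCTED_BREACHED)


def range_lookup(prefix):
    """Stand-in for GET /range/{prefix}: every (suffix, count) sharing the prefix.

    In a real deployment this would be an HTTPS call to the breach service;
    here it is an offline lookup against the constructed table.
    """
    return RANGE_TABLE.get(prefix.upper(), [])


def is_compromised(password, lookup=range_lookup):
    """k-anonymity check: send only the hash prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in lookup(prefix):
        if candidate_suffix == suffix:
            return count > 0
    return False


def validate_password(password, lookup=range_lookup):
    """Return the list of policy requirements the password fails.

    An empty list means the password satisfies every rule. Each rule is
    evaluated independently so the user sees all failures at once.
    """
    failures = []
    if len(password) < 8:
        failures.append("at least 8 characters")
    if not any(c.isupper() for c in password):
        failures.append("at least one uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("at least one lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("at least one number")
    if is_compromised(password, lookup):
        failures.append("not a known compromised password")
    return failures


if __name__ == "__main__":
    for candidate in ["Password1", "short1A", "correct horse battery", "Tr0ub4dor&3xample"]:
        result = validate_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else 'fails ' + ', '.join(result)}")
```

The compromised-password rule is the only one that needs external data; keeping it behind a `lookup` parameter lets the same validator run against a live range API in production and against the constructed table in tests, and the prefix-only query means the service never learns the full hash, let alone the password.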