Our customers ask us about SparkPost’s security posture on a routine basis. As a general rule we don’t want to expose detailed information about our security program because we don’t want to provide intelligence to bad actors. However, we realize information security is imperative and our customers need to know that we are employing a security program to protect their information. To this end, we have outlined at a high level the measures we take to protect our customer’s data.
SparkPost is SSAE-16 SOC II Type 2 Certified. We have certified both our cloud and corporate environments. In our effort to constantly improve our security posture, we are now turning our attention to ISO 27001 and beginning the process to secure this next level of assessment and certification.
Data Center Security
- We leverage Amazon Web Services (AWS) to provide infrastructure services to host our environment.
- By using AWS, SparkPost is able to take advantage of their sophisticated security environment, logging, identity and intrusion protection systems and focus on our software and your data.
- AWS has a robust DDOS team constantly monitoring their data centers.
- SparkPost utilizes an exercised Business Continuity and Disaster Recovery Plan to ensure your data and business continue in the event of a natural disaster.
Application Level Security
- We allow customers to use two-factor authentication (2FA), passwords, and SAML to manage access to their account.
- SparkPost routinely scans its applications for vulnerabilities and security issues and we promptly remediate any issues we find.
- SparkPost encrypts with SSL, HTTPS, and TLS.
- We manage to OWASP and CERT vulnerability standards.
- We use a third party to conduct internal and external penetration testing to validate our perimeter and internal defensive posture annually.
Culture of Security
- We have a VP of Compliance and IT Security with over 20 years of experience in enterprise-level information security. You can read all about him here. He has a team of security engineers whose full-time job is to keep SparkPost secure.
- We a have security policy for securing the integrity, confidentiality, and availability of customer data and protecting customer data against any unauthorized or unlawful acquisition, access, use, disclosure, or destruction.
- All of our employees with access to confidential information or customer data are required to read and acknowledge our security policy.
- We conduct annual security awareness training and quarterly threat briefings to ensure our team is aware of the latest attack trends.
- We conduct annual background checks on all of our employees.
- Our security team is involved throughout our development and operations processes and cycles to ensure we bake security into the product and environment.
- Our offices are kept secure at all times.
About bug bounties and vulnerability disclosures
SparkPost appreciates security researchers contacting SparkPost to disclose any vulnerability or misconfiguration found on SparkPost owned infrastructure and/or services. SparkPost however does not reactively engage with these individuals, especially in the case they are testing SparkPost owned infrastructure and/or services without permission and with the aim to obtain any kind of recognition and/or compensation for such disclosure(s).
We want to ensure we’re sending email people want to receive. Therefore, we have a dedicated team to ensure we’re on the cutting edge of compliance and delivery. If we see accounts with signs of suspicious activity, we take immediate action. While we work hard to keep spam out of our system, if you see any spam being delivered from our platform, please contact us here.
Investing in Your Privacy
- Our General Counsel and Data Protection Officer works with our developers to make sure our services comply with applicable international spam and privacy laws.
- SparkPost is GDPR-ready and Privacy Shield certified.
- We retain a leading international law firm to advise us on EU privacy issues, practices, and policies.
- We never sell your recipient email addresses.
SparkPost has established a comprehensive insurance program that works in conjunction with our security program. This program has been designed to provide coverage for a wide variety of business, technology and security issues and SparkPost only works with highly reputable and highly rated insurance carriers.
v1.0 April 2, 2018