Security testing
To ensure that our platform is built and operates securely, we engage with a third-party security firm to run penetration tests on a regular basis. The results of those tests are carefully analyzed, and any required fixes or improvements are prioritized on our roadmap.
In addition to regular penetration testing, monthly automated vulnerability scans are run against our infrastructure. Further, our code repository is scanned on each code change for vulnerable dependencies. With these measures in place, we discover and act on misconfigurations or vulnerable dependencies extremely quickly.
Our Software Development Life Cycle Policy describes in detail the steps we take to ensure that changes in the Spot service follow strict guidelines regarding security analysis, implementation, and testing.
We're happy to share our latest reports as well as our policies on these topics. Please contact us at [email protected].
Hosting, ISO 27001, SOC 1, and SOC 2
Spot takes advantage of the scalable infrastructure of AWS (Amazon Web Services), allowing us to achieve high uptime and reliability and to ensure that your data is secure.
Our servers are located in Europe (Ireland, London, Paris). The infrastructure provided by AWS is ISO 27001, SOC 1, and SOC 2 certified.
Physical access to the data center is strictly controlled both at the perimeter and at building ingress points by professional security staff, using video surveillance, state-of-the-art intrusion detection systems, biometric locks, and other electronic means.
For more compliance information on the AWS infrastructure on which Spot runs, you can visit AWS Security and AWS Compliance.
Data storage and removal
To minimize the chances of your information being hacked or stolen, we only store data when absolutely necessary. Conversations with Spot remain private until the reporter decides to submit the report they create.
Our Data Retention Policy and Access Control Policy (both available on request) clearly outline what happens with our customers' data and the measures we take to ensure that data is stored securely.
Spot has hourly automated backups, which are retained for 7 days. All backups are stored on encrypted storage, with access limited to key people on the Spot team.
Log data is stored for 90 days, but it doesn’t contain any personal data.
Backups are located where our servers are hosted: AWS’s EU-West 1 location (Ireland, London, Paris).
Compliance
We have a range of policies regarding information security. We're happy to share any policies and our latest reports on penetration testing and vulnerability scanning with you. Please contact us at [email protected].
Spot is fully GDPR compliant and CCPA compliant. We also have legal counsel who specialize in these areas.
Spot has completed the Cloud Security Alliance's STAR Level 1 assessment. See our CSA STAR listing.
Subprocessors
We carefully vet each subprocessor and regularly re-evaluate whether our chosen subprocessors are the right fit for Spot's business. The security of our subprocessors is of the utmost importance to us.
Currently Spot uses the following subprocessors:
AWS Security
AWS Compliance
SendGrid Security
Cloudflare Compliance
Zendesk Security
Sentry Security & Compliance
Vulnerability disclosure
Spot follows industry best practices and works to maintain a responsible disclosure policy. We appreciate community help in disclosing any issues to us in a responsible and ethical manner. We will work with individuals or organizations to resolve any such concerns or issues you may identify.
We ask anyone who discloses an issue to act in good faith towards our users' privacy and data during the disclosure. We do not take legal action against those who disclose security concerns and act in good faith; white hat researchers are always appreciated. Obviously, certain attack patterns such as (D)DoS are not considered white hat techniques.
To report any concerns about Spot security or privacy, or to make suggestions for improvements, email us at [email protected].