Our Commitment to Data Privacy and Security
At GoSprout, we highly value your data privacy and security. Below, we outline the steps we've taken to ensure privacy and security. This is not a legally binding document, and over time, parts of this statement may become inaccurate. For up-to-date summaries of our current privacy and security measures, please contact us at info@gosprout.app.
Data Privacy and Terms of Service
GoSprout's Terms of Service can be found here. The key parts of it, as it relates to privacy and security, are:
- GoSprout does not resell any data to third parties. Any use of the data is for the sole purpose of providing and enhancing the service.
- We take all reasonable measures to protect user data and conform to software security best practices, including use of encryption, firewalls, and limited access to production data.
Any use of GoSprout is governed by these terms of service. However, any contract we enter into can add to or supersede any other existing terms, at the discretion of the customer.
GDPR Readiness
The European Union General Data Protection Regulation (GDPR) is an important change in data privacy regulations which had a major influence on how technology companies can operate in the European Union. Since the GDPR regulations are among the most user-friendly in the world in terms of giving users control over what companies can do with their data, the regulations have become an important privacy and data-handling benchmark. Complying with regulations requires that companies provide users some important protections and functionality, like allowing users to delete their data from a system. GoSprout has the necessary capabilities to make it fully GDPR compliant.
Security
The Company maintains a formalized information security policy to comply with various regulatory and business requirements. This security policy protects all sensitive and confidential data stored, accessed, or transmitted by our software platform, including its applications, components, infrastructure, and underlying code.
The Company has designed a risk assessment program to assess the organization’s enterprise-level risk at least annually or upon significant changes to the environment. This program is designed to identify and assess threats to and vulnerabilities in systems and in service.
The Company takes responsibility for implementing appropriate technical and organizational safeguards to ensure the protection of sensitive information. Employees of the Company are required to read and accept the terms of a confidentiality agreement upon hire that states they are prohibited from disclosing any company data from the systems and system components to which they have access.
The Company maintains strict access control to restrict private information to privileged users. These users are required to abide by their assigned responsibilities related to their elevated access.
The Company has established a Data Handling, Retention, and Disposal Program to manage information in accordance with applicable laws, regulations, policies, and standards. This program establishes a formal data retention schedule and implements a data classification standard to ensure the confidential data is secured.
The Company retains sensitive and confidential data only for as long as necessary to fulfill its purposes unless otherwise required by law or to meet legal and client contractual obligations.
The Company segments its network to prevent direct or unauthorized connections between an external network and its information systems, in particular confidential data in cloud environments.
The Company maintains a vulnerability management program to ensure the confidentiality, integrity, and availability (CIA) of the organization’s information systems landscape, which includes all critical system resources. The program includes internal and external scans, penetration testing, and issue remediation for the purposes of identifying, detecting, classifying, prioritizing, remediating, validating, and continuously monitoring vulnerabilities.
The Company conducts independent third-party penetration tests at least annually on any systems with Confidential data or with a critical risk rating to identify security vulnerabilities.
Software Security
The GoSprout application is developed using the currently accepted best practices for applications dealing with sensitive information and deployed on the Internet for access by end-users and partners, including encryption and highly restricted access to the development, deployment, and data storage environments. This includes following the OWASP Top 10 recommendations for web application security. All user passwords are encrypted with the industry best-of-breed Bcrypt algorithm. GoSprout successfully passed all manual and automated audits and security scans of our application by a number of IT departments.
Infrastructure Security
GoSprout employs many best practices for securing networks and servers:
- All public traffic is encrypted using SSL/TLS with 256 bit encryption.
- GoSprout application and database servers are protected by multiple firewalls, with external WAN access as well as internal LAN restrictions.
- Server access is granted only to those employees who need it. GoSprout's platform itself maintains all access logs, and every action by every Application user is recorded.
- All servers run within a Virtual Private Network (Amazon Virtual Private Cloud), further isolating and securing servers.
Physical Security
GoSprout is hosted using Amazon Web Services (AWS). AWS data centers conform to the highest standards of physical security and processes and have achieved ISO 27001, ISO 9001, SOC 3 and other certifications. Please refer to the AWS security and compliance documentation at http://aws.amazon.com/security/ and http://aws.amazon.com/compliance/ for additional details.
Data Security
Users' data are automatically backed up at regular intervals to redundant backup storage. All data is maintained for a period of 5 years. GoSprout can provide a data dump or delete data as requested by the customer. Backups and snapshots are encrypted on disk.
- We host our services in the US-East data centers of Amazon.
- We build applications which are not susceptible to SQL injection.
- We test all data input for cross-site scripting (XSS) vulnerabilities.
- We create daily backups of all production data stored separately from application servers.
- Multiple code backups exist in the form of git repositories.
- Under extreme circumstances, should our production server become unavailable, we can bring up another server to production in a relatively short period of time.
Firewall
GoSprout applications are hosted on comprehensively firewalled servers. These firewalls default to disabling any unsupported access mechanism and are carefully configured to only allow access for known services. We build on top of the well-defined and implemented security policies of the AWS services we depend on.
Data Integrity and Disaster Recovery
GoSprout is architected for High Availability and 100% uptime. User data is backed up frequently. Recovery from backups is tested regularly and is in fact part of the normal server deployment process, ensuring that, even in the event of serious malfunctions (such as data center issues), service can be restored quickly.
Breach Notification
We deploy host intrusion detection to monitor our servers. We also look for our service providers to provide us timely notification of breaches and work with us. If a security breach occurs, we will work with our customers and users to notify them in a timely manner. GoSprout is covered for breaches under our Professional Liability insurance policy.
Personal Identifiable Information (PII)
At GoSprout, we prioritize the privacy and security of Personal Identifiable Information (PII) in line with industry best practices and compliance with global data protection regulations. Our PII controls framework is designed to ensure the integrity, confidentiality, and availability of personal data we handle.
Here is a summary of our core PII controls:
- Data Minimization and Purpose Limitation: We strictly collect only the PII necessary for apprenticeship management, ensuring data is not kept longer than needed.
- Access Controls: Access to PII is restricted to authorized personnel through secure, encrypted token-based authentication mechanisms. We employ role-based access controls (RBAC) to ensure individuals have access only to the data necessary for their job functions.
- Encryption and Data Masking: All PII stored by GoSprout is encrypted using the Blowfish encryption algorithm. Data masking techniques are applied to protect sensitive information during analytics and user experience monitoring.
- Anonymization: Wherever possible, we anonymize PII to eliminate or reduce privacy risks to individuals, ensuring data cannot be linked back to an identifiable person.
- Regular Security Audits: GoSprout conducts regular security audits and vulnerability assessments to identify and mitigate risks, ensuring continuous improvement of our PII controls.
- Incident Response and Notification: We have a comprehensive incident response plan to promptly address data breaches or unauthorized access. We monitor for these incidents through our monitoring platform, and the plan includes timely notification to affected parties and regulatory bodies as required.
- Employee Training: All employees receive regular training on data protection and privacy policies to reinforce the responsible handling of PII.
- Compliance with Privacy Laws: Our PII controls are designed to comply with applicable privacy laws and regulations, including CCPA, and others, ensuring we meet our legal and ethical obligations.
GoSprout is committed to maintaining the highest standards of privacy and security for our clients' data. Our dedicated team continuously monitors and updates our practices to address emerging threats and regulatory changes.