Sparkcentral Security Practices
Last updated: April 21, 2021
Sparkcentral has an established security program that maintains organizational and technical controls to ensure the Confidentiality, Integrity and Availability of its customer data and systems. These measures take into account the sensitivity of the information Sparkcentral collects, processes and stores; the current state of technology; the costs of implementation; and the nature, scope, context, and purposes of the data processing Sparkcentral engages in.
Where used in this Security Practices document, “Sparkcentral Services” means the Sparkcentral Services as set out in the Sparkcentral terms of service (the “Agreement”). Capitalized terms not defined in this document have the meanings given to them in the Agreement.
Sparkcentral maintains appropriate controls to restrict its employees’ access to the Customer Content that you and your Authorized Users make available via the Sparkcentral Services, and to prevent access to Customer Content by anyone who should not have access to it.
All of Sparkcentral’s employees are bound by Sparkcentral policies regarding the confidential treatment of Customer Content.
Human Resource Security
Sparkcentral employees receive security and privacy training during onboarding and on an ongoing basis. Employees are required to review information security policies covering the confidentiality, integrity, availability and resilience of the systems and services Sparkcentral uses in the delivery of the Sparkcentral Services.
Cyber Security Certifications & Attestations
Sparkcentral provides independent validation of the existence and maturity of its cyber security program through:
ISO/IEC 27001:2013 Certification
ISO 27001 is an international standard on how to manage information security. ISO 27001 covers the legal, physical, technical, organisational and logical aspects of information security practices. It is concerned with the storage of data, its treatment, and the processes and policies in place to keep it protected. As part of this certification, Sparkcentral is audited annually to provide independent assurance into the adequacy of our ISO security controls.
Sparkcentral takes a risk-based approach to handling information security designed to ensure the relevance of our security controls and practices to our business and customers.
SOC2 (Service Organization Control) Report
Sparkcentral undergoes a SOC 2 audit annually, which is performed by an independent third-party auditor. A copy of Sparkcentral’s most recent report is available upon request for existing Enterprise customers or for prospective Enterprise customers who agree to hold the report in confidence under a non-disclosure agreement.
All access into the production Sparkcentral system environment is explicitly provisioned through an authorization process. This includes access to firewalls, routers, network switches, and operating systems.
Access to the systems used by Sparkcentral employees and contract personnel is controlled by multi-factor authentication. This provides a critical layer of defense against brute force attempts at guessing passwords.
Multi-factor authentication is also available to Sparkcentral customers to authenticate to the Sparkcentral application.
Sparkcentral has implemented single sign-on (SSO) for critical systems to ensure greater and more centralized access control to the systems used by Sparkcentral employees and contract personnel.
Application audit logs of user configuration activity are generated and are accessible from within the platform. In addition, Sparkcentral records security logs in its backend systems.
Sparkcentral enforces the security of data in transit through TLS 1.2 for all traffic on its website and all its APIs, while balancing the need for compatibility with older clients.
Customer Content is also encrypted at rest, where appropriate and having regard to the nature of the content and associated risks.
Sparkcentral monitors the changing cryptographic landscape closely and makes commercially reasonable efforts to upgrade the Sparkcentral Services to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve.
Backups, Availability & Disaster Recovery
Sparkcentral has a Business Continuity & Disaster Recovery Plan.
Sparkcentral’s infrastructure is hosted on the AWS (Amazon Web Services) platform and as such runs on systems that are fault tolerant. By virtue of AWS’s distribution across multiple Availability Zones (AZ), there is built-in resilience in the hosted platform to protect against failures in a single physical location.
In addition, Sparkcentral has backup and restoration procedures to allow recovery from a major disaster.
Sparkcentral has incorporated strong protections for its corporate end-point environment through the use of best-of-breed EDR (End-Point Detection & Response) software.
In addition to system monitoring and logging, Sparkcentral has implemented firewalls that are configured according to industry best practices, and ports not utilized for delivery of the Sparkcentral Services are blocked by configuration with our data center provider.
Sparkcentral currently uses Amazon Web Services (AWS) for its production data centers to provide the Sparkcentral Services. AWS has been selected for its high standards of both physical and technological security, and has internationally recognised certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and others. For more information about Amazon Web Services’ certification and compliance, please visit the AWS Security website and the AWS Compliance website.
Security Policies and Procedures
Sparkcentral implements and maintains industry-standard security policies and procedures that align with global cybersecurity frameworks. These are independently verified and their maturity assessed through Sparkcentral’s annual SOC2 and ISO 27001 compliance programs.
Sparkcentral takes the security of its application very seriously, and as such incorporates security checks in its software development lifecycle. New features, functionality, and design changes go through a review process. In addition, Sparkcentral’s code is tested and manually peer-reviewed prior to being deployed to production. Sparkcentral’s security team works closely with its product and engineering teams to resolve any additional security or privacy concerns that may arise during development.
Vulnerability Management & Penetration Testing
The security of Sparkcentral’s production environment is regularly tested through vulnerability scans. In addition, Sparkcentral conducts periodic penetration testing of its platform by an independent penetration testing organization.
Security Monitoring & Incident Response
Sparkcentral monitors its environment using a Security Incident & Event Management (SIEM) solution.
Sparkcentral maintains security incident management policies and procedures. Sparkcentral notifies impacted customers without undue delay of any unauthorized disclosure of their Customer Content by Sparkcentral or its agents of which Sparkcentral becomes aware, to the extent permitted by law.
These security practices apply to the Sparkcentral Services defined in your Agreement with Sparkcentral.