Security and privacy at Sparkwise

At the core of our operations is a commitment to security and privacy. Sparkwise is proud to be SOC 2 Type II compliant.

Learn more about our infrastructure security, organizational security, product security, internal security procedures, and data & privacy.

Security and privacy  at sparkwise

Industry-Standard Security and Compliance

Sparkwise is SOC 2 Type II compliant

Our SOC 2 Type II report is available by request.

What is it?

A SOC 2 Type II report describes a service organization's systems, whether the design of specified controls meets the relevant trust services categories, and assesses the effectiveness of those controls over a specified period of time.

SOC 2 has a rigorous requirement on how companies handle customer data and information, so compliance guarantees there are established and implemented organizational practices in place to safeguard customer data.

The relationship with our clients is built on trust. The successful completion of our SOC 2 report is one of many ways that we earn and retain that trust.

Ari Bader-Natal

Co-founder & CTO, Sparkwise

Infrastructure security

Service infrastructure maintained

Sparkwise has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats.

Network and system hardening standards maintained

Sparkwise's network and system hardening standards are documented, based on industry best practices, and reviewed at least annually.

Network firewalls utilized

Sparkwise uses firewalls and configures them to prevent unauthorized access.

Network firewalls reviewed

Sparkwise reviews its firewall rulesets at least annually. Required changes are tracked to completion.

Infrastructure performance monitored

An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met.

Network segmentation implemented

Sparkwise's network is segmented to prevent unauthorized access to customer data.

Log management utilized

Sparkwise utilizes a log management tool to identify events that may have a potential impact on Sparkwise's ability to achieve its security objectives.

Intrusion detection system utilized

Sparkwise uses an intrusion detection system to provide continuous monitoring of Sparkwise's network and early detection of potential security breaches.

Production network access restricted

Sparkwise restricts privileged access to the production network to authorized users with a business need.

Remote access encrypted enforced

Sparkwise's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

Remote access MFA enforced

Sparkwise's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.

Unique network system authentication enforced

Sparkwise requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys.

Production OS access restricted

Sparkwise restricts privileged access to the operating system to authorized users with a business need.

Access revoked upon termination

Sparkwise completes termination checklists to ensure that access is revoked for terminated employees within SLAs.

Firewall access restricted

Sparkwise restricts privileged access to the firewall to authorized users with a business need.

Unique account authentication enforced

Sparkwise requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys.

Production application access restricted

System access restricted to authorized access only

Production database access restricted

Sparkwise restricts privileged access to databases to authorized users with a business need.

Access control procedures established

Sparkwise's access control policy documents the requirements for the following access control functions:

  • adding new users;
  • modifying users; and/or
  • removing an existing user's access.

Encryption key access restricted

Sparkwise restricts privileged access to encryption keys to authorized users with a business need.

Unique production database authentication enforced

Sparkwise requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key.

Organizational security

Password policy enforced

Sparkwise requires passwords for in-scope system components to be configured according to Sparkwise's policy.

Security awareness training implemented

Sparkwise requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.

Confidentiality Agreement acknowledged by contractors

Sparkwise requires contractors to sign a confidentiality agreement at the time of engagement.

Performance evaluations conducted

Sparkwise managers are required to complete performance evaluations for direct reports at least annually.

MDM system utilized

Sparkwise has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service.

Confidentiality Agreement acknowledged by employees

Sparkwise requires employees to sign a confidentiality agreement during onboarding.

Code of Conduct acknowledged by employees and enforced

Sparkwise requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy.

Code of Conduct acknowledged by contractors

Sparkwise requires contractor agreements to include a code of conduct or reference to Sparkwise code of conduct.

Employee background checks performed

Sparkwise performs background checks on new employees.

Anti-malware technology utilized

Sparkwise deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.

Asset disposal procedures utilized

Sparkwise has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.

Production inventory maintained

Sparkwise maintains a formal inventory of production system assets.

Product security

Vulnerability and system monitoring procedures established

Sparkwise's formal policies outline the requirements for the following functions related to IT / Engineering:

  • vulnerability management;
  • system monitoring.

Data transmission encrypted

Sparkwise uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.

Penetration testing performed

Sparkwise's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.

Control self-assessments conducted

Sparkwise performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If Sparkwise has committed to an SLA for a finding, the corrective action is completed within that SLA.

Data encryption utilized

Sparkwise's datastores housing sensitive customer data are encrypted at rest.

Internal security procedures

Vendor management program established

Sparkwise has a vendor management program in place. Components of this program include:

  • critical third-party vendor inventory;
  • vendor's security and privacy requirements; and
  • review of critical third-party vendors at least annually

Vulnerabilities scanned and remediated

Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation.

Third-party agreements established

Sparkwise has written agreements in place with vendors and related third-parties. These agreements include confidentiality and privacy commitments applicable to that entity.

Risk management program established

Sparkwise has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.

Risks assessments performed

Sparkwise's risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed. The risk assessment includes a consideration of the potential for fraud and how fraud may impact the achievement of objectives.

Risk assessment objectives specified

Sparkwise specifies its objectives to enable the identification and assessment of risk related to the objectives.

Service description communicated

Sparkwise provides a description of its products and services to internal and external users.

Company commitments externally communicated

Sparkwise's security commitments are communicated to customers in Master Service Agreements (MSA) or Terms of Service (TOS).

External support resources available

Sparkwise provides guidelines and technical support resources relating to system operations to customers.

Incident management procedures followed

Sparkwise's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to Sparkwise's security incident response policy and procedures.

Incident response plan tested

Sparkwise tests their incident response plan at least annually.

Incident response policies established

Sparkwise has security and privacy incident response policies and procedures that are documented and communicated to authorized users.

Access requests required

Sparkwise ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned.

System changes communicated

Sparkwise communicates system changes to authorized internal users.

Access reviews conducted

Sparkwise conducts access reviews at least quarterly for the in-scope system components to help ensure that access is restricted appropriately. Required changes are tracked to completion.

Organization structure documented

Sparkwise maintains an organizational chart that describes the organizational structure and reporting lines.

Support system available

Sparkwise has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.

Security policies established and reviewed

Sparkwise's information security policies and procedures are documented and reviewed at least annually.

Roles and responsibilities specified

Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.

Backup processes established

Sparkwise's data backup policy documents requirements for backup and recovery of customer data.

Management roles and responsibilities defined

Sparkwise management has established defined roles and responsibilities to oversee the design and implementation of information security controls.

System changes externally communicated

Sparkwise notifies customers of critical system changes that may affect their processing.

Board charter documented

Sparkwise's board of directors has a documented charter that outlines its oversight responsibilities for internal control.

Board expertise developed

Sparkwise's board members have sufficient expertise to oversee management's ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed.

Board oversight briefings conducted

Sparkwise's board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of Sparkwise's cybersecurity and privacy risk. The board provides feedback and direction to management as needed.

Whistleblower policy established

Sparkwise has established a formalized whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns.

SOC 2 - System Description

Sparkwise has completed a description of Sparkwise system for Section III of the audit report

Development lifecycle established

Sparkwise has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.

Production deployment access restricted

Sparkwise restricts access to migrate changes to production to authorized personnel.

Change management procedures enforced

Sparkwise requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.

Configuration management system established

Sparkwise has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.

Cybersecurity insurance maintained

Sparkwise maintains cybersecurity insurance to mitigate the financial impact of business disruptions.

Continuity and Disaster Recovery plans established

Sparkwise has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.

Continuity and disaster recovery plans tested

Sparkwise has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.

Data and privacy

Data classification policy established

Sparkwise has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.

Customer data deleted upon leaving

Sparkwise purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.

Data retention procedures established

Sparkwise has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.