Sprout Social’s Privacy Program
How we safeguard your personal data
Sprout Social employs a variety of technical and organizational measures to safeguard your personal data.
We maintain policies related to data classification, ensuring that the protections in place are appropriate based on the type of data. All communications over public networks with Sprout Social’s application and API utilize HTTPS with TLS 1.2 or higher enforced. All customer data is logically separated and encrypted at rest with AES-256.
In processing personal data, we clearly identify our purposes of processing personal data and limit our processing solely to these purposes. Further, we ensure that the personal data we process is adequate, relevant, and limited only to what is necessary. Sprout Social has established standard data retention periods for customer data and is stringent in ensuring that deletion requests are respected.
Our employees are required to follow our policies, including our Employee Handbook, Code of Ethics and Conduct, and Acceptable Use Policy, which establish non-disclosure and confidentiality requirements. We follow the principle of least privilege, so that employees have only the access to systems and data that they require to perform their duties.
For more information on our Security Measures, please click here.
Sprout Social’s subprocessors are contractually required to adhere to an established set of security and privacy measures that align with industry standards.
For a list of subprocessors that are used to deliver the platform to our customers, please review https://sproutsocial.com/subprocessors/.
DPO and Privacy Committee
Sprout Social has appointed Fieldfisher LLP as its Data Protection Officer. You can reach our DPO at firstname.lastname@example.org. Sprout Social has a Privacy Committee comprised of key stakeholders from its Legal, Security, and Compliance teams.
Sprout Social requires its employees and contractors to attend regular privacy training to reinforce best practices and policies as they relate to protecting the privacy of our customer data.
Data Subject Requests
Sprout Social will assist customers in fulfilling their legal obligation to respond to data subject access or deletion requests.
Data Protection Impact Assessments
Sprout Social will assist customers in fulfilling their legal obligation to perform data protection impact assessments.
Vendor Diligence and Review
Sprout Social reviews the security and privacy posture of our critical third-party product and service providers on a regular basis. Additional information on our third-party due diligence can be found in our SOC 2 Type 2 report, which is available upon request.
Sprout Social's Privacy Law Compliance
Sprout Social is a “service provider” under the CCPA and the CPRA. Sprout Social complies with the “do not sell or share” provisions of the CCPA and CPRA.
GDPR (both EU and UK)
Sprout Social is a “processor” of customer personal data under the GDPR. The transfer mechanism for EU-US data transfers is the latest version of the Standard Contractual Clauses (SCCs). The transfer mechanism for UK-US data transfers is the SCCs subject to the UK Addendum.
All Swiss-US data transfers are subject to the latest SCCs with Switzerland’s Federal Data Protection and Information Commissioner as the relevant Supervisory Authority.