Security Center
In business since 2010, Sprout Social has more than 30,000 paying customers who trust us to help them manage many millions of daily conversations. Our technology is designed and stewarded with our customers and their audiences, hundreds of millions strong, in mind. We work daily to build lasting relationships through a culture of customer success and support.
Product Security Measures
While the Global Security Measures documented on this page apply across the entire Sprout Social organization, each of our applications includes product-specific security features. Information related to access control, application security, cloud hosting, and infrastructure security in our products can be found in their respective sections below.
Global Security Measures
Operational Resilience
Reliability & availability
Sprout Social strives to minimize service impacts and downtime. We design our systems for fault tolerance, and our teams are trained for rapid incident recovery. It is in our ethos to avoid downtime at all costs, unplanned or planned. We never impose maintenance downtime if it is avoidable—because it usually is. Elements of business continuity and disaster recovery are woven into our practices and systems. They are not an afterthought or a task relegated to a single team.
Our Engineering team strives to maintain 99.9% uptime for each of our products as a key performance indicator (KPI). We publicly share real-time system status and metrics on our status websites, where customers may subscribe to receive notifications of future incidents.
Social integrations
Our data ingest layer combines multiple connections to social network APIs. Through our formal partnership agreements, social networks like Facebook, Instagram, LinkedIn, Pinterest, Threads, TikTok, X, and YouTube provide us with higher levels of redundancy and direct access to their support teams.
All connections between Sprout Social products and the social networks occur over secure networks. When customers connect their social profiles to Sprout Social, they enter credentials directly on the social network; Sprout Social never views, processes, or stores any of our customers’ social network account credentials.
Backups
Backups are taken frequently, encrypted in transit and at rest, and tested regularly. They are intentionally stored "off-site," geographically separate from each application's primary hosting location, to ensure high levels of durability and availability.
Additional information on data centers and hosting locations can be found in the product-specific security pages above.
DevOps & monitoring
Our engineering team practices infrastructure as code, providing correctness, consistency, testability, and speed to recovery. All 24/7/365 on-call team members are empowered to rebuild systems and topologies consistently. In the event of system loss, our engineering team quickly recreates systems by executing the infrastructure code.
We monitor continuously worldwide, displaying, alerting, and reporting on our entire technical environment in real time. Our customer-facing support team collaborates with our engineering team to support customers. Specialized engineers are on call 24/7/365.
When problems occur, our teams are promptly notified, automatically provided with context, and given tools to collaborate efficiently with peers. We employ a triage pager system to ensure alerts quickly and reliably reach engineers.
Personnel Security
Awareness & training
Sprout Social has implemented a strong information security management system through a comprehensive set of policies and standards covering all aspects of security and privacy. As part of their condition of employment, all employees must affirm their responsibilities in protecting customer data.
In addition to developers receiving secure coding training, all employees participate in annual general security and data privacy training. Phishing drills are routinely administered and measured against industry benchmarks.
Security organization
Sprout Social maintains a highly qualified, expansive team dedicated to information security, led by the VP of IT, Security, and Compliance, with oversight from the Chief Technology Officer (CTO) and the Sprout Social Board of Directors.
Based on qualifications and career interests, security personnel may be assigned to functional areas such as employee security, application security, infrastructure security, SOC monitoring, compliance, and more.
Hardware & devices
Sprout Social maintains an inventory of all hardware equipment and devices, which is regularly audited both automatically and manually. Each device is centrally managed through a mobile device management (MDM) solution, which enforces centralized configurations and allows for continuous system monitoring.
Each employee workstation is secured with full-disk encryption, next-generation antivirus and antimalware software, and data loss prevention software. Hardware controls, such as blocking external media and USB ports, are also configured.
Screening
Candidates for employment complete several rounds of interviews with cross-functional stakeholders to verify qualifications. Before beginning employment at Sprout Social, all personnel undergo identity verification and a background check, subject to local laws and regulations.
Vulnerability and Risk Management
Detection & operations
Sprout Social’s in-house security team monitors systems and logs 24/7/365 for potential events and anomalies. Additionally, specialized personnel are available on call should they be required.
Systems and applications are scanned regularly for common vulnerabilities, and findings are remediated according to risk. Qualified third-party testing vendors conduct penetration tests at the application and network layers several times yearly.
Incident management & response
Sprout Social's incident response planning and procedures are based on NIST standards, incorporating the phases of preparation, detection and analysis, containment, eradication, recovery, and post-incident activity. These are further reinforced by the information security incident management requirements in the ISO 27001 standard.
When potential incidents are identified through our monitoring systems, threat detection tools, or stakeholder reports, an initial assessment and classification occur before quickly moving into response and containment actions. Stakeholders are updated regularly throughout the investigation, and comprehensive records and evidence are collected and preserved. After the incident has been addressed, the root cause is identified, and in the spirit of continuous improvement, changes are implemented to prevent similar incidents in the future.
Supply chain management
Sprout Social uses automated and manual methods to regularly review and monitor all critical product and service providers in our supply chain. Our subprocessors are contractually required to adhere to an established set of security measures that align with industry best practices.
Given the importance of monitoring for third-party risk, we pay close attention to libraries and other third-party dependencies used within our environment to ensure they remain patched and fully up-to-date.
Change control
All engineering teams at Sprout Social follow Agile software development methodologies, which incorporate formal Software Development Life Cycle (SDLC) phases, including Planning, Development, Code Review, Testing, Deployment, and Continuous Monitoring.
All code and configuration changes undergo multiple review and test steps before deployment. Our production environments enforce approved code through configuration management tools, and any direct modifications made to those systems will be overwritten by the approved configuration to ensure consistency. Every Sprout Social developer must complete annual training on secure coding topics.
Physical and Environmental Protection
Physical office security
All Sprout Social offices have multiple-layer doors secured by electronic access control systems. Physical access is limited to Sprout Social personnel and authorized, escorted visitors. Offices are equipped with surveillance cameras monitoring ingress and egress.
Digital office security
All offices have secured data rooms containing networking equipment, including firewalls, switches, and access points, which we own and manage. Office networks are segmented and centrally monitored. Because our services are hosted through third-party data centers, there are no product dependencies on Sprout Social's corporate offices or other facilities we manage.
Life safety
Each Sprout Social office maintains internal floor plans, including the locations of exits, fire extinguishers, defibrillators, and other health and wellness resources. Emergency alarm systems are installed and tested regularly. Emergency disaster procedures are updated, and test exercises are performed at least annually.
Business continuity
While Sprout Social maintains multiple physical offices, our business's continued operation is not dependent on these offices. During the COVID-19 (Coronavirus) pandemic, Sprout Social transitioned to an all-remote workforce without delay or interruption. Many employees have since returned to the office, but the organization remains hybrid, with personnel working remotely worldwide. Therefore, our products, services, and overall business operations can continue around the clock regardless of any office interruptions.