Hosting & security
Sprout Social aims to help businesses of all sizes become better marketers, create stronger relationships with their customers, be more informed decision makers, and create the world’s most beloved brands.
In business since 2010, Sprout Social has more than 25,000 paying customers who trust us to help them manage many millions of daily conversations. Our technology is designed and stewarded with our customers and their audiences, hundreds of millions strong, in mind. We work daily to build lasting relationships through a culture of customer success and support.
Reliability & availability
Sprout Social strives to minimize service impacts and downtime. We design our systems for fault tolerance, and our teams for rapid incident recovery. It is in our ethos to avoid downtime at all costs, unplanned or planned. We never impose maintenance downtime if it is avoidable—because it usually is. Elements of business continuity and disaster recovery are woven into our practices and our systems. They are not an afterthought, or a task relegated to a single team.
A proven track-record
99.99% uptime is a KPI for our Engineering group. At the time of writing, we had higher than 99.99% uptime over the prior 6 and 12 months.
Transparency to customers
Trust begins with open communication. We publicly share real-time system status and metrics on our Status Websites, https://status.sproutsocial.com for Sprout Social and https://status.getbambu.com for Bambu. There we communicate incidents and planned maintenance, including any customer impact, and we display system health metrics sourced from independent third-party providers. Customers may subscribe to receive immediate SMS or email notifications of future incidents.
Social media feeds
Our data ingest layer combines multiple connections to social network APIs. As certified partners, social networks like Facebook, Twitter, Instagram and Linkedin provide us with higher levels of redundancy and access to their support teams.
Backups are taken frequently, encrypted in transit and at rest, and are tested regularly. Backups are kept "off-site" in Amazon S3 which stores files on multiple physical devices in multiple facilities offering 99.999999999% durability and 99.99% availability.
Transparency to our teams
Internally we practice multi-disciplinary, blameless post-mortem analysis, and seek to grow our people, procedures, and systems in the aftermath of failure. Fear is the enemy of progress.
Our highly distributed backend platform employs isolation design patterns to mitigate risks across components. Failures of one component rarely affect other components.
Recovery point objectives (RPOs)
Recovery strategies are designed to provide up-to-date RPOs at low Recovery Time Objectives (RTOs), with older data recovered against longer RTOs. This is consistent with customer expectations in Social Media, allowing customers to meet the immediate needs of their customers.
DevOps best practices
Our engineering team practices Infrastructure-as-code, providing correctness, consistency, testability, and speed to recovery. Any 24/7/365 on-call team member is empowered to rebuild systems and topologies with full consistency. In the event of system loss, our Engineering team quickly recreates systems by executing the infrastructure code.
Monitoring & on-call support
We monitor continuously from around the world, displaying, alerting, and reporting upon our entire technical environments in real-time. Supporting customers is a collaboration between our customer-facing support team, and our engineering team. Specialized engineers are on call 24/7/365.
When problems occur our teams are promptly notified, automatically provided with context, and are enabled with tools to help collaborate efficiently with peers. We employ a triage pager system to ensure alerts quickly and reliably reach engineers.
Sprout Social’s products are hosted by Amazon Web Services (AWS). AWS provides world-class hosting facilities that are secure, highly available, and redundant, with compliance to Cloud Security Alliance Star Level 2, ISO 9001, 27001, 27017, 27018, PCI DSS Level 1, and SOC 1, 2, and 3. For more more information on AWS's certifications and compliance programs, please visit https://aws.amazon.com/compliance/programs.
Customer data is hosted in the United States, in AWS’s us-east-1 and us-west-2 regions. Sprout Social is Privacy Shield certified to transfer personal data from the European Union and Switzerland, and is GDPR compliant.
AWS's data centers are outfitted with world-class physical hosting capabilities. Buildings have temperature and humidity monitoring and management, automatic water detection and removal, and automatic fire detection and suppression. Combinations of multiple power feeds, Uninterruptible Power Supply (UPS) systems, and on-site electrical generators provide layers of backup power. Telecommunications and Internet connections are redundant. There are no product dependencies on Sprout Social corporate offices or other facilities we manage.
Additional security is applied to information technology rooms and systems including forced open door alarms, thread and electronic intrusion detection systems, multi-factor authentication, and media destruction per
Data Center buildings have strict physical access review and scrutiny. All physical access is monitored 24/7 by personnel. Multi-factor authentication is required for all visitors. Continuous monitoring for unauthorized access is done through video surveillance, intrusion detection, and access log monitoring systems.
Infrastructure & network security
Sprout Social employs a dedicated security team. All systems are monitored and alerted 24/7/365 for security and operational events. Host-based Intrusion Detection is deployed on all production systems.
Our private network is segmented into multiple security zones. These bring increasing levels of control, in proximity to customer data.
Incident management & response
Sprout Social's incident response planning and procedures are based on NIST standards. All incident reports are promptly investigated, reported and remediated as necessary. The response plan and procedures define all the steps to ensure a consistent process.
Systems and applications are scanned regularly for common vulnerabilities.
Encryption at rest & in transit
All communications over public networks with Sprout Social applications and APIs is conducted over TLS/HTTPS. All data is stored encrypted at rest, including for backups.
Best practices are utilized, such as least privilege, central configuration management, and stringent host and network firewall policies. Servers are patched automatically on a regular schedule, with high-priority patches applied manually out-of-cycle.
Sprout Social's developers are given annual training on secure coding. All application code is written by Sprout Employees, and each change undergoes peer review. Security vulnerabilities are promptly triaged and corrected.
Third-party penetration testing
Sprout Social contracts with multiple penetration testing vendors to conduct several tests per year. Reports are available upon request by customers under NDA.
Distributed Denial of Service mitigation is provided via our hosting platform.
Responsible disclosure policy
Security researchers may report vulnerabilities through Bug Crowd. (link: https://bugcrowd.com/sproutsocial). Learn more about our policy at https://sproutsocial.com/responsible-disclosure-policy.
Employees & internal IT
In addition to developers receiving secure coding training, all employees participate in annual general security and data privacy training. Phishing drills are routinely run, and measured against industry benchmarks.
Information security policies & standards
Sprout Social has a comprehensive set of policies and standards
covering all aspects of security and privacy. All Employees musts affirm their responsibilities in protecting customer data as part of their condition of employment.
Secure support protocols
Our world-class Support team follows phishing and threat-resistant protocols designed by our Security team, when conducting sensitive actions on customer accounts.
Sprout Social offices are secured by keycard access. Office networks are segmented, centrally monitored, and protected by firewalls and Intrusion Prevention devices. Our products have no dependencies on our company’s offices or other facilities we manage.
All Sprout Social devices are inventoried with asset tags and managed with a central MDM solution.
Employee workstations are secured with hard drive encryption, Antivirus and advanced malware detection with central management and control.
All new hires with access to customer data undergo a criminal history and background check prior to employment.
Like the hosting of our products, while Sprout Social maintains physical offices around the world, the continued operation of our business is not dependent on these offices. Our products, customer service, and overall business operations are enabled to carry on uninterrupted by physical incidents or issues at our offices. Our team is equipped with Cloud-based tools and remote access & collaboration solutions, and make use of these tools daily.
Product security features
Two-step verification (2FA)
Account owners and administrators may require that their users leverage this additional security layer. Sprout Social supports apps like Google Authenticator and others that implement the Time-based One-time Password Algorithm (TOTP) or HMAC-based One-time Password Algorithm (HOTP) for generating passcodes.
Secure credential storage
Account passwords are salted and hashed using the latest strong algorithms and approaches, which are routinely audited. No human, our staff included, can ever view them. If you lose your password, it can't be recovered and must be reset.
In addition to computationally challenging hashing, our authentication services implement additional rate-limiting protections and ReCAPTCHA.
Account Owners and Administrators may restrict certain activities behind approval workflows. These allow for tasks to be divided amongst a team, with the peace of mind that central decision makers may review and control public-facing actions.
Sprout Social may be configured to restrict application and API access from specific IP ranges.
Sprout Social implements Sender Policy Framework (SPF) and
DomainKeys Identified Mail (DKIM) to ensure emails we send are authenticated as coming from Sprout Social, helping to prevent spoofing and ensure authenticity.
Account Owners and Administrators may restrict access to profiles, features, actions (including read and write), and other data, by applying granular controls to users on their account.
Global publishing pause
In times of crisis, your team has access to one button that temporarily disables any automated scheduled and queued messages from being sent by Sprout Social. This is accessible from our web and mobile applications.