Hosting & security

Sprout Social aims to help businesses of all sizes become better marketers, create stronger relationships with their customers, be more informed decision makers, and create the world’s most beloved brands.

In business since 2010, Sprout Social has more than 25,000 paying customers who trust us to help them manage many millions of daily conversations. Our technology is designed and stewarded with our customers and their audiences, hundreds of millions strong, in mind. We work daily to build lasting relationships through a culture of customer success and support.

Reliability & availability

Sprout Social strives to minimize service impacts and downtime. We design our systems for fault tolerance, and our teams for rapid incident recovery. It is in our ethos to avoid downtime at all costs, unplanned or planned. We never impose maintenance downtime if it is avoidable—because it usually is. Elements of business continuity and disaster recovery are woven into our practices and our systems. They are not an afterthought, or a task relegated to a single team.

A proven track record

99.99% uptime is a KPI for our Engineering group. At the time of writing, we had higher than 99.99% uptime over the prior 6 and 12 months.

Transparency to customers

Trust begins with open communication. We publicly share real-time system status and metrics on our Status Websites, https://status.sproutsocial.com for Sprout Social and https://status.getbambu.com for Bambu. There we communicate incidents and planned maintenance, including any customer impact, and we display system health metrics sourced from independent third-party providers. Customers may subscribe to receive immediate SMS or email notifications of future incidents.

Social media feeds

Our data ingest layer combines multiple connections to social network APIs. As certified partners, social networks like Facebook, Twitter, Instagram and LinkedIn provide us with higher levels of redundancy and access to their support teams.

Backups

Backups are taken frequently, encrypted in transit and at rest, and are tested regularly. Backups are kept "off-site" in Amazon S3 which stores files on multiple physical devices in multiple facilities offering 99.999999999% durability and 99.99% availability.

Transparency to our teams

Internally we practice multi-disciplinary, blameless post-mortem analysis, and seek to grow our people, procedures, and systems in the aftermath of failure. Fear is the enemy of progress.

Isolation

Our highly distributed backend platform employs isolation design patterns to mitigate risks across components. Failures of one component rarely affect other components.

Recovery point objectives (RPOs)

Recovery strategies are designed so that the most recent data has an up-to-date RPO and a low Recovery Time Objective (RTO), while older data is recovered against longer RTOs. This is consistent with customer expectations in social media, allowing customers to meet the immediate needs of their own customers first.

DevOps best practices

Our engineering team practices Infrastructure-as-code, providing correctness, consistency, testability, and speed to recovery. Any 24/7/365 on-call team member is empowered to rebuild systems and topologies with full consistency. In the event of system loss, our Engineering team quickly recreates systems by executing the infrastructure code.

Monitoring & on-call support

We monitor continuously from around the world, displaying, alerting, and reporting on our entire technical environment in real time. Supporting customers is a collaboration between our customer-facing support team and our engineering team. Specialized engineers are on call 24/7/365.

When problems occur our teams are promptly notified, automatically provided with context, and are enabled with tools to help collaborate efficiently with peers. We employ a triage pager system to ensure alerts quickly and reliably reach engineers.

Data centers

Sprout Social’s products are hosted by Amazon Web Services (AWS). AWS provides world-class hosting facilities that are secure, highly available, and redundant, with compliance to Cloud Security Alliance STAR Level 2, ISO 9001, 27001, 27017, 27018, PCI DSS Level 1, and SOC 1, 2, and 3. For more information on AWS's certifications and compliance programs, please visit https://aws.amazon.com/compliance/programs.

Data location

Customer data is hosted in the United States, in AWS’s us-east-1 and us-west-2 regions. Sprout Social is Privacy Shield certified to transfer personal data from the European Union and Switzerland, and is GDPR compliant.

Facilities

AWS's data centers are outfitted with world-class physical hosting capabilities. Buildings have temperature and humidity monitoring and management, automatic water detection and removal, and automatic fire detection and suppression. Combinations of multiple power feeds, Uninterruptible Power Supply (UPS) systems, and on-site electrical generators provide layers of backup power. Telecommunications and Internet connections are redundant. There are no product dependencies on Sprout Social corporate offices or other facilities we manage.

IT security

Additional security is applied to information technology rooms and systems, including forced-open door alarms, threat and electronic intrusion detection systems, multi-factor authentication, and media destruction per NIST 800-88.

Physical security

Data Center buildings have strict physical access review and scrutiny. All physical access is monitored 24/7 by personnel. Multi-factor authentication is required for all visitors. Continuous monitoring for unauthorized access is done through video surveillance, intrusion detection, and access log monitoring systems.

Infrastructure & network security

Sprout Social employs a dedicated security team. All systems are monitored 24/7/365, with alerting on security and operational events. Host-based intrusion detection is deployed on all production systems.

Network controls

Our private network is segmented into multiple security zones, with controls that become stricter the closer a zone sits to customer data.

Incident management & response

Sprout Social's incident response planning and procedures are based on NIST standards. All incident reports are promptly investigated, reported and remediated as necessary. The response plan and procedures define all the steps to ensure a consistent process.

Scanning

Systems and applications are scanned regularly for common vulnerabilities.

Encryption at rest & in transit

All communications over public networks with Sprout Social applications and APIs are conducted over TLS/HTTPS. All data is stored encrypted at rest, including backups.

System administration

Best practices are utilized, such as least privilege, central configuration management, and stringent host and network firewall policies. Servers are patched automatically on a regular schedule, with high-priority patches applied manually out-of-cycle.

Application security

Sprout Social's developers are given annual training on secure coding. All application code is written by Sprout Employees, and each change undergoes peer review. Security vulnerabilities are promptly triaged and corrected.

Third-party penetration testing

Sprout Social contracts with multiple penetration testing vendors to conduct several tests per year. Reports are available upon request by customers under NDA.

DDoS mitigation

Distributed Denial of Service mitigation is provided via our hosting platform.

Responsible disclosure policy

Security researchers may report vulnerabilities through Bugcrowd (https://bugcrowd.com/sproutsocial). Learn more about our policy at https://sproutsocial.com/responsible-disclosure-policy.

Employees & internal IT

In addition to developers receiving secure coding training, all employees participate in annual general security and data privacy training. Phishing drills are routinely run, and measured against industry benchmarks.

Information security policies & standards

Sprout Social has a comprehensive set of policies and standards covering all aspects of security and privacy. All employees must affirm their responsibilities in protecting customer data as a condition of employment.

Secure support protocols

Our world-class Support team follows phishing- and threat-resistant protocols designed by our Security team when conducting sensitive actions on customer accounts.

Offices

Sprout Social offices are secured by keycard access. Office networks are segmented, centrally monitored, and protected by firewalls and Intrusion Prevention devices. Our products have no dependencies on our company’s offices or other facilities we manage.

Devices

All Sprout Social devices are inventoried with asset tags and managed with a central MDM solution.

Endpoints

Employee workstations are secured with hard drive encryption, Antivirus, data loss prevention software, and advanced malware detection with central management and control.

Background checks

All new hires with access to customer data undergo a criminal history and background check prior to employment.

Business continuity

As with the hosting of our products, Sprout Social maintains physical offices around the world, but the continued operation of our business does not depend on them. Our products, customer service, and overall business operations can carry on uninterrupted by physical incidents or issues at our offices. Our team is equipped with cloud-based tools and remote access and collaboration solutions, and makes use of these tools daily.

Product security features

Two-step verification (2FA)

Account owners and administrators may require that their users leverage this additional security layer. Sprout Social supports apps like Google Authenticator and others that implement the Time-based One-time Password Algorithm (TOTP) or HMAC-based One-time Password Algorithm (HOTP) for generating passcodes.

Secure credential storage

Account passwords are salted and hashed using the latest strong algorithms and approaches, which are routinely audited. No human, our staff included, can ever view them. If you lose your password, it can't be recovered and must be reset.

Brute-force protections

In addition to computationally challenging hashing, our authentication services implement additional rate-limiting protections and reCAPTCHA.
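The two preceding sections, salted password hashing and rate limiting against brute force, are illustrated together in the added example below. It is not Sprout Social's code and does not claim to be the algorithm they use: PBKDF2-HMAC-SHA256 via the standard library is assumed as the slow, salted hash, the iteration count is an assumed work factor, and the `LoginThrottle` class, its limits and the `attempt_login` helper are this example's own. Note the dummy hash for unknown usernames, which keeps the response time the same whether or not the account exists.

```python
"""Salted password hashing plus per-account login throttling (added example)."""
import hashlib
import hmac
import os
from typing import Dict, List

# Assumed work factor for the example; tune to current guidance and your hardware.
ITERATIONS = 210_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (all hex)."""
    salt = os.urandom(SALT_BYTES)                  # unique per password, so equal
    digest = hashlib.pbkdf2_hmac(                  # passwords give different records
        "sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed record used only so that unknown usernames cost the same as real ones.
_DUMMY_RECORD = hash_password("not-a-real-password")


class LoginThrottle:
    """After max_attempts failures inside window_seconds, refuse further attempts."""

    def __init__(self, max_attempts: int = 5, window_seconds: int = 300):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.failures: Dict[str, List[int]] = {}   # username -> failure timestamps

    def _recent(self, username: str, now: int) -> List[int]:
        kept = [t for t in self.failures.get(username, []) if now - t < self.window_seconds]
        self.failures[username] = kept             # drop failures older than the window
        return kept

    def allowed(self, username: str, now: int) -> bool:
        return len(self._recent(username, now)) < self.max_attempts

    def record_failure(self, username: str, now: int) -> None:
        self._recent(username, now).append(now)

    def record_success(self, username: str) -> None:
        self.failures.pop(username, None)


def attempt_login(users: Dict[str, str], throttle: LoginThrottle,
                  username: str, password: str, now: int) -> str:
    """Return 'locked', 'ok' or 'denied'.  Unknown users take the slow path too."""
    if not throttle.allowed(username, now):
        return "locked"                            # no hash work while locked out
    stored = users.get(username, _DUMMY_RECORD)
    if username in users and verify_password(password, stored):
        throttle.record_success(username)
        return "ok"
    verify_password(password, stored) if username not in users else None
    throttle.record_failure(username, now)
    return "denied"


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}  # constructed account
    throttle = LoginThrottle(max_attempts=3, window_seconds=60)
    for t in range(4):
        print(t, attempt_login(users, throttle, "alice", "guess", now=t))
    print(attempt_login(users, throttle, "alice", "correct horse battery staple", now=61))
```

A locked account is refused before any hashing happens, so an attacker who is already throttled cannot use the server's own slow hash against it, while a legitimate user regains access once the window expires.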

Approval workflows

Account Owners and Administrators may restrict certain activities behind approval workflows. These allow for tasks to be divided amongst a team, with the peace of mind that central decision makers may review and control public-facing actions.

IP restrictions

Sprout Social may be configured to restrict application and API access from specific IP ranges.

Email signing

Sprout Social implements Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to ensure emails we send are authenticated as coming from Sprout Social, helping to prevent spoofing and ensure authenticity.

Access permissions

Account Owners and Administrators may restrict access to profiles, features, actions (including read and write), and other data, by applying granular controls to users on their account.

Global publishing pause

In times of crisis, your team has access to one button that temporarily disables any automated scheduled and queued messages from being sent by Sprout Social. This is accessible from our web and mobile applications.

Compliance & certifications

SOC 2 Type II

Sprout Social has received independent certification of SOC 2 Type I compliance and is pursuing a Type II audit in 2019.


EU-US & Swiss-US privacy shield

Sprout Social holds a Privacy Shield certification under these frameworks established by the U.S. Department of Commerce regarding the transfer of personal data from the EEA and/or Switzerland to the U.S.

GDPR

Sprout Social is GDPR compliant as both a data controller and data processor of personal data under the General Data Protection Regulation.

PCI compliance

Sprout Social is PCI SAQ-A compliant. Payment transactions are outsourced to third-party payment processors compliant to PCI-DSS Level 1.

Official social media partnerships

Sprout Social is recognized as an official partner of Twitter, Facebook, Instagram, LinkedIn, Google+, and Pinterest.