
Employee Advocacy Security

Employee Advocacy by Sprout Social is an intuitive solution that empowers employees as brand advocates. With a connected platform designed for immediate adoption, Employee Advocacy lets customers amplify their brand awareness, mitigate risk, and drive business results from a platform that helps employees quickly discover and share new content. More information can be found on our website here.

The security controls and measures documented below are specific to the Employee Advocacy application. In addition, all measures listed on the Security page apply.

Access Control

Authentication

By default, users log in to the Employee Advocacy application using a designated username and password. Account passwords are salted and hashed using the latest strong algorithms and approaches, which are routinely audited. No human, our staff included, can ever view them. If you lose your password, it can't be recovered and must be reset.

Single Sign-on (SSO) via SAML 2.0 allows customers to provide their users with one set of login credentials to access multiple applications. Just-in-time (JIT) provisioning is also available, which creates each new user with Reader permissions. Instructions for configuring SSO can be found here.

Authorization

Employee Advocacy offers a flexible, comprehensive permissions model where Administrators can manage each user's access to the application. The primary user roles include Reader, Contributor, Manager, and Admin. Global settings that apply across the entire account are also available, such as enabling/disabling the ability for users to share content that is not curated directly by an Admin. Users can also be separated into Teams for more direct, targeted content distribution. More information on configuring authorization controls in Employee Advocacy can be found here.

Formal approval workflows can be configured to allow users with certain roles the ability to submit suggested content, but with this content held in a queue for review and approval by a Manager or Admin. Information on the Topics by Approval process can be found here.

Application Security

Integrating with Sprout

Secure REST API connections link Sprout and Employee Advocacy accounts for customers who subscribe to both products. Customers can see Employee Advocacy reports in Sprout, send content from Sprout to Employee Advocacy, and create content in both applications at the same time.

Domain allowlisting

Account admins can configure email domain allowlisting, which enables anybody at the customer’s organization to create an Employee Advocacy account using their company email address.
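To show what a domain allowlist check of this kind has to get right, here is an added example (not Sprout Social's code; the function names and the `example.com` allowlist are assumptions). It compares the normalized domain of the address against the allowlist exactly, rather than as a string suffix, so `notexample.com` and `example.com.attacker.test` are not accepted for an allowlist entry of `example.com`.

```python
from typing import Iterable, Optional

# Added example (not Sprout Social code): an e-mail domain allowlist check.
# Both the allowlist entries and the sign-up address are normalized the
# same way (lower-case, trailing dot removed, IDNA-encoded) before an
# exact-label comparison, so look-alike and suffix tricks do not match.


def normalize_domain(domain: str) -> Optional[str]:
    """Lower-case, strip one trailing dot, IDNA-encode; None if malformed."""
    domain = domain.strip().lower().rstrip(".")
    if not domain:
        return None
    labels = domain.split(".")
    if any(not lbl or len(lbl) > 63 for lbl in labels):
        return None
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def email_domain(address: str) -> Optional[str]:
    """Normalized domain of a plain local@domain address, or None if the
    address is malformed (quoted local parts and multiple '@' are refused)."""
    address = address.strip()
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or '"' in local or any(c.isspace() for c in local):
        return None
    return normalize_domain(domain)


def is_allowlisted_email(address: str, allowlist: Iterable[str],
                         allow_subdomains: bool = False) -> bool:
    """True if the address's domain is exactly an allowlisted domain
    (or a subdomain of one, only when allow_subdomains is set)."""
    domain = email_domain(address)
    if domain is None:
        return False
    allowed = {d for d in (normalize_domain(a) for a in allowlist) if d}
    if domain in allowed:
        return True
    if allow_subdomains:
        # Label-boundary check: "sub.example.com" matches, "notexample.com" does not.
        return any(domain.endswith("." + a) for a in allowed)
    return False
```

Passing this check only proves the address is in an allowed domain; account creation should still wait for ownership of the mailbox to be confirmed.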

Restricting content distribution

When curating a story, the curator can decide which social platforms they wish to allow their users to publish the content on, ensuring that content is disseminated only to those approved social networks.

Leaderboard configuration

The Employee Advocacy application offers leaderboard functionality, where users can earn points based on actions taken on content within the application. Admins can exclude specific teams or users from the leaderboard or disable it altogether, depending on their individual company’s needs.

Cloud Hosting

Data centers

The Employee Advocacy application and associated infrastructure are hosted by Amazon Web Services (AWS). AWS provides world-class hosting facilities that are secure, highly available, and redundant, compliant with Cloud Security Alliance STAR Level 2, ISO/IEC 9001, 27001, 27017, 27018, PCI DSS Level 1, and SOC 1, 2, and 3. For more information on AWS's certifications and compliance programs, please visit https://aws.amazon.com/compliance/programs.

For optimal redundancy, Sprout Social also uses Google Cloud Platform (GCP) as a disaster recovery and backup hosting provider. For more information on GCP’s certifications and compliance programs, please visit https://cloud.google.com/trust-center.

Data locality

Understanding the importance of data residency, Sprout Social strives to provide accurate and comprehensive information regarding where customer data is processed and stored. Currently, all components of the Employee Advocacy application - including the infrastructure, application software, and customer data - are hosted across multiple Availability Zones within the United States. The specific locations can be found below:

  • Primary - AWS us-east-1 (N. Virginia)
  • Secondary - AWS us-west-2 (Oregon)
  • Disaster Recovery/Backup - GCP us-central1 (Iowa)

Infrastructure Security

Cryptography

All communications over public networks with the Employee Advocacy application and API utilize HTTPS with TLS 1.2 or higher enforced. All data, including backups, is stored encrypted at rest with AES-256 or greater.

All application keys are managed natively through a secrets management system. Keys are rotated regularly according to policy and industry standards.

Cloud security

The Employee Advocacy application is designed natively for AWS and securely leverages dozens of AWS services. Prescriptive guides and benchmarks ensure that all services are configured according to manufacturer and industry security best practices. Regular scanning confirms that these best practices remain in effect at all times.

While operating a multi-tenant cloud environment, Sprout Social ensures that each customer’s data is logically separated so that each customer can access only their own data. Various front-end and back-end verification measures operate continuously to enforce this separation.

Network security

The Employee Advocacy infrastructure is configured in a Virtual Private Cloud (VPC), segmented into multiple security zones. The controls in these zones become progressively stricter the closer a zone is to customer data.

Servers are logically segmented based on network access control lists, security groups, and firewall rules. Each server is dedicated and designed for a single function. Unneeded ports and services are disabled.

Cloudflare, in conjunction with the AWS Web Application Firewall (WAF), protects the infrastructure against automated and manual attacks. Host-based Intrusion Detection Systems (IDS) are deployed on all production systems.

Maintenance

The infrastructure is constructed and maintained following the zero-trust architecture approach. Personnel are granted access to systems strictly based on the access required for their role, following the principle of least privilege. Individuals who perform system maintenance must connect to the infrastructure using a VPN, and multiple layers of verification and authentication are enforced.

Maintenance activities are performed without impact or downtime to customers.