
Sprout Social Security

The Sprout Social application is a social media management platform for businesses, offering brands and agencies the ability to manage social media publishing, engagement, analytics, advocacy, and customer service across multiple networks and profiles. More information, including a product tour, can be found on our website here.

The security controls and measures documented below are specific to the Sprout application. In addition, all measures listed on the Security page apply.

Access Control

Authentication

By default, users log in to the Sprout application using a designated username and password, with two-step verification via email enforced. Customers can configure various password settings for their account, including strength, history, and rate limit configurations. Account passwords are salted and hashed using the latest strong algorithms and approaches, which are routinely audited. No human, our staff included, can ever view them. If you lose your password, it can't be recovered and must be reset.

Single Sign-on (SSO) via SAML 2.0 allows customers to provide their users with one set of login credentials to access multiple applications. Just-in-time (JIT) provisioning and setting default Roles for new users are also available. Instructions for configuring SSO can be found here.

Additionally, customers may replace email-based two-step verification with multi-factor authentication using a Time-based One-Time Password (TOTP, RFC 6238) or an HMAC-based One-Time Password (HOTP, RFC 4226) generated by an authenticator app such as Google Authenticator. Instructions for configuring two-step verification via TOTP or HOTP can be found here.
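To make the TOTP/HOTP option above concrete, here is an added example (not Sprout Social's code) that implements both algorithms from the standard library and checks them against the published RFC 4226/6238 test vectors. The shared secret, the 30-second step and the ±1-step tolerance window are the usual authenticator-app defaults and are assumptions here, not values the page specifies; the replay check (refusing a counter that has already been accepted) is a practice the example adds, not something the page describes.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Secret from the RFC 4226 / RFC 6238 test vectors (constructed input, not a real seed).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)           # keep leading zeros


def totp(secret: bytes, at: Optional[int] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None, step: int = 30,
                digits: int = 6, window: int = 1,
                last_accepted: Optional[int] = None) -> Optional[int]:
    """Server-side check. Accepts the current step and +/- `window` steps to tolerate
    clock drift, compares in constant time, and refuses any counter at or below the
    last one already accepted so a captured code cannot be replayed.
    Returns the matched counter (to be stored by the caller) or None."""
    t = int(time.time()) if at is None else at
    base = t // step
    matched = None
    for off in range(-window, window + 1):
        counter = base + off
        # Evaluate every candidate (no early return) so timing does not reveal the offset.
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            matched = counter
    if matched is None:
        return None
    if last_accepted is not None and matched <= last_accepted:
        return None                                           # replayed or stale code
    return matched


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps receive the seed base32-encoded (e.g. in an otpauth:// URI);
    pad it back out because many issuers strip the '=' padding."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


if __name__ == "__main__":
    # RFC 4226 Appendix D and RFC 6238 Appendix B vectors (SHA-1).
    print(hotp(RFC_TEST_SECRET, 0), totp(RFC_TEST_SECRET, at=59, digits=8))
    accepted = verify_totp(RFC_TEST_SECRET, "94287082", at=59, digits=8)
    print("accepted counter:", accepted)
    print("replay:", verify_totp(RFC_TEST_SECRET, "94287082", at=59, digits=8,
                                 last_accepted=accepted))
```

The `last_accepted` argument is what turns a correct TOTP computation into a safe verifier: without it, a code phished or shoulder-surfed within the tolerance window can be submitted again, and with a wider `window` that exposure grows.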

Authorization

Sprout offers a flexible, comprehensive permissions model where Account Owners and Administrators may restrict access to profiles, features, actions (including reading and writing), and other data by applying granular controls to users on their account. Groups can be configured to organize the social profiles within a Sprout account. Customers can then grant team members access to individual Groups based on how their business operates. Information on creating groups can be found here.

In addition to Groups, customers can set specific Permissions for each user. Company Permissions comprise any administrative permissions for a user, while Feature Permissions focus on access to particular tabs/features in Sprout. Information on configuring user permissions can be found here.

Account Owners and Administrators may restrict certain activities behind approval workflows. These workflows allow tasks to be divided amongst a team, with the peace of mind that central decision-makers may review and control public-facing actions.

Application Security

IP restrictions

Sprout Social may be configured to restrict application and API access by IP range, so that only connections from the ranges a customer specifies are accepted.

Global publishing pause

In times of crisis, your team has a single control that temporarily stops all scheduled and queued messages from being sent by Sprout Social. It is accessible from both the web and mobile applications.

Security best practices

Sprout Social wants to help you protect yourself from online security threats. We have published resources, including the Security Best Practices and Protecting Sensitive Information articles, to guide customers in fulfilling their shared security responsibilities.

Email signing

Sprout Social implements Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to ensure emails we send are authenticated as coming from Sprout Social, helping to prevent spoofing and ensure authenticity.

Audit trail logs

The Sprout application includes customer-facing audit trail logs that provide information on user activity within an account. Over fifty events and actions are logged in the audit trail, documenting the activity and the user who performed it. Information on the audit trail logs can be found here.

Brute-force protections

In addition to computationally expensive password hashing, which slows offline cracking, our authentication services apply rate limiting and reCAPTCHA to slow and block automated online guessing.

Cloud Hosting

Data centers

The Sprout Social application and associated infrastructure are hosted by Amazon Web Services (AWS). AWS operates secure, highly available, and redundant hosting facilities that are certified or attested against Cloud Security Alliance STAR Level 2, ISO 9001, ISO/IEC 27001, 27017, and 27018, PCI DSS Level 1, and SOC 1, 2, and 3. For more information on AWS's certifications and compliance programs, please visit https://aws.amazon.com/compliance/programs.

For optimal redundancy, Sprout Social also uses Google Cloud Platform (GCP) as a disaster recovery and backup hosting provider. For more information on GCP’s certifications and compliance programs, please visit https://cloud.google.com/trust-center.

Data locality

Understanding the importance of data residency, Sprout Social strives to provide accurate and comprehensive information regarding where customer data is processed and stored. Currently, all components of the Sprout Social application, including the infrastructure, application software, and customer data, are hosted across multiple regions and Availability Zones within the United States.

The specific locations can be found below:

  • Primary - AWS us-east-1 (N. Virginia)
  • Secondary - AWS us-west-2 (Oregon)
  • Disaster Recovery/Backup - GCP us-central1 (Iowa)

Infrastructure Security

Cryptography

All communications over public networks with the Sprout application and API use HTTPS with TLS 1.2 or higher enforced. All data, including backups, is encrypted at rest with AES-256 or stronger.

All application keys are managed natively through a secrets management system. Keys are rotated regularly according to policy and industry standards.

Cloud security

The Sprout application is designed natively for AWS and securely leverages dozens of AWS services. Prescriptive guides and benchmarks ensure that all services are configured according to vendor and industry security best practices, and regular configuration scanning confirms that those settings remain in effect.

While operating a multi-tenant cloud environment, Sprout Social ensures that each customer’s data is logically separated so that each customer can access only their own data. Various front-end and back-end verification measures operate continuously to enforce this separation.

Network security

The Sprout infrastructure is configured in a Virtual Private Cloud (VPC) segmented into multiple security zones, with controls becoming progressively stricter the closer a zone sits to customer data.

Servers are logically segmented using network access control lists, security groups, and firewall rules. Each server is dedicated to a single function, and unneeded ports and services are disabled.

Cloudflare, in conjunction with the AWS Web Application Firewall (WAF), protects the infrastructure against automated and manual attacks. Host-based Intrusion Detection Systems (IDS) are deployed on all production systems.

Maintenance

The infrastructure is built and maintained following zero-trust principles. Personnel are granted access to systems strictly based on what their role requires, following the principle of least privilege. Individuals who perform system maintenance must connect to the infrastructure through a VPN, and multiple layers of verification and authentication are enforced.

Maintenance activities are performed without impact or downtime to customers.