Security at ThriveSparrow

Introduction

Overseeing our customer data goes beyond being a mere obligation; it constitutes a genuine passion within our company. We firmly believe that earning our customers' trust is an ongoing endeavor. To achieve that, we go beyond the routine adherence to norms and checkboxes; we infuse a sense of awareness and optimal approaches into our corporate ethos. This ensures that security and data privacy remain paramount when  shaping our application, overseeing our networks, and conducting our daily business.

ThriveSparrow maintains a dedicated security team that includes not only security specialists, but every member of our company because we know security is only as strong as your weakest link.

Vulnerability Disclosure

If you would like to report a vulnerability, please contact security@thrivesparrow.com with a proof of concept, a list of tools used, and the output of the tools. Once received, ThriveSparrow will work quickly to reproduce each vulnerability and verify its status before taking the steps needed to address it.

Compliance and Certification

The Data Processor agrees to process the Data only in accordance with relevant data protection laws and in particular on the following conditions:

ISO 27001

ThriveSparrow has undergone ISO 27001 Audits. At ThriveSparrow, our commitment to security is reflected in our ISO 27001 compliance. This certification underscores our stringent information security management practices and continuous improvement to safeguard customer data.

Read more

GDPR

ThriveSparrow aligns with the GDPR standards. If your clientele includes European Union residents who utilize ThriveSparrow, we suggest establishing a Data Processing Agreement (DPA) with ThriveSparrow to ensure compliance with data protection requirements.

Read more

SOC2 Type II

Put forth by the American Institute of Certified Public Accountants (AICPA), SOC 2 Type II is a comprehensive reporting framework that defines and outlines criteria to manage customer data based on five trust service principles — security, availability, processing integrity, confidentiality, and privacy.

Read more

CYBER ESSENTIALS

Cyber Essentials certification demonstrates our commitment to robust cybersecurity practices by meeting a UK government-backed standard for protecting systems and data against common online threats. ThriveSparrow’s systems have been independently audited by an IASME-approved assessor.

Read more

Infrastructure and Network Security

Servers

ThriveSparrow relies on Amazon Web Services (AWS) to host our infrastructure. AWS data centers are fortified with multiple layers of physical access safeguards, including alarms, crash-rated outer perimeter fencing, electronic access cards, video surveillance, and internal trip lights. While we can't provide the exact physical address due to Amazon's security policies, you can find more details about AWS Security features in their whitepaper.

To maintain software security, we employ a mix of automated and manual assessments to identify potential vulnerabilities in our systems. Our dedicated Infrastructure team stays current by reviewing security bulletins and prioritizing fixes based on our internal vulnerability policy.

Logical Access Control

ThriveSparrow has complete control over its infrastructure on AWS. This means that ThriveSparrow has full ownership and responsibility for its infrastructure, including the servers, storage, and networking resources that it uses. ThriveSparrow is not reliant on a third-party provider to manage its infrastructure.

Only authorized members of the ThriveSparrow Infrastructure Team can access and configure infrastructure. This ensures that only people who have been specifically authorized to do so can make changes to ThriveSparrow’s infrastructure. This helps to protect ThriveSparrow’s infrastructure from unauthorized access and tampering.

All access to infrastructure requires two-factor authentication (2FA). 2FA adds an extra layer of security to access infrastructure by requiring users to enter a code from their phone in addition to their password. This helps to prevent unauthorized access to infrastructure even if a user's password is compromised.

The levels of authorization for infrastructure components are based on the principle of least privilege. This means that users are only granted the permissions they need to perform their job functions. This helps to protect ThriveSparrow's infrastructure from unauthorized access and misuse.

Penetration Testing

ThriveSparrow engages in annual grey box penetration testing carried out by an independent third-party agency. Additionally, ThriveSparow performs quarterly internal vulnerability assessment and penetration testing (VAPT). The corresponding reports are accessible upon request.

Third-Party Audit

Amazon Web Services undergoes third-party independent audits and can provide verification of compliance controls for its infrastructure. This includes but is not limited to, ISO 270001, SOC 2, and PCI.

Business Continuity and Disaster Recovery

Business Continuity

Each aspect of the ThriveSparrow service operates on suitably provisioned and duplicated servers, including multiple load balancers, web servers, and replica databases, to ensure continued functionality in the event of any failures. Our deployments are seamless with zero downtime, facilitated by Kubernetes. We enforce a controlled rollout and rollback strategy for services to swiftly address any deployment errors.

Application Security

Data Encryption

All data residing on ThriveSparrow servers is automatically encrypted at rest using AWS AES-256 and all the data in transit using Strict TLS 1.2

Secure Application Development

ThriveSparrow adheres to a continuous delivery approach, ensuring that code changes undergo a swift cycle of committing, testing, shipping, and iterating. This methodology is reinforced by pull request assessments, continuous integration (CI), and automated security scans, which include the utilization of SonarQube for static code analysis and Dynamic Application Security Scanners. These measures substantially minimize the potential for security concerns and enhance the promptness of addressing vulnerabilities. Internally, every code alteration requires approval from an authorized reviewer, and deploying to our production environment is contingent upon comprehensive code reviews.

Security Policies

ThriveSparrow maintains internal copies of security documentation, which are updated on an ongoing basis and reviewed annually for gaps:

Information Security Policy
Data processing Agreement
Risk Assessment Procedure
Incident Response Plan
Business Continuity Procedure
Secure Development Policy
Cloud Security Policy
Threat Intelligence Policy

Background Checks

ThriveSparrow conducts mandatory background and reference checks for all employees prior to joining our team.

Security Training

Upon onboarding and annually thereafter, ThriveSparrow ensures the completion of a mandatory security awareness training program for both new and existing team members. This training encompasses the OWASP Top 10 vulnerabilities in the programming languages relevant to our developers.

Disclosure Policy

In case of a data breach, ThriveSparrow adheres to GDPR guidelines, requiring customer notification within 48 hours of the breach, wherever possible.

ThriveSparrow offers a real-time operational status report on our dedicated page, allowing individuals to receive email notifications by subscribing to updates.

‍