Policies & Data

Data Centre Security

To uphold our commitment to security, we host our systems on cloud service providers that align with our stringent security standards. Currently, we use the Google Cloud Platform, which reflects our values and provides robust physical security measures. For further information on their physical security practices, please visit cloud.google.com/security.

Encryption

We employ encryption at-rest, at-work, and in-transit to ensure the protection of customer data. All our encryption processes adhere to the best practices provided by Google, our trusted encryption provider. This means that all data transmitted between you and our services is encrypted using transport layer security (TLS), and all data stored within Google is encrypted for maximum security.

Two-Factor Authentication and Security Keys

We require employees to use two-factor authentication (2FA) whenever possible for the services we use as a business. We provide employees with Security Keys (FIDO U2F) and prefer their use over time-based one-time passwords and text message-based two-factor authentication solutions. Whenever feasible, we enforce the use of 2FA through the security keys. This ensures that even if a password is compromised, unauthorised access is prevented as cyber attackers would also need physical possession of our hardware.

Role-Based Access

Access to SparkLayer systems is granted to employees on a need-to-know basis, limiting the scope of potential compromise and ensuring security is maintained.

Internal Security Training and Policies

SparkLayer maintains a comprehensive set of internal security policies that all employees are required to understand and adhere to. These policies cover various aspects, including the use of strong passwords, full-disk encryption of business computers, email policies, limitations on data use and storage, and more.

Security-Minded Software Development Practices

We adhere to the principle of "security by design" in our software development practices, integrating security considerations throughout the entire software development life cycle. This includes implementing secure coding standards to prevent common vulnerabilities, conducting code reviews before deployment to production, and employing automated testing to identify potential security weaknesses. Our staff undergo regular training to ensure they remain up to date with the latest practices recommended by the Open Web Application Security Project (OWASP).

Up-to-Date Software

To mitigate known vulnerabilities, SparkLayer ensures the use of up-to-date versions of operating systems, kernels, packages, and libraries. We prioritise automation as much as possible, using our CI/CD platform, GitHub, to streamline the process of keeping our software stack current and secure in our production environment.

Backups

For all systems containing customer data, we have implemented automated daily backups. Additionally, we enable point-in-time recovery wherever possible. We rely on our trusted Google cloud provider to handle backup operations, ensuring that backups are encrypted and stored in three separate data centres.

Review and Update

Regular review and testing are essential for the effectiveness of any policy. At SparkLayer, we conduct thorough policy reviews and testing twice a year. This enables us to identify areas for improvement and promptly implement necessary actions to enhance our security and policies.

SparkLayer remains committed to the highest standards of data security, continuously improving our practices to safeguard customer information.

When an incident is identified, it's brought to the wider team's attention via our internal communication platform. An experienced team member is then chosen to lead the incident, taking charge of communication and delegating tasks to make sure the incident is resolved quickly.

Incidents are classified based on their severity and potential effect on our customers and services. This classification determines the resources allocated to handle the incident and the level of communication needed.

Once an incident is identified and classified, our Incident Response Team (IRT) will start suitable response procedures:

• Investigation: The IRT will start by probing the incident to find its cause and potential impact.
• Containment and Eradication: The IRT will work to contain the incident and prevent further damage, then focus on eliminating the incident's source.
• Recovery and Restoration: The IRT will then prioritise recovering the affected systems and getting services back to normal.
• Post-Incident Review: After resolving the incident, the IRT will conduct a review to understand the root cause, evaluate the response's effectiveness, and pinpoint areas for improvement.

Throughout the incident management process, we aim to keep our customers in the loop. We understand that communication is vital during these events, and we'll provide regular updates on the incident's status and our response.

We encourage our customers to report any incidents or security concerns related to our services. This can be done by emailing our customer support team at support@sparklayer.io with "URGENT - Security" in the subject line.

We regularly review and test this Incident Management Plan to ensure it remains current and effective. Our goal is to continually enhance our incident response capabilities to serve our customers better.



In such events, our primary objective will be to ensure the continuance of our software development and customer support functions, thereby maintaining uninterrupted service for our customers. Additionally, we will strive to protect our organisational infrastructure, preserve the integrity of customer data, and ensure the financial viability of our operations.

The CEO will lead the execution of this plan in a disaster situation. A dedicated Business Continuity Team, comprising members from various departments, will support them. Their roles will include, but not be limited to, managing communication, preserving resources, and coordinating recovery efforts.

To support immediate communication in the event of a disruption, we maintain an up-to-date list of emergency contacts for our staff, key vendors, and customers. This list will be utilised to communicate crucial information about the situation and our response.

Upon the onset of a disaster, our first response will prioritise the safety of our employees. Ensuring our team is safe and secure is paramount to our recovery efforts. Following this, we will initiate our disaster recovery strategies, focusing primarily on restoring our SaaS services, which form the backbone of our service delivery.

We have identified key operational areas and their requisite resources to guide our recovery strategy. This includes hardware and software systems, physical locations, and critical personnel. Our strategy includes offsite data backup and recovery systems, alternative communication methods, remote working capabilities, and redundancy plans for critical roles.

Throughout this process, we will maintain a clear and constant line of communication with our customers to keep them informed about our recovery progress and expected service resumption times. Regular updates will be provided via email and, when necessary, directly via phone.

This Business Continuity Plan undergoes regular review and testing to ensure its effectiveness and adaptability to evolving business needs and potential risks. Any lessons learned from the reviews, tests, or actual events will be used to enhance our strategies and procedures continuously, thereby reinforcing our preparedness to deal with future disruptions.