Statement on Security in SPOTIO

We build SPOTIO to support customers with their CRM needs, storing and processing data in a secure way. Keeping our platform secure is vital to protecting the data it processes.

Our security strategy covers all aspects of our business, including:

  • SPOTIO security policies
  • Physical and environmental security
  • Operational security processes
  • Scalability & reliability of our system architecture
  • Data access and
  • Systems development and maintenance
  • Service development and maintenance
  • Regularly working with third-party security experts
  • Regular security scans

SPOTIO Security Policies

Every SPOTIO employee signs a Data Access Policy that binds them to the terms of our data confidentiality policies, available at spotio.com/terms and spotio.com/privacy. Access rights are based on the employee’s job function and role. All system access is role-based and is controlled according to best practices.

External security audits

SPOTIO organizes regular security scans that cover all aspects of the system. This means that an independent third party checks our system security as well as our processes: development, deployment, and system access.

Security in our Software Development Lifecycle

SPOTIO uses the Git revision control system and Azure DevOps to automate all code-related processes. All changes are tested with unit tests in code and with automated E2E tests on test and prerelease environments. All code changes also go through code review, so each change requires senior developer approval.

SPOTIO has a staging environment and a prerelease environment. All changes are first tested on staging, then on prerelease, where customers are often able to check changes early. We also add a specific security review for particularly sensitive changes and features: triple checks and A/B tests for releases.

SPOTIO engineers also have the ability to “cherry-pick” critical updates and push them immediately to production servers.

Our build pipeline runs security checks on all libraries and Docker images we use to find vulnerabilities of any type.

Our build pipeline also runs static code analysis using SonarQube.

We also execute network scanning tools against our production servers.

Our E2E tests check not only functionality but also access control to the system over the API, per role permission and per data access permission. Each test is executed on every new build of the application.

Security at the SPOTIO office

SPOTIO

Our office is secured via keycard access, which is logged, and visitors are recorded at our front desk.

SPOTIO Architecture & Scalability

Scalability/Reliability of Architecture

SPOTIO uses the Azure platform. Our configuration is fully redundant across multiple Azure regions. All data is replicated synchronously, in real time, to secondary data centers. If one region stops working, we automatically switch traffic to another region. All our data is covered by 1-minute snapshot backups for 35 days and can be easily restored.

SPOTIO uses a Desired State Configuration approach on its Kubernetes cluster, which means that in case of a region failure we are able to recreate our infrastructure in other regions pretty quickly.

Our disaster recovery plan is to restore all PaaS services and recreate the Kubernetes cluster. We tested it, and it all took 2 hours.

All data stored in SPOTIO is encrypted.

We currently host data in US Azure data centers (West US and East US) and in EU Azure data centers (West Europe).

For more references please see here:

https://docs.microsoft.com/en-us/azure/security/fundamentals/

Encrypted Transactions

SPOTIO uses Cloudflare as an edge layer. We use Cloudflare's top security options:

– Always Use HTTPS – all our traffic is encrypted

– SSL/TLS encryption mode – FULL – encrypts end-to-end, but requires a trusted CA or Cloudflare Origin CA certificate on the server

– Minimum TLS Version – TLS 1.2, meaning we prohibit connections lower than TLS 1.2

– Web Application Firewall – with blocking mechanism

– DDOS protection
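One way to check a zone for drift from the settings listed above, as an added example that is not SPOTIO's own code: it audits an exported settings list against that baseline. The setting ids follow Cloudflare's zone-settings API; the export shape and the two sample exports are constructed assumptions.

```python
# Added example: audit a Cloudflare zone-settings export against the
# baseline listed above (HTTPS always on, SSL mode Full, TLS >= 1.2, WAF on).
SSL_MODES = ["off", "flexible", "full", "strict"]   # weakest to strongest
TLS_VERSIONS = ["1.0", "1.1", "1.2", "1.3"]         # oldest to newest

BASELINE = {
    "always_use_https": ("equals", "on"),
    "ssl": ("at_least", "full", SSL_MODES),
    "min_tls_version": ("at_least", "1.2", TLS_VERSIONS),
    "waf": ("equals", "on"),
}

def audit_zone_settings(settings):
    """Return a list of findings; an empty list means the baseline is met.

    `settings` is assumed to be a list of {"id": ..., "value": ...} objects,
    as in the `result` array of a zone-settings response.
    """
    actual = {s["id"]: s["value"] for s in settings}
    findings = []
    for setting_id, rule in BASELINE.items():
        if setting_id not in actual:
            # A setting absent from the export is reported, never assumed on.
            findings.append(f"{setting_id}: missing from export")
            continue
        value, kind, wanted = actual[setting_id], rule[0], rule[1]
        if kind == "equals":
            ok = value == wanted
        else:
            order = rule[2]
            # Unknown values fail closed instead of being treated as strong.
            ok = value in order and order.index(value) >= order.index(wanted)
        if not ok:
            findings.append(f"{setting_id}: got {value!r}, need {kind} {wanted!r}")
    return findings

# Constructed sample exports (not real zone data).
COMPLIANT = [
    {"id": "always_use_https", "value": "on"},
    {"id": "ssl", "value": "full"},
    {"id": "min_tls_version", "value": "1.2"},
    {"id": "waf", "value": "on"},
]
DRIFTED = [
    {"id": "always_use_https", "value": "on"},
    {"id": "ssl", "value": "flexible"},
    {"id": "min_tls_version", "value": "1.0"},
]

if __name__ == "__main__":
    for name, zone in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(name, audit_zone_settings(zone) or "OK")
```

Run on a schedule against a fresh export, a non-empty result flags a weakened edge setting before it is noticed any other way.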

SPOTIO is configured so that direct traffic from the Internet is blocked; traffic can reach it only through Cloudflare infrastructure.

SPOTIO Information Security

Employee Workstations, Laptops, & Mobile Devices

All laptops and workstations are secured via full disk encryption. All stations use software to protect against viruses and malware. All stations are set up to install the latest software upgrades.

Security Consulting and Application Review

We work with external security advisors to ensure infrastructure is safe and secure.

Data Center Security

Azure

Azure employs a robust physical security program with multiple certifications.

For more information on Azure security please visit

https://azure.microsoft.com/en-us/overview/trusted-cloud/

https://azure.microsoft.com/en-us/overview/trusted-cloud/compliance/

https://azure.microsoft.com/en-us/overview/trusted-cloud/privacy/

https://docs.microsoft.com/en-us/azure/security/

https://docs.microsoft.com/en-us/azure/security/fundamentals/physical-security

https://azure.microsoft.com/en-us/blog/3-reasons-why-azure-s-infrastructure-is-secure/

Product Features

Administrator Management Features

  • Authentication to infrastructure – SPOTIO infrastructure administrators can force employees to authenticate to Azure Active Directory with 2-factor authentication. We use 2FA in Azure Active Directory for all employees, and we can revoke access immediately or enforce a password change.
  • Authentication to customer accounts – customer support users can assist users who need help logging into customer accounts using one-time SMS passwords. All logins are registered and an audit log is available for review.
  • User Management – Administrators can see the user list, company details, and usage events. Additionally, they can impersonate user accounts in the way described above. All operations are recorded in the audit log.

User Features

  • Roles, User permissions, Territory permissions – Customers determine who can access data based on roles (admin, manager, sales rep), specific permissions, and territory access (based on hierarchy). Access to your account is based on email/SMS invitations. Each account can be suspended immediately, with immediate effect on the end device (mobile, web browser).

Privacy

Privacy Policy

SPOTIO’s privacy policy, which describes how we handle data input into SPOTIO, can be found at spotio.com/privacy.

Availability

We are committed to making SPOTIO consistently available to you and your team members. Our systems have built-in redundancy, auto-healing, active monitoring and constant health checks, both basic and extended (smoke tests). All of this ensures the system runs with high availability, with an SLA of 99.9%.

You can always check our live health status here: https://status.spotio2.com