Protecting and securing data at Spot is our top priority.
| Topic | Details |
|---|---|
| Data centers | Spot takes advantage of the scalable infrastructure of AWS (Amazon Web Services), allowing us to achieve high uptime and reliability and to ensure that your data is secure. Our servers are located in Europe (Ireland, London, Paris). The infrastructure provided by AWS is ISO 27001, SOC 1, and SOC 2 certified. Physical access to the data center is strictly controlled both at the perimeter and at building ingress points by professional security staff, using video surveillance, state-of-the-art intrusion detection systems, biometric locks, and other electronic means. For more compliance information on the AWS infrastructure on which Spot runs, you can visit AWS Security and AWS Compliance. |
| Security testing | To ensure that our platform is built and operates securely, we engage a third-party security firm to run penetration tests on a regular basis. The results of those tests are carefully analyzed, and any required fixes or improvements are prioritized on our roadmap. In addition to regular penetration testing, we run monthly automated vulnerability scans of our infrastructure. Further, our code repository is scanned on each code change for vulnerable dependencies. With these measures in place, we discover and act on misconfigurations or vulnerable dependencies extremely quickly. Our Software Development Life Cycle Policy describes in detail the steps we take to ensure that changes to the Spot service follow strict guidelines for security analysis, implementation, and testing. We're happy to share our latest reports as well as our policies on these topics. Please contact us at [email protected]. |
| Data storage | To minimize the chances of your information being hacked or stolen, we only store data when absolutely necessary. Conversations with Spot remain private until the reporter decides to submit the report they create. Our Data Retention Policy and Access Control Policy (both available on request) clearly outline what happens with our customers' data and the measures we take to ensure that data is stored securely. Spot takes hourly automated backups, which are retained for 7 days. All backups are stored on encrypted storage, with access limited to key people on the Spot team. Log data is stored for 90 days, but it doesn't contain any personal data. Backups are located where our servers are hosted: AWS's EU-West 1 location (Ireland, London, Paris). |
| Passwords | We never store passwords in a form that can be retrieved. Instead, we store an irreversible cryptographic hash using a function specifically designed for this purpose. Authentication sessions are invalidated when users change key information, and sessions automatically expire after a period of inactivity. |
| Two-factor authentication | We require all administrators with access to the Spot dashboard to use two-factor authentication (TOTP) to ensure that external parties cannot gain access to your company's sensitive data. We also provide optional single sign-on (SSO). |
| Monitoring | We monitor and rate limit authentication attempts on all accounts. |
| HTTPS | All Spot web traffic is served over HTTPS. We force HTTPS for all web resources, including our REST API, web app, and public website. We also use HSTS to ensure that browsers communicate with our services using HTTPS exclusively. Additionally, we use only strong cipher suites. |
| Encryption | Our primary databases, including backups, are fully encrypted at rest. In addition, all archives and logs are fully encrypted at rest. We use industry-standard encryption algorithms. |
| Policies | Spot has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with employees. |
| Incident response | Spot has a defined protocol for responding to security events. |
| Security training | All employees complete security training when they join and receive refresher training on an ongoing basis. |
| Employee vetting | Spot performs background checks on all new employees in accordance with local laws. The background check includes employment verification and, for US employees, criminal record checks. |
| Confidentiality | All employees have signed a confidentiality agreement with Spot. |
| PCI compliance | All credit card payments made to Spot go through our payment processing partner, Stripe. Details about their security posture and PCI compliance can be found on Stripe's Security page. |
| Disclosure | If you have any concerns or discover a security issue, please contact us directly. Our Security team will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution. We request that you do not publicly disclose any issue you discovered until after we have addressed it. |
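The "Passwords" and "Monitoring" rows above describe three controls at a high level: password storage as an irreversible, purpose-built hash; session invalidation on key changes and after inactivity; and rate limiting of authentication attempts. The following Python sketch is an added example written for this page, not Spot's code, showing how those three controls fit together in one login service. The choice of PBKDF2-HMAC-SHA256 (with a random per-user salt and constant-time comparison), the attempt limit of 5 per 60 seconds, and the 30-minute idle timeout are assumptions made for the example; nothing on the page states which function or parameters Spot uses.

```python
import hashlib
import hmac
import os
import time
from collections import deque

# Assumed parameters for this example only (not Spot's settings).
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor
MAX_ATTEMPTS = 5                     # login attempts allowed per account per window
WINDOW_SECONDS = 60
SESSION_IDLE_SECONDS = 30 * 60       # idle sessions expire after this long


def hash_password(password: str) -> bytes:
    """Return salt || PBKDF2 digest. The password itself is never stored."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class AuthService:
    """In-memory login service: hashed credentials, rate limiting, idle sessions."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                 # injectable so tests can move time forward
        self.users = {}                    # username -> salt||digest
        self.attempts = {}                 # username -> deque of attempt timestamps
        self.sessions = {}                 # token -> (username, last_seen)

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def _rate_limited(self, username: str) -> bool:
        """Sliding window: count attempts in the last WINDOW_SECONDS, record this one."""
        now = self.clock()
        window = self.attempts.setdefault(username, deque())
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_ATTEMPTS:
            return True
        window.append(now)
        return False

    def login(self, username: str, password: str):
        """Return a session token on success, else None.

        The rate-limit check runs before the (expensive) hash verification, so a
        flood of attempts cannot burn CPU or bypass the limit with a correct password.
        """
        if self._rate_limited(username):
            return None
        record = self.users.get(username)
        if record is None or not verify_password(password, record):
            return None
        token = os.urandom(16).hex()
        self.sessions[token] = (username, self.clock())
        return token

    def session_user(self, token: str):
        """Resolve a token to a username, expiring it if idle too long."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, last_seen = entry
        if self.clock() - last_seen > SESSION_IDLE_SECONDS:
            del self.sessions[token]
            return None
        self.sessions[token] = (username, self.clock())   # refresh activity time
        return username

    def change_password(self, username: str, new_password: str) -> None:
        """Rehash the new password and invalidate every session for that user."""
        self.users[username] = hash_password(new_password)
        stale = [tok for tok, (user, _) in self.sessions.items() if user == username]
        for tok in stale:
            del self.sessions[tok]


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")   # constructed sample user
    token = svc.login("alice", "correct horse battery staple")
    print("login ok:", token is not None, "| user:", svc.session_user(token))
    svc.change_password("alice", "new passphrase")
    print("old session after password change:", svc.session_user(token))
```

The stored record contains only the salt and the digest, so nothing in `users` can be turned back into the password; `verify_password` reproduces the digest from the candidate and compares it with `hmac.compare_digest` to avoid a timing side channel. Because `_rate_limited` records every attempt, successful or not, an account cannot be brute-forced by interleaving guesses with valid logins.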