Platform Security
Spond is proud to assist millions of coaches, players, volunteers, and many others in organizing the activities they love. Protecting the data of our users is a top priority for Spond, and this article will provide you with some high-level insights into the security controls we have in place.
Cloud provider and data location
Spond’s infrastructure is hosted by Amazon Web Services (AWS), one of the world’s most comprehensive and adopted cloud platforms with a proven track record for security.
Data related to our platform is located in the EU, more specifically in Dublin, Ireland and Frankfurt, Germany.
AWS is accredited with several certifications, including but not limited to SOC II, ISO 27001 and CSA STAR. Downloadable copies of ISO 27001 and CSA STAR can be found here, and information about AWS’ compliance with SOC can be found here.
Quality assurance
The platform is continuously tested through both automated and manual testing.
Payments
Spond does not process payments or store card details. Payment services within Spond are provided by Spond’s payment providers, including Stripe, Checkout and Nets.
Penetration testing
Penetration testing of the Spond platform is performed at least once per year by an independent security research company.
Encryption
Client-to-server sessions are encrypted using TLS 1.2 or a higher version, depending on client compatibility. Internal service communication is both authenticated and encrypted.
All data storage and databases are encrypted.
Support
Spond has support through email and chat, including an on-call engineering team for triage.
Backup and recovery
The Spond platform uses continuous backups, also known as Point-In-Time Recovery, which allow up-to-the-minute data restoration. In addition, full backups are performed daily, with copies across regions for added availability and resilience.
Privacy & Legal
Privacy by design
Development at Spond is guided by the principle of Privacy by Design. The privacy impact of each new feature is carefully assessed before the feature is selected for development.
GDPR and Data Protection Authority
Spond is based in Norway, and thus reports to the Norwegian Data Protection Authority (Datatilsynet) and is required to implement and adhere to the GDPR.
Dedicated Data Protection Officer & Legal team
Spond has a dedicated Data Protection Officer as well as access to a dedicated legal team for privacy-related matters. If you have any questions about this, please contact us.
Sub-processors
Spond uses third-party service providers for delivering parts of the service. All third-party service providers are required to enter into a Data Processing Agreement with Spond. Spond maintains a list of all sub-processors and affiliates, which can be accessed here.