To earn and maintain the trust of the world’s most progressive and people-focused companies, Sapling takes all reasonable precautions to protect the confidentiality, integrity and availability of all systems and data entrusted to us by our customers and their employees.
Our customers entrust sensitive data to our care and we’ll never stop improving the security, availability, and robustness of our platform.
Sapling undergoes regular penetration testing and security reviews, designed to be GDPR compliant, and encrypts data at rest and in transit.
If you'd like to request our Security White-Paper or SOC2 report, please reach out to firstname.lastname@example.org with your use case, title and contact information.
Our production systems are hosted on Amazon’s AWS cloud platform and all software, systems and networks are configured with security as a key requirement.
We use the industry-standard, AWS to host our application and data. Our EC2 servers and databases are located in AWS US regions across multiple availability zones (data centers).
We rely on a shared security model to ensure industry standard (ISO 27001 and SOC-2) controls are implemented for data and service security. Amazon provides physical security to our technology systems and we have several architectural controls in place to ensure the same
Sapling has achieved SOC2 Type 2 compliance - a critical security milestone in providing assurance to our customers about Sapling and Organization controls.
Sapling is committed to meeting the requirements of GDPR, and achieved GDPR compliance in May 2018. As a solution partner, Sapling is a data processor as we support our customers with the processing the data of their employees (classified as data subjects).
All applications and supporting services are hosted on modern, Linux based operating systems and built upon modern application development frameworks.
All production systems are hosted on Amazon’s AWS cloud platform, in US regions.
All software, systems and networks are configured with security as a requirement.
All new application features are developed in a separate environment and rigorously tested before release applying best practices in web application security.
The Sapling platform supports multiple levels of access for administrative functions and are configurable by customer designated Administrators.
All passwords are hashed with the bcrypt algorithm and salted with a unique salt for each hash.
Local account passwords are required to meet minimum length and complexity requirements.
Sapling application, database and software components are all maintained on AWS infrastructure.
Amazon gates their SOC 2 Report and PCI DSS reports, however SOC 3 is a publicly available summary of SOC 2 available here without NDA
The document outlines that AWS meets the AICPA’s Trust Security Principles in SOC 2 and includes the external auditor’s opinion of the operation of controls.
Sensitive information (i.e. Social Security Numbers) are encrypted in our database using the Advanced Encryption Standard (AES).
Sapling follows secure development practices and provides ongoing training for employees in secure development methodologies.
All role-based access to privileged application functionality is granted on an explicit whitelist basis.
A strict peer-review process is followed for all code changes, including additional security review for changes to sensitive functionality.
Automated security code analysis tools are used to provide ongoing identification of security issues.
Sapling production environments are fully segregated from corporate, development and test environments.
All of Sapling’s production web application traffic is inspected by an intrusion detection and prevention system. Any anomalies are logged and suspected attacks create automatic alerts to personnel for investigation, response and resolution.
Host and network based access control lists are used to limit traffic to only necessary systems and services.
Access to the Sapling platform is made available only via SSL/TLS supporting secure cipher suites.
Sapling’s production servers are subjected to regular vulnerability scans and penetration tests from our internal security team.
Patches are applied on a regular basis depending on the assessed level of risk.
Critical vulnerabilities are remediated within 24 hours.
Sapling logs all system and application activity to a centralized logging service where it is monitored
Sapling assesses the risk of all new third party services and systems before adoption, and implements contractual, organizational and technical controls commensurate with the assessed risk.
At minimum, all third party services and systems are verified for consistency with this security overview document.
Access to customer data is tightly controlled with access only granted to users with a business requirement, for example, to provide implementation or support services.
Backups are performed 3 times a day.
Upon written request from an authorized customer account representative, customer data will be removed permanently from Sapling production systems and also removed during any backup restoration event.
Data security is a top priority for Sapling, and Sapling believes that working with skilled security researchers can identify weaknesses in any technology.
If you believe you’ve found a security vulnerability in Sapling’s service, please notify us by emailing at email@example.com; we will work with you to resolve the issue promptly.