Security Overview

Version 2.0: March 5, 2020

To earn and maintain the trust of the world’s most progressive and people-focused companies, Sapling takes all reasonable precautions to protect the confidentiality, integrity and availability of all systems and data entrusted to us by our customers and their employees.

This overview highlights the best practices for information security and technology management that Sapling follows in order to deliver on this commitment.

Sapling seeks to do everything in its power to keep its data and systems safe. We regularly review our security policies and procedures to adhere to the highest industry standards. If you would like to know more or speak to our security team, please contact techteam@trysapling.com with specific questions.

You may report any unethical behavior or feedback on Sapling practices in a confidential manner by emailing at hotline@trysapling.com.


  • Sapling is a web-based platform for managing new-employee onboarding.
  • All applications and supporting services are hosted on modern, Linux based operating systems and built upon modern application development frameworks.
  • All production systems are hosted on Amazon’s AWS cloud platform, in US regions.
  • All software, systems and networks are configured with security as a requirement.


  • All new application features are developed in a separate environment and rigorously tested before release applying best practices in web application security.
  • Access to the Sapling platform is authenticated using customer specified passwords.
  • The Sapling platform supports multiple levels of access for administrative functions and are configurable by customer designated Administrators.
  • All passwords are hashed with the bcrypt algorithm and salted with a unique salt for each hash.
  • Local account passwords are required to meet minimum length and complexity requirements.


  • Sapling application, database and software components are all maintained on AWS infrastructure.
  • AWS Service Organization Control (SOC) Reports are independent third-party examination reports that demonstrate how AWS achieves key compliance controls and objectives.
  • Amazon gates their SOC 2 Report and PCI DSS reports, however SOC 3 is a publicly available summary of SOC 2 (available here without NDA)
  • The document outlines that AWS meets the AICPA’s Trust Security Principles in SOC 2 and includes the external auditor’s opinion of the operation of controls.
  • Sensitive information (i.e. Social Security Numbers) are encrypted in our database using the Advanced Encryption Standard (AES).
  • Sapling has also achieved both SOC 2 Type 1 and SOC 2 Type 2 compliance.


  • Sapling follows secure development practices and provides ongoing training for employees in secure development methodologies.
  • All role-based access to privileged application functionality is granted on an explicit whitelist basis.
  • A strict peer-review process is followed for all code changes, including additional security review for changes to sensitive functionality.
  • Automated security code analysis tools are used to provide ongoing identification of security issues.


  • Sapling production environments are fully segregated from corporate, development and test environments.
  • All of Sapling’s production web application traffic is inspected by an intrusion detection and prevention system. Any anomalies are logged and suspected attacks create automatic alerts to personnel for investigation, response and resolution.
  • Host and network based access control lists are used to limit traffic to only necessary systems and services.
  • Access to the Sapling platform is made available only via SSL/TLS supporting secure cipher suites.
  • Sapling’s production servers are subjected to regular vulnerability scans and penetration tests from our internal security team.
  • Patches are applied on a regular basis depending on the assessed level of risk.
  • Critical vulnerabilities are remediated within 24 hours.


  • Sapling logs all system and application activity to a centralized logging service where it is monitored
  • Sapling assesses the risk of all new third party services and systems before adoption, and implements contractual, organizational and technical controls commensurate with the assessed risk.
  • At minimum, all third party services and systems are verified for consistency with this security overview document.
  • Access logs are retained for at least 90 days.


  • Access to customer data is tightly controlled with access only granted to users with a business requirement, for example, to provide implementation or support services.
  • Backups are performed 3 times a day.
  • Upon written request from an authorized customer account representative, customer data will be removed permanently from Sapling production systems and also removed during any backup restoration event.