Security at Sapling

Sapling utilizes enterprise-grade best practices to protect our customers.

Our Security Commitment

To earn and maintain the trust of the world’s most progressive and people-focused companies, Sapling takes all reasonable precautions to protect the confidentiality, integrity and availability of all systems and data entrusted to us by our customers and their employees.

Our customers entrust sensitive data to our care and we’ll never stop improving the security, availability, and robustness of our platform.

Sapling undergoes regular penetration testing and security reviews, is designed to be GDPR compliant, and encrypts data at rest and in transit.

If you'd like to request our Security White-Paper or SOC2 report, please reach out to security@trysapling.com with your use case, title and contact information.

Secure and Reliable Infrastructure

Our production systems are hosted on Amazon’s AWS cloud platform and all software, systems and networks are configured with security as a key requirement.

We use AWS, the industry standard, to host our application and data. Our EC2 servers and databases are located in AWS US regions across multiple availability zones (data centers).

We rely on a shared security model to ensure industry-standard (ISO 27001 and SOC-2) controls are implemented for data and service security. Amazon provides physical security to our technology systems and we have several architectural controls in place to ensure the same.

Enterprise Grade Compliance

SOC 2 Type II

Sapling has achieved SOC2 Type 2 compliance - a critical security milestone in providing assurance to our customers about Sapling and Organization controls.

European Union


Sapling is committed to meeting the requirements of GDPR, and achieved GDPR compliance in May 2018. As a solution partner, Sapling is a data processor, as we support our customers with processing the data of their employees (classified as data subjects).

Our Security Practices and Commitments

Technology Overview

  • All applications and supporting services are hosted on modern, Linux-based operating systems and built upon modern application development frameworks.

  • All production systems are hosted on Amazon’s AWS cloud platform, in US regions.

  • All software, systems and networks are configured with security as a requirement.

Application Design & Security

  • All new application features are developed in a separate environment and rigorously tested before release, applying best practices in web application security.

  • The Sapling platform supports multiple levels of access for administrative functions, which are configurable by customer-designated Administrators.

  • All passwords are hashed with the bcrypt algorithm and salted with a unique salt for each hash.

  • Local account passwords are required to meet minimum length and complexity requirements.

Database Security

  • Sapling application, database and software components are all maintained on AWS infrastructure.

  • Amazon gates its SOC 2 and PCI DSS reports; however, SOC 3 is a publicly available summary of SOC 2, available here without an NDA.

  • The document outlines that AWS meets the AICPA’s Trust Security Principles in SOC 2 and includes the external auditor’s opinion of the operation of controls.

  • Sensitive information (i.e. Social Security Numbers) is encrypted in our database using the Advanced Encryption Standard (AES).

Software Development Practices

  • Sapling follows secure development practices and provides ongoing training for employees in secure development methodologies.

  • All role-based access to privileged application functionality is granted on an explicit whitelist basis.

  • A strict peer-review process is followed for all code changes, including additional security review for changes to sensitive functionality.

  • Automated security code analysis tools are used to provide ongoing identification of security issues.

Network Security

  • Sapling production environments are fully segregated from corporate, development and test environments.

  • All of Sapling’s production web application traffic is inspected by an intrusion detection and prevention system. Any anomalies are logged and suspected attacks create automatic alerts to personnel for investigation, response and resolution.

  • Host- and network-based access control lists are used to limit traffic to only necessary systems and services.

  • Access to the Sapling platform is made available only via SSL/TLS supporting secure cipher suites.

  • Sapling’s production servers are subjected to regular vulnerability scans and penetration tests from our internal security team.

  • Patches are applied on a regular basis depending on the assessed level of risk.

  • Critical vulnerabilities are remediated within 24 hours.

Third-Party Management, Logging and Monitoring

  • Sapling logs all system and application activity to a centralized logging service where it is monitored.

  • Sapling assesses the risk of all new third-party services and systems before adoption, and implements contractual, organizational and technical controls commensurate with the assessed risk.

  • At minimum, all third-party services and systems are verified for consistency with this security overview document.

Customer Data Protection

  • Access to customer data is tightly controlled with access only granted to users with a business requirement, for example, to provide implementation or support services.

  • Backups are performed 3 times a day.

  • Upon written request from an authorized customer account representative, customer data will be removed permanently from Sapling production systems and also removed during any backup restoration event.

Sapling Responsible Disclosure Policy

Data security is a top priority for Sapling, and Sapling believes that working with skilled security researchers can identify weaknesses in any technology.

If you believe you’ve found a security vulnerability in Sapling’s service, please notify us by emailing hotline@trysapling.com; we will work with you to resolve the issue promptly.


Security questions or issues?

Please contact our security hotline below (and thank you for helping keep Sapling and our users safe).

Contact our security team