Security

At atSpoke, we’re committed to delivering forward-thinking technology while honoring the responsibility to safeguard the data customers share with us. We have taken a multi-tiered security approach in the design of our application and maintain that standard through secure development practices combined with a number of third-party assessments. Our focus remains on releasing product features that empower workplaces without sacrificing security.

We know that entrusting us with your internal corporate data is an important decision. Therefore we have taken numerous steps to create a strong security program to provide you the reassurance you need. We ensure that each customer’s data is kept safe and separate from other customer’s data, and also limit the same principles of access with our own staff’s capabilities. atSpoke doesn’t view your data unless you’re aware and we will never create any sort of meta-reporting that can be resold later. Our business is laser-focused on delivering the value we promise, and nothing else.

Compliance

People, process and technology are all considerations in how we approach information security and data privacy. To validate the effectiveness of our internal security controls, we engaged an independent auditor to assess our compliance with a framework which is specifically designed for software-as-a-service (SaaS) providers.

atSpoke currently holds a report on compliance for the SOC 2 Type 2 standard which outlines our philosophy and approach for information security management, risk assessment, board oversight, and third-party risks, among other principles.

All customer payments accepted by atSpoke via credit card are processed in compliance with the current Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is designed to ensure any merchant accepting credit card payments are required to implement appropriate protective measures to prevent cardholder data from theft or fraudulent use. At a high level, to comply with the standard, we continue to:

  • Maintain a secure IT network;
  • Protect cardholder data through various organizational and technical controls;
  • Maintain on-going vulnerability management program;
  • Enforce strong access control measures;
  • Regularly monitor and assess networks for threats; and,
  • Maintain an information security program.

At atSpoke, we have selected the secure payment technology company Stripe for our credit card processing needs. Using Stripe, no cardholder data is ever stored or processed on atSpoke’s servers. For PCI Compliance, all atSpoke payment data and transaction processing is delegated to Stripe. Stripe is certified to the highest industry standards, including PCI DSS Level 1 certification and various rigorous standards across the globe.

We complement our own compliance achievements by hosting our services in Google Cloud Platform which is a state of the art data center, utilizing innovative architectural and modern engineering approaches. Google’s data centers have been validated for compliance against a number of  strict standards, regulations and assorted frameworks. To learn more about Google’s Trust and Compliance, you can learn more here: https://cloud.google.com/security/compliance/#/.

For inquiries regarding our information security practices at atSpoke, or to provide feedback or suggestions to our team, please email us at compliance@askspoke.com. To report an identified security vulnerability in our application, please email us at security@askspoke.com.

CCPA

atSpoke is a service provider, as defined by the California Consumer Privacy Act of 2018 (“CCPA”) which is a California state law that went into effect on January 1, 2020. CCPA gives California consumers new privacy rights and creates new obligations for businesses that are covered by the law. 

The rights for California consumers include:

  • The right to know what personal information a business is collecting and how that information is being used and shared;
  • The right to a copy of the personal information a business holds about a consumer;
  • The right to delete personal information a business holds about a consumer;
  • The right to stop the sale of personal information by a business; and
  • The right to have equal service and price, even if a consumer exercises their privacy rights.

It is important to note that atSpoke will never engage in the sale of personal information. Our business has processes in place in order to respond to consumer requests related to the CCPA. 

In an effort to comply with this new law, we implemented the following measures:

  • Reviewed our privacy program strategy with legal to ensure our continued compliance with the CCPA
  • We now offer a CCPA-specific Data Processing Addendum to eligible customers to clarify that our relationship is that of a “service provider” under the CCPA
  • Set up additional channels for consumers to request to exercise their rights under CCPA
    • Email us at privacy@atspoke.com
    • Call us at 1-866-I-OPT-OUT (1-866-467-8688) Enter Service Code: 989
  • Updated our Privacy Notice to expand on information for individuals covered under the CCPA
  • Expanded our definition of personal information, as defined by the CCPA, to include “anything that identifies or could be reasonably linked (directly or indirectly) with a particular individual or household” and credit card information

GDPR

The EU General Data Protection Regulation (GDPR) is a new comprehensive EU data privacy law which took effect on May 25, 2018. 

Under GDPR, atSpoke is a data processor therefore, we provide support to data controllers in order to enable them to fulfill their obligations under GDPR, and will refer any direct inquiry from consumers and end-users to the respective data controller for handling.

At atSpoke we have taken various steps to give customers assurance that the use of atSpoke’s products and services are consistent with the GDPR:

  • Data Protection Agreements are established with relevant customers and third parties to ensure appropriate processing and safeguards are in place for EU personal data.
  • We have standardized processes and technical capabilities in order to help our customers respond to data subject requests for access, rectification or erasure of personal data maintained by atSpoke.
  • A privacy feature exists within the atSpoke application to control the visibility of user requests.
  • We apply a risk-based approach in the selection and monitoring of all third-party vendor relationships.

Subprocessors: atSpoke uses third-party services for business & operational efficiency. These subprocessors have limited access to requisite customer data in order to provide specific functionality within our service. We establish data protection agreements that require third-party services to adhere to confidentiality and privacy commitments that we have made to our customers. atSpoke uses the following subprocessors:

NameFunction
Google, Inc.Cloud Service Provider
MongoDB, Inc.Cloud-based Hosted Database
Mailgun Technologies, Inc.Cloud-based Email Service Provider
Intercom, Inc.Cloud-based Customer Support Services
Stripe, Inc.Cloud-based Payment Processor
Salesforce, Inc.Cloud-based Customer Relationship Management
Twilio, Inc.Cloud-based SMS Services
Mixpanel, Inc.Cloud-based Analytics Services
Cloudinary, Inc.Cloud-based File Storage Services
Stitch, Inc.Cloud-based Analytics Pipeline Services
Mode Analytics, Inc.Cloud-based Analytics Services
DataDog, Inc.Cloud-based Logging Services
Pendo.io, Inc.Cloud-based In-app Onboarding Solution

We will update this page periodically to reflect current information regarding subprocessing associated with the atSpoke service. Prior to any changes to subprocessor relationships, we will provide notification to customers of any proposed updates in accordance with our contractual or legal obligations.

If you would like to request a copy of our Data Protection Agreement or if you have any other privacy-related questions, please email us at privacy@askspoke.com.

Application & Product Security

  • Authentication
    • We highly suggest the usage of SAML 2.0 for authorization and SCIM for user lifecycle management. We support the use of Google OAuth, or SAML 2.0 Single-Sign-On with end-user’s preferred identity provider for authentication and SCIM for provisioning and de-provisioning. atSpoke has native support for Okta, OneLogin and GSuite and we also support traditional username/password sign-in. 
    • User passwords are protected by the latest recommendations for strong encryption and hashing (i.e. AES-256 and bcrypt).
    • User password requirements are consistent with NIST recommendations and balance usability with sound security.
    • atSpoke APIs only communicate over encrypted channels and are only accessible to verified users. Authentication is done via revocable API tokens issued to the user.
  • Access Controls
    • End-user privileges are provisioned by account Administrators using Role-based access controls.
    • Users can control the visibility of any request made in atSpoke through a privacy feature.
  • Email & Malware Protection
    • We protect all outgoing emails with DKIM (Domain Keys Identified Mail), SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance) to prevent email spoofing.
    • Emails are exchanged securely using TLS 1.2 protocol.
    • All files uploaded to atSpoke are screened for malware using OPSWAT MetaDefender anti-malware protection service.

Resilient and Secure Architecture

  • Redundant and Scalable Infrastructure
    • atSpoke data and services are deployed across geographically distributed availability zones maintained by an industry-leading service provider (Google Cloud).
    • Load balancers are used to distribute application load across resources and support high availability through auto-scaling.
    • Properly isolated network resources combined with network address translation to restrict inbound traffic from untrusted zones.
    • We have maintained an uptime of more than  99.9%. You can check our stats at https://status.askspoke.com.
    • Capacity thresholds are defined to automatically provision additional resources to meet demand.
  • Encryption
    • We support the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS 1.2 protocol, and SHA2 signatures for data traveling between clients and atSpoke service; and between atSpoke services over public networks.
    • AES-256 bit encryption is utilized to protect application and customer data at rest.
    • We observe a strict key management policy that includes an aggressive key rotation procedure and minimum entropy requirements with access restricted to delegated key custodians.
  • Threat Monitoring
    • Technology and tooling are in place to detect and alert on suspected network intrusion, command and control attempts or potential system compromise.
    • We have a documented security incident response process which includes appropriate escalation procedures, root cause analysis, impact assessment, and containment.
    • External communications can be made in a timely manner to impacted customers, third parties and authorities.
  • Recovery Capabilities
    • Data is replicated across multiple availability zones to support continuity in the event of a regional outage.
    • Snapshots of data are taken at regular intervals throughout a 24-hour period with complete backups performed at daily, weekly and monthly intervals with proactive retention periods observed.
    • Backup restoration procedures are documented and tested regularly to confirm the efficacy of our processes.
    • Our disaster recovery strategy is documented, with appointed responsible personnel and supported through regular review with our security team.

Secure Build

  • Design & Build Practices:
    • We follow OWASP secure coding practices at atSpoke.
    • Code is evaluated for design, functionality, and expected security exposures.
    • Changes to the source code are governed by standardized change management processes.
    • In addition to automated and manual testing, our code is peer reviewed prior to being deployed to production.
    • We engage third-party security experts to perform comprehensive penetration tests across our application and network infrastructure.

Personnel Practices

  • Recruitment & Selection Practices:
    • We perform comprehensive background screenings on all new employees.
    • Employees are required to sign non-disclosure and confidentiality agreements.
  • Access Controls:
    • Only authorized employees are granted access to production systems for fulfilling their job responsibilities.
    • Access is regularly reviewed for business justification.