Security

At Spoke, we’re committed to delivering forward-thinking technology while honoring the responsibility to safeguard the data customers share with us. We have taken a multi-tiered security approach in the design of our application and maintain that standard through secure development practices combined with a number of third-party assessments. Our focus remains on releasing product features that empower workplaces without sacrificing security.

We know that entrusting us with your internal corporate data is an important decision. Therefore, we have taken numerous steps to create a strong security program to provide you the reassurance you need. We ensure that each customer’s data is kept safe and separate from other customers’ data, and we apply the same principles of limited access to our own staff’s capabilities. Spoke doesn’t view your data unless you’re aware, and we will never create any sort of meta-reporting that can be resold later. Our business is laser-focused on delivering the value we promise, and nothing else.

Compliance

People, process and technology are all considerations in how we approach information security and data privacy. To validate the effectiveness of our internal security controls, we engaged an independent auditor to assess our compliance with a framework which is specifically designed for software-as-a-service (SaaS) providers.


Spoke currently holds a report on compliance for the SOC 2 SSAE 18 standard, which outlines our philosophy and approach for information security management, risk assessment, board oversight, and third-party risks, among other principles.

All customer payments accepted by Spoke via credit card are processed in compliance with the current Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is designed to ensure that any merchant accepting credit card payments implements appropriate protective measures to protect cardholder data from theft or fraudulent use. At a high level, to comply with the standard, we continue to:


At Spoke, we have selected the secure payment technology company Stripe for our credit card processing needs. Using Stripe, no cardholder data is ever stored or processed on Spoke’s servers. For PCI Compliance, all Spoke payment data and transaction processing is delegated to Stripe. Stripe is certified to the highest industry standards, including PCI DSS Level 1 certification and various rigorous standards across the globe.


We complement our own compliance achievements by hosting our services in Google Cloud Platform, which is a state-of-the-art data center utilizing innovative architectural and modern engineering approaches. Google’s data centers have been validated for compliance against a number of strict standards, regulations and assorted frameworks. To learn more about Google’s Trust and Compliance, see https://cloud.google.com/security/compliance/#/.


For inquiries regarding our information security practices at Spoke, or to provide feedback or suggestions to our team, please email us at compliance@askspoke.com. To report an identified security vulnerability in our application, please email us at security@askspoke.com.

GDPR

The EU General Data Protection Regulation (GDPR) is a new comprehensive EU data privacy law which took effect on May 25, 2018. 

Under GDPR, Spoke is a data processor; therefore, we provide support to data controllers in order to enable them to fulfill their obligations under GDPR, and will refer any direct inquiry from consumers and end-users to the respective data controller for handling.

At Spoke we have taken various steps to give customers assurance that the use of Spoke’s products and services is consistent with the GDPR:

Subprocessors: Spoke uses third-party services for business & operational efficiency. These subprocessors have limited access to requisite customer data in order to provide specific functionality within our service. We establish data protection agreements that require third-party services to adhere to confidentiality and privacy commitments that we have made to our customers. Spoke uses the following subprocessors:

Name | Function
Google, Inc. | Cloud Service Provider
MongoDB, Inc. | Cloud-based Hosted Database
Mailgun Technologies, Inc. | Cloud-based Email Service Provider
Intercom, Inc. | Cloud-based Customer Support Services
Stripe, Inc. | Cloud-based Payment Processor
Fullstory, Inc. | Cloud-based User Behaviour Analytics Services
Salesforce, Inc. | Cloud-based Customer Relationship Management
Twilio, Inc. | Cloud-based SMS Services
Mixpanel, Inc. | Cloud-based Analytics Services
Cloudinary, Inc. | Cloud-based File Storage Services
Elasticsearch, Inc. | Cloud-based Logging Services
Stitch, Inc. | Cloud-based Analytics Pipeline Services
Mode Analytics, Inc. | Cloud-based Analytics Services
DataDog | Cloud-based Logging Services

We will update this page periodically to reflect current information regarding subprocessing associated with the Spoke service. Prior to any changes to subprocessor relationships, we will provide notification to customers of any proposed updates in accordance with our contractual or legal obligations.

If you would like to request a copy of our Data Protection Agreement or if you have any other privacy-related questions, please email us at privacy@askspoke.com.

Application & Product Security

Resilient and Secure Architecture

Secure Build

Personnel Practices

Effective | August 1, 2019
