Customer data safety and security is our top priority, and it is something we take very seriously. At Spoke we have built and implemented industry-grade security features for our application, systems, and networks to ensure customer data is protected. We continue to make Spoke more secure, and any input or feedback on our security is greatly appreciated. Please email us at firstname.lastname@example.org
We follow secure development practices to build and ship our product features. We are continuously investing in infrastructure and product features to provide better security and access controls to our customers.
Application & Product security
- We support username/password sign-in, Google SSO, or SAML for user and agent authentication.
- User passwords are protected following the latest recommendations for strong encryption and hashing (i.e. AES-256 and bcrypt).
- Spoke APIs are SSL-only and accessible only to verified users. Authentication is done via revocable API tokens issued to the user.
- Data access controls:
  - Access rights to data in Spoke are controlled and can be configured by admins and agents.
  - Users can control the visibility of any requests they make in Spoke.
- Email & malware protection:
  - We protect all our outgoing emails with DKIM (DomainKeys Identified Mail), SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting & Conformance) to prevent email spoofing.
  - All files uploaded to Spoke are screened for malware using OPSWAT's Metascan service.
- Spoke data and services are hosted in data centers maintained by industry-leading service providers (Google Cloud).
- Spoke data is backed up every 8 hours. We have well-tested restoration procedures, which we audit at least every quarter.
- We have a strict key management policy that includes an aggressive key rotation procedure and minimum entropy requirements. We store keys so that only the engineers responsible for maintaining our production infrastructure have access to them.
- We have maintained an uptime of more than 99.9%. You can check our stats at https://status.askspoke.com.
- Spoke transmits data using strong encryption, both between clients and the Spoke service and between Spoke services over public networks.
- We support the latest recommended secure cipher suites to encrypt all traffic in transit, including use of the TLS 1.2 protocol and SHA-2 signatures.
- Application and customer data is encrypted at rest. Customer data is segregated logically by each customer's unique ID.
- Incident management:
  - In the event of a data breach, Spoke will promptly notify impacted customers.
  - Spoke has documented data breach procedures, including communication, escalation, mitigation and post-mortems.
- Product security practices:
  - We follow OWASP secure coding practices at Spoke.
  - All new feature work goes through functionality and design review.
  - In addition to automated and manual testing, our code is peer reviewed prior to being deployed to production.
  - We engage third-party security experts to perform comprehensive penetration tests across our application and network infrastructure.
  - For PCI compliance, all Spoke payment data and transactions are delegated to Stripe.
- Personnel practices:
  - Only authorized employees get access to production data, and only as required to fulfil their job responsibilities.
  - Spoke performs background checks on all new employees.
  - All employee contracts include a confidentiality agreement.
The EU General Data Protection Regulation (GDPR) is a new comprehensive EU data privacy law. It took effect on May 25, 2018. At Spoke we have taken various steps to give customers confidence that the use of Spoke's products and services will be consistent with the GDPR:
- Built tools for data deletion and data export.
- Updated our Data Processing Addendum (DPA) to be GDPR-ready and contractually affirm our GDPR-readiness.
- Worked with our vendors who process EU personal data to enter into data processing agreements to ensure their processing of EU personal data is consistent with the GDPR.
- Subprocessors: Spoke uses third-party services for business and operational efficiency. We establish agreements that require these third-party services to adhere to the confidentiality and privacy commitments that Spoke has made to its customers. These data processors have access to certain customer data. Spoke uses the following subprocessors:
Subprocessor | Purpose
 | Cloud Service Provider
 | Cloud-based Hosted Database
Mailgun Technologies, Inc. | Cloud-based Email Service Provider
 | Cloud-based Customer Support Services
 | Cloud-based Payment Processor
 | Cloud-based User Behaviour Analytics Services
 | Cloud-based Customer Relationship Management
 | Cloud-based SMS Services
 | Cloud-based Analytics Services
 | Cloud-based File Storage Services
 | Cloud-based Logging Services
 | Cloud-based Logging Services
Astar Technologies Pvt. Ltd. | Testing & QA services
 | Cloud-based Analytics Pipeline Services
As Spoke grows, our subprocessors may change, and we will notify customers of any updates in accordance with our contractual obligations. We will keep the list on this page updated. Our DPA is available upon request. Please email email@example.com for a copy or if you have any other questions about security or privacy.
Last Updated | July 31, 2018