Hosting & security
Sprout Social aims to help businesses of all sizes become better marketers, create stronger relationships with their customers, be more informed decision makers, and create the world’s most beloved brands.
In business since 2010, Sprout Social has more than 25,000+ paying customers who trust us to help them manage many millions of daily conversations. Our technology is designed and stewarded with our customers and their audiences, hundreds of millions strong, in mind. We work daily to build lasting relationships through a culture of customer success and support.
Reliability & availability
Sprout Social strives to minimize service impacts and downtime. We design our systems for fault tolerance, and our teams are trained for rapid incident recovery. It is in our ethos to avoid downtime at all costs, unplanned or planned. We never impose maintenance downtime if it is avoidable—because it usually is. Elements of business continuity and disaster recovery are woven into our practices and our systems. They are not an afterthought, or a task relegated to a single team.
A proven track-record
99.99% uptime is a key performance indicator (KPI) for our Engineering group. At the time of writing, we had higher than 99.95% uptime over the prior 6 and 12 months.
Transparency to customers
Trust begins with open communication. We publicly share real-time system status and metrics on our Status Websites, https://status.sproutsocial.com for Sprout Social and https://status.getbambu.com for Bambu. There we communicate incidents and planned maintenance, including any customer impact, and we display system health metrics sourced from independent third-party providers. Customers may subscribe to receive immediate SMS or email notifications of future incidents.
Social media feeds
Our data ingest layer combines multiple connections to social network APIs. As certified partners, social networks like Facebook, Twitter, Instagram and Linkedin provide us with higher levels of redundancy and access to their support teams.
Backups are taken frequently, encrypted in transit and at rest, and are tested regularly. Backups are kept "off-site" in Amazon S3 which stores files on multiple physical devices in multiple facilities offering 99.999999999% durability and 99.99% availability.
Transparency to our teams
Internally we practice multidisciplinary, blameless post-mortem analysis, and seek to grow our people, procedures, and systems in the aftermath of failure. Fear is the enemy of progress.
Our highly distributed backend platform employs isolation design patterns to mitigate risks across components. Failures of one component rarely affect other components.
Recovery point objectives (RPOs)
Recovery strategies are designed to provide up-to-date RPOs at low Recovery Time Objectives (RTOs), with older data recovered against longer RTOs. This is consistent with customer expectations in Social Media, allowing customers to meet the immediate needs of their customers.
DevOps best practices
Our engineering team practices Infrastructure-as-code, providing correctness, consistency, testability, and speed to recovery. All 24/7/365 on-call team members are empowered to rebuild systems and topologies with full consistency. In the event of system loss, our Engineering team quickly recreates systems by executing the infrastructure code.
Monitoring & on-call support
We monitor continuously from around the world, displaying, alerting, and reporting upon our entire technical environments in real-time. Supporting customers is a collaboration between our customer-facing support team and our engineering team. Specialized engineers are on call 24/7/365.
When problems occur our teams are promptly notified, automatically provided with context, and are enabled with tools to help collaborate efficiently with peers. We employ a triage pager system to ensure alerts quickly and reliably reach engineers.
Sprout Social’s products are hosted by Amazon Web Services (AWS). AWS provides world-class hosting facilities that are secure, highly available, and redundant, with compliance to Cloud Security Alliance Star Level 2, ISO 9001, 27001, 27017, 27018, PCI DSS Level 1, and SOC 1, 2, and 3. For more information on AWS's certifications and compliance programs, please visit https://aws.amazon.com/compliance/programs.
Customer data is hosted in the United States, in AWS’s us-east-1. Sprout Social is Privacy Shield certified to transfer personal data from the European Union and Switzerland, and is GDPR compliant.
AWS's data centers are outfitted with world-class physical hosting capabilities. Buildings have temperature and humidity monitoring and management, automatic water detection and removal, and automatic fire detection and suppression. Combinations of multiple power feeds, Uninterruptible Power Supply (UPS) systems, and on-site electrical generators provide layers of backup power. Telecommunications and Internet connections are redundant. There are no product dependencies on Sprout Social corporate offices or other facilities we manage.
Additional security is applied to information technology rooms and systems including forced open door alarms, thread and electronic intrusion detection systems, multi-factor authentication, and media destruction per
Data Center buildings have strict physical access review and scrutiny. All physical access is monitored 24/7 by personnel. Multi-factor authentication is required for all visitors. Continuous monitoring for unauthorized access is done through video surveillance, intrusion detection, and access log monitoring systems.
Infrastructure & network security
Sprout Social employs a dedicated security team. All systems are monitored and alerted 24/7/365 for security and operational events. Host-based Intrusion Detection Systems (IDS) are deployed on all production systems.
Our private network is segmented into multiple security zones. These bring increasing levels of control, in proximity to customer data.
Incident management & response
Sprout Social's incident response planning and procedures are based on NIST standards. All incident reports are promptly investigated, reported and remediated as necessary. The response plan and procedures define all the steps to ensure a consistent process.
Systems and applications are scanned regularly for common vulnerabilities.
Encryption at rest & in transit
All communications over public networks with Sprout Social’s application and API utilize HTTPS with TLS 1.2 or higher enforced. All data is stored encrypted-at-rest with AES-256 or greater, including backups.
Best practices are utilized, such as least privilege, central configuration management, and stringent host and network firewall policies. Servers are patched automatically on a regular schedule, with high-priority patches applied manually out-of-cycle.
Sprout Social's developers are given annual training on secure coding. All application code is written by Sprout Employees, and each change undergoes peer review. Security vulnerabilities are promptly triaged and corrected.
Third-party penetration testing
Sprout Social contracts with multiple penetration testing vendors to conduct several tests per year. Reports are available upon request by customers under NDA.
Distributed Denial of Service mitigation is provided via our hosting platform.
Responsible disclosure policy
Security researchers may report vulnerabilities through Bug Crowd. (link: https://bugcrowd.com/sproutsocial). Learn more about our policy at https://sproutsocial.com/responsible-disclosure-policy.
Employees & internal IT
In addition to developers receiving secure coding training, all employees participate in annual general security and data privacy training. Phishing drills are routinely administered, and measured against industry benchmarks.
Information security policies & standards
Sprout Social has a comprehensive set of policies and standards covering all aspects of security and privacy. All Employees must affirm their responsibilities in protecting customer data as part of their condition of employment.
Secure support protocols
Our world-class Support team follows phishing and threat-resistant protocols designed by our Security team, when conducting sensitive actions on customer accounts.
Sprout Social offices are secured by keycard access. Office networks are segmented, centrally monitored, and protected by firewalls and Intrusion Prevention devices. Our products have no dependencies on our company’s offices or other facilities we manage.
All Sprout Social devices are inventoried with asset tags and managed with a central mobile device management (MDM) solution.
Employee workstations are secured with hard drive encryption, Antivirus and advanced malware detection with central management and control.
All new hires with access to customer data undergo a criminal history and background check prior to employment.
Like the hosting of our products, while Sprout Social maintains physical offices around the world, the continued operation of our business is not dependent on these offices. Our products, customer service, and overall business operations are enabled to carry on uninterrupted by physical incidents or issues at our offices. During the COVID-19 (Coronavirus) pandemic, Sprout Social transitioned to an all-remote workforce without delay or interruption, ensuring continuity of services to our customers. Our team is equipped with Cloud-based tools and remote access & collaboration solutions, and makes use of these tools daily.
Product security features
Multi-factor authentication (MFA)
Account owners and administrators may require that their users leverage this additional security layer. Sprout Social supports apps like Google Authenticator and others that implement the Time-based One-time Password Algorithm (TOTP) or HMAC-based One-time Password Algorithm (HOTP) for generating passcodes.
Secure credential storage
Account passwords are salted and hashed using the latest strong algorithms and approaches, which are routinely audited. No human, our staff included, can ever view them. If you lose your password, it can't be recovered and must be reset.
In addition to computationally challenging hashing, our authentication services implement additional rate-limiting protections and ReCAPTCHA.
Account Owners and Administrators may restrict certain activities behind approval workflows. These allow for tasks to be divided amongst a team, with the peace of mind that central decision makers may review and control public-facing actions.
Sprout Social may be configured to restrict application and API access from specific IP ranges.
Single sign-on (SSO)
Sprout Social offers SAML 2.0 Single sign-on (SSO) for organizations that leverage this authentication service to give employees one set of login credentials to access multiple applications. Our engineering team works with customers to implement custom SSO integrations across both web and mobile.
Sprout Social implements Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to ensure emails we send are authenticated as coming from Sprout Social, helping to prevent spoofing and ensure authenticity.
Account Owners and Administrators may restrict access to profiles, features, actions (including read and write), and other data, by applying granular controls to users on their account.
Global publishing pause
In times of crisis, your team has access to one button that temporarily disables any automated scheduled and queued messages from being sent by Sprout Social. This is accessible from our web and mobile applications.
Compliance & certifications
SOC 2 Type 2
Sprout Social received independent certification of our SOC 2 Type 2 compliance in December 2019, and our annual compliance has been maintained since.
EU-US & Swiss-US Privacy Shield
Sprout Social holds a Privacy Shield certification under these frameworks established by the U.S. Department of Commerce regarding the transfer of personal data from the EEA and/or Switzerland to the U.S.
CSA STAR Level 1
Sprout Social is a member of the Cloud Security Alliance (CSA) - the world's leading independent organization dedicated to defining best practices for cloud service providers. In the spirit of transparency, Sprout provides answers to common questions customers may have of their cloud provider here.
Sprout Social holds a whole company Cyber Essentials certification. Backed by the United Kingdom government and industry-supported, the Cyber Essentials scheme assesses an organization’s security controls against common cyber threats. As a certified organization, Sprout Social is eligible to bid on UK Government contracts involving the handling of certain sensitive and personal information.
General Data Protection Regulation (GDPR)
Sprout Social is GDPR compliant as both a data controller and data processor of personal data under the General Data Protection Regulation.
California Consumer Privacy Act (CCPA)
Sprout Social is CCPA compliant, providing California consumers with more control over the personal information collected about them.
Payment Card Industry (PCI) compliance
Sprout Social is PCI SAQ-A compliant. Payment transactions are outsourced to third-party payment processors compliant to PCI-DSS Level 1.
Crown Commercial Service (CCS) Supplier
Sprout Social is a Cloud Software supplier through the Crown Commercial Service’s (CCS) G-Cloud 12 Digital Marketplace. The G-Cloud procurement framework helps customers in the United Kingdom (UK) public sector find and purchase cloud services, with the knowledge that each supplier has undergone review by the CCS.
Official social media partnerships
Sprout Social is recognized as an official partner of Twitter, Facebook, Instagram, LinkedIn, Pinterest, and Google My Business.