Sprout Security Features

We at Sprout are dedicated to providing our clients with the best HR software for emerging markets— which means securing client data processes first and foremost.

Sprout Solutions takes data privacy very seriously and will always strive to ensure that the proper handling of information to protect the privacy and integrity of customer data.

Physical Security

• Data Centers
  • Sprout is partnered with Microsoft Azure, the leader in the cloud industry in establishing clear security and privacy requirements and then consistently meeting them
  • Azure meets a broad set of international and industry-specific compliance standards, such as General Data Protection Regulation (GDPR), ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards, including Australia IRAP, UK G-Cloud, and Singapore MTCS
  • Rigorous third-party audits, such as those done by the British Standards Institute, verify Azure’s adherence to the strict security controls these standards mandate
• Redundancy
  • By Default, Microsoft Azure ensures 99.999% disk availability and 99.95% uptime.  Additionally, admins are also offered to create a backup on a different When creating a Virtual Machine in Azure, Microsoft automatically creates 3 copies of a client’s VM for redundancy purposes. Data Center or a different region across the globe. Sprout’s primary Data Center in Azure is located in East Asia while its backup resides in Southeast Asia
• Disaster Recovery
  • DR sites can be placed on the same region as a client’s primary DC’s region but Microsoft’s recommendation is to put their DR site on the different region. Sprout DR site is located in South Korea
• Asset Disposal Procedure
  • Technology Assets usually contains confidential company data which simply cannot be disposed of: proper disposal of any asset containing data is usually mandated by law, Hard Disk Drives, USB drives, and other Storage media devices contain various kinds of data and some of which are considered sensitive. To protect Sprout’s company data proper disposal procedures are to be executed
  • Disposal procedure involves doing a Low-Level Format, Boot and Nuke and destroying the physical device by drilling holes on it. These procedures should satisfy that no Data/Information can be retrieved
• Measures
  • Appropriate and up-to-date organizational, physical, and technical controls are in place to manage these risks

Network Security

• System Access Control
  • Every employee will be issued with a unique identification code (NTLogin) by Affiliate IT Representative to access the business technology and will be required to set a password for access
  • Affiliate IT Representative is in charge of quarterly reviews to ensure that access is given according to job role in the organization
  • Group Policy Objects (GPO)  are in place to provide restrictions on end-user machines (both system & application level)
• Transmission security
  • All communications with Sprout servers are encrypted using industry standard HTTPS over public networks. This ensures that all traffic between Sprout and its users secure during transit. Additionally, for email, Sprout supports Transport Layer Security (TLS), a protocol that encrypts and delivers email securely, mitigating eavesdropping and spoofing between mail servers
• IP Restrictions
  • Sprout software can be configured to only allow access from specific IP address ranges the authorized users defined

Application Security

• Vulnerability and Penetration Testing (VAPT)
  • Sprout hires third-party security experts to perform detailed penetration tests to ensure the security of the infrastructure
• Privacy Management Policies
  • Privacy principles are embedded across all departments, are cascaded throughout the organization, and are updated as needed  
  • Access of specific information will depend on the user levels
  • Encryption for data

Secure Development

• Quality Assurance
  • A Quality Assurance department reviews and tests the Sprout code base

• Separate Environments
  • Testing and staging environments are separated physically and logically from the Production environment. No actual Service Data is used in the development or test environments
• Privacy Management Policies
  • Privacy principles are embedded across all departments, are cascaded throughout the organization, and are updated as needed  
  • Access of specific information will depend on the user levels
  • Encryption for data

Sprout DPA Commitment to Data Privacy Act (RA 10173)

The Data Privacy Act, or the DPA, protects the personal and sensitive information of customers by providing companies proper guidelines for handling user data.

As soon as the DPA was passed we implemented proper measures to establish proper compliance with RA 10173. These measures include:

Certification

• Certificate of Registration for system (NPC Circular 1701)
  • Both our systems (Sprout HR and Payroll) are officially registered in the NPC (National Privacy Commission)
  • Sprout has 2 DPOs: For legal and technical matters, respectively
• ISO Security Policies & Procedures
  • Information Security
    • Information Classification
  • System Access Control
  • Physical Access Control
  • Email Security Control
• Privacy Impact Assessment
  • Sprout has an Up-to-date organizational inventory of processes that handle personal data, including the list of process owners

Product Security

• Password security
  • A user’s password strength is required to be at the highest level to protect against guessing or brute-force attacks. All passwords are required to be reasonably complex and difficult for unauthorized people to guess
  • Secure Credential Storage
    • Sprout follows secure credential storage best practices by storing passwords as a secure, salted, one-way hash
• API Security & Authentication
  • You can authorize against the API using either basic authentication with your username and password or with a username and API token. OAuth authentication is also supported
• Two-step verification for downloads with sensitive information
  • Downloading bulk data with sensitive information requires an additional verification method sent via email to serve as another layer of security for sensitive data
• Access Privileges & Roles
  • Sprout HR & Sprout Payroll is governed by access rights and can be configured to define granular access privileges
• Training records
  • Data privacy training and awareness is implemented in Sprout’s processes

Stay informed

Data privacy and security is critical to us and we constantly work to keep our services up to proper standards and free from breaches.

We regularly revise our privacy and terms pages to observe DPA requirements. You can access our pages on our website or at the links below.

We will be posting more updates on this page, so for more news on Sprout’s compliance with the DPA, you may check back here.

Resources

Sprout Privacy Policy

Sprout Terms and Conditions

Sprout blog- The Data Privacy Act (RA 10173): Here’s What You Need To Know

External Resources

Republic Act 10173

Microsoft Azure Security and SLAs

• Security Documentation: https://docs.microsoft.com/en-us/azure/security/
• Service Level Agreement Summary: https://azure.microsoft.com/en-us/support/legal/sla/summary/
  • Azure Backup:

https://azure.microsoft.com/en-us/support/legal/sla/backup/v1_0/

• Cloud Services and Virtual Machines: https://azure.microsoft.com/en-us/support/legal/sla/virtual-machines/v1_8/
• Azure Site Recovery: https://azure.microsoft.com/en-us/support/legal/sla/site-recovery/v1_2/
• Azure SQL Database: https://azure.microsoft.com/en-us/support/legal/sla/sql-database/v1_1/
• Storage:

https://azure.microsoft.com/en-us/support/legal/sla/storage/v1_3/