We at Sprout are dedicated to providing our clients with the best HR software for emerging markets— which means securing client data processes first and foremost.
Sprout Solutions takes data privacy very seriously and will always strive to ensure that the proper handling of information to protect the privacy and integrity of customer data.
Information Security
Sprout Solutions Phils. Inc. (SSPI) is ISO/IEC 27001:2013 certified and this ensures that we:
- Demonstrated ability to consistently provide services and information security that meet or exceed client service levels and applicable statutory and regulatory requirements;
- Implemented controls to safeguard sensitive and confidential client information assets; and
- Established, documented, and maintained and effective management system to foster an environment of continuous improvement.
Privacy
Protecting the individual’s privacy is crucial for us. We have created this Privacy Policy to demonstrate our firm commitment to the individual’s right to data protection and privacy. Our Privacy Policy outlines how we collect, use, disclose, transfer, store, and dispose your personal data.
Administrative, Physical, and Technical Measures
Presented below are some of the measures we’ve implemented to manage information security and privacy risks:
Business Continuity and Resilience
- Business continuity plan
- Sprout has developed a comprehensive business continuity plan and is designed to ensure that we will continue to provide services to our clients if we experience a disruption of any kind to our business operations.
- Cloud service provider
- Sprout is partnered with Microsoft Azure in establishing and consistently meeting security and privacy requirements.
- By default, Microsoft Azure ensures 99.999% disk availability and 99.95% uptime.
- Microsoft automatically creates 3 copies of a client’s VM for redundancy purposes.
- Sprout’s primary Data Center in Azure is located in Singapore while its backup resides in South Korea. Sprout’s Disaster Recovery site is located in South Korea.
- Azure meets a broad set of international and industry-specific compliance standards, such as General Data Protection Regulation (GDPR), ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards, including Australia IRAP, UK G-Cloud, and Singapore MTCS
- Microsoft Azure is subject to rigorous independent third party audits to verify compliance and conformance with standards and laws and regulations.
- Sprout is partnered with Microsoft Azure in establishing and consistently meeting security and privacy requirements.
Asset Management
- Assets are identified and classified according to their criticality and importance to SSPI.
- Proper asset disposal procedures are in place in a manner that makes it impossible to recover information.
Access Control
- User access
- Every employee will be issued with a user ID for systems they need to access as part of their job functions.
- Sprout HR & Sprout Payroll is governed by access rights and can be configured to define granular access privileges.
- Group Policy Objects (GPO) are in place to provide restrictions on end-user machines (both system & application level).
- Password security
- User accounts are protected by a password with complexity requirements, expiration and limits on reusability. A user’s password strength is required to be at the highest level to protect against password guessing or brute-force attacks.
- Secure Credential Storage
- SSPI follows secure credential storage leading practices by storing passwords as a secure, salted, one-way hash.
- Periodic user access review
- IT is in charge of quarterly reviews to ensure that access is given according to job role in the organization
Network Security
- Transmission security
- All communications with Sprout servers are encrypted using industry standard HTTPS over public networks. This ensures that all traffic between Sprout and its users is secure during transit. Additionally, for email, Sprout supports Transport Layer Security (TLS), a protocol that encrypts and delivers email securely, mitigating eavesdropping and spoofing between mail servers.
- All email attachments are required to be password protected within an archive file.
Technical and Vulnerability Management
- Vulnerability and penetration testing
- SSPI contracts with an independent third-party security team to perform vulnerability and penetration tests to ensure the security of the applications and infrastructure. Any findings are prioritized and addressed accordingly.
Secure Development
- Security and privacy requirements
- Apart from business functionality requirements, embedding security and privacy in application development begins at the requirement gathering stage.
- Quality assurance
- A Quality Assurance department performs functional tests in test environments on all releases. Additional smoke testing is performed in production upon release. In addition, the QA team performs regression and performance testing where needed and/or applicable.
- Separate environments
- Testing and staging environments are separated physically and logically from the production environment. No actual service data is used in the development or test environments.
Product Security
- API Security & Authentication
- You can authorize against the API using either basic authentication with your username and password or with a username and API token. OAuth authentication is also supported
- Two-step verification for downloads with sensitive information
- Downloading bulk data with sensitive information requires an additional verification method sent via email to serve as another layer of security for sensitive data.
Competency and Awareness
- Continuous information security and privacy awareness, education and training throughout the organization helps SSPI build and maintain a “security culture”.
Stay updated
Information security and data privacy is critical to us and we constantly work to keep our services up to proper standards and free from breaches. We regularly revise our privacy and terms pages to observe privacy requirements.
You may access our pages on our website or at the links below.
SSPI Resources
Sprout Blog- The Data Privacy Act (RA 10173): Here’s What You Need To Know
External References
Microsoft Azure security documentation
Microsoft Azure service level agreement
