Security

Your data is the lifeblood of your business and your compliance obligations. At Sapium, we protect your data from the ground up by following industry best practices centered on cloud security.
Privacy
We never sell your data to third parties. Your data belongs to you, and our team will never access it unless you explicitly instruct us to. Moreover, your data may be deleted upon request in line with your rights as defined in your region. Learn more in our Privacy Policy.
Data hosting & physical security
We use Amazon Web Services (AWS) data centers in the United States, specifically in the us-east-1 region. These data centers and associated systems are best-in-class and hold numerous certifications, including ISO 27001 and SOC 1, 2 and 3. We follow AWS security best practices, leveraging AWS Security Hub and AWS Config to check and manage infrastructure security.
Logical Access
Access to physical and application systems is restricted on a least-privilege basis and protected by strict safeguards such as multi-factor authentication. Such access is also logged and monitored in accordance with our policies.
Encryption
Data is encrypted in transit and at rest. Data in transit is encrypted using Transport Layer Security (TLS), enforced with features like HTTP Strict Transport Security (HSTS). Encryption of data at rest (including backups) uses the industry-standard AES-256 algorithm and is handled transparently by AWS services themselves, such as Amazon Relational Database Service (RDS), using keys managed by AWS Key Management Service (KMS).
Isolation and public IPs
Our virtual servers are logically isolated within an AWS virtual private cloud (VPC) and do not have public IPs. AWS security groups, network access control lists, and internet gateways control access to our internal network and block unauthorized access.
DDoS and firewall
We have a robust, layered infrastructure to control access to the application, including Cloudflare, Amazon CloudFront, AWS Web Application Firewall (WAF), and AWS Shield. These edge systems stop malicious requests before they reach the application.
Intrusion Detection and Prevention
We use services like Amazon GuardDuty to continuously monitor for malicious activity and unauthorized behavior in order to protect the application, network, and data. When security events exceed defined thresholds, our security team responds promptly, in accordance with our policies.
Business continuity
Databases are backed up daily, and the backups are encrypted. Our recovery procedures leverage systems like point-in-time logs and redundant version control to restore data to a point much closer to the time of failure. Our recovery policies enable us to restore service in the event of such unavoidable failures.
Traceability
Audit logs exist at all levels, including network, database, AWS console, and application. These logs are streamed to Amazon CloudWatch for viewing and analysis, as well as being held at the server level and redundantly archived on Amazon S3.
Passwords and access attempts
Passwords are never stored in plaintext and are only transmitted over TLS. Credentials are stored as one-way hashes generated using the PBKDF2 algorithm with SHA-256, a password-stretching mechanism recommended by NIST. We also enforce a password complexity standard. Login attempts are tracked, and after a small number of failed attempts, authentication is blocked.
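To make the two controls in this paragraph concrete, here is an added example (illustrative code, not Sapium's implementation) of PBKDF2-HMAC-SHA256 password storage with a per-salt, self-describing hash string, constant-time verification, and a failed-attempt counter that blocks authentication after a small number of failures. The iteration count, the storage format, the lockout threshold and the account name `alice` are assumptions chosen for the example.

```python
"""PBKDF2-HMAC-SHA256 password storage with failed-attempt lockout.

Added illustration; not Sapium's code. The iteration count, the storage
format and the lockout threshold (MAX_ATTEMPTS) are assumptions.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000      # assumed; in line with current OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16           # per-password random salt so equal passwords hash differently
MAX_ATTEMPTS = 5          # assumed "small number of attempts" before lockout


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing one-way hash: algorithm$iterations$salt$digest (hex)."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking the match position through timing
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class LoginGuard:
    """Tracks consecutive failed logins per account; blocks after max_attempts."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self.failures: dict[str, int] = {}

    def attempt(self, username: str, password: str, stored_hash: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        if self.failures.get(username, 0) >= self.max_attempts:
            return "locked"          # locked accounts are not even hashed against
        if verify_password(password, stored_hash):
            self.failures.pop(username, None)   # a successful login resets the counter
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "denied"


def demo() -> list[str]:
    """Constructed scenario: one correct login, then wrong passwords until lockout."""
    stored = hash_password("correct horse battery staple")
    guard = LoginGuard(max_attempts=3)
    results = [guard.attempt("alice", "correct horse battery staple", stored)]
    for _ in range(4):
        results.append(guard.attempt("alice", "wrong-password", stored))
    return results   # ['ok', 'denied', 'denied', 'denied', 'locked']


if __name__ == "__main__":
    print(demo())
```

Storing the algorithm name, iteration count and salt alongside the digest lets the iteration count be raised later without invalidating existing records: old hashes still verify, and a successful login is the natural moment to re-hash with the stronger parameters.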
Application security
We use mature, modern, open-source application frameworks and libraries in both the frontend and backend applications. These come with robust security controls that limit risks such as those in the OWASP Top 10, protecting against Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection (SQLi), and many more.
Application access
Application access is strictly managed per our policies and is governed by object-level role-based access control (RBAC). Granular roles include administrators, contributors, viewers, and more.
Secure development
We have a robust QA process that uses version control, code review, and manual and automated testing. Environments are isolated, and live customer data is never used in testing or staging environments.
Exercising Your Rights
If you would like to exercise your rights under the GDPR, please submit your request to gdpr@sapium.io.

If you would like to exercise your rights under California law with respect to your personal information, please submit your request to ccpa@sapium.io.
More information
We're always happy to provide more detail; just email us at security@sapium.io or ask your sales representative.

Third-party infrastructure subprocessors

A third-party subprocessor is a company engaged by the Sapium team (Gaussian Holdings, LLC) to process personal data on behalf of customers and that receives data from Sapium services, for the purpose of delivering Sapium services to customers.
Amazon Web Services, Inc.

Used for: Full cloud service provider, including hosting and email processing
Location: United States
Cloudflare, Inc.

Used for: Networking, DNS
Location: United States
Google LLC

Used for: Google Cloud Platform (Google authentication)
Location: United States
The Rocket Science Group LLC

Used for: Email marketing
Location: United States
HubSpot Inc.

Used for: Customer support, customer relationship management
Location: United States