Security

Spare Data Security

Keeping our customers' data safe is our priority

Overview

Spare respects our customers' privacy and keeping our customers' data protected at all times is our highest priority. This security overview provides a high-level overview of the security practices put in place to achieve that objective. Have questions or feedback? Feel free to reach out to us at [email protected].

SOC-2 and HIPAA compliance

Spare has been audited by an independent certified auditor and is certified to SOC 2 Type II. SOC 2 is widely recognized as the gold standard for data security and requires organizations to establish and follow strict information security policies and procedures. To accomplish this, we use the best-in-class security tools and practices to maintain a high level of security at Spare.

Additionally Spare has independently verified compliance to HIPAA. HIPAA compliance involves fulfilling the requirements of the Health Insurance Portability and Accountability Act of 1996, its subsequent amendments, and any related legislation such as HITECH.

Infrastructure

  • All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers.
  • Our service is built on Google Cloud Platform (GCP). They provide strong security measures to protect our infrastructure and are compliant with most certifications.

Data Security

Our data center is located in Canada. It is a ISO 27001, GDPR, HIPAA compliant facility. Our servers separated on dedicated virtual machines from other data center customers. We enforce TLS for connections used in transferring data and encrypt it while it is on disk.

Network level security monitoring and protection

Our network security architecture consists of multiple security zones. We monitor and protect our network, to make sure no unauthorized access is performed using:

  • A virtual private cloud (VPC), a bastion host or VPN with network access control lists (ACL’s) and no public IP addresses.
  • A firewall that monitors and controls incoming and outgoing network traffic.
  • An Intrusion Detection and/or Prevention technologies (IDS/IPS) solution that monitors and blocks potential malicious packets.
  • IP address filtering

DDoS protection

We use Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution.

Data encryption

Encryption in transit: All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS).

Encryption at rest: All our user data (including passwords) is encrypted using battled-proofed encryption algorithms in the database.

Data retention and removal

Organizations on Spare Platform can configure security requirements to meet their needs, including automatic removal an anonymization of user data in compliance with GDPR regulations.

Business continuity and disaster recovery

We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted.

Application security monitoring

  • We use a security monitoring solution to get visibility into our application security, identify attacks and respond quickly to a data breach.
  • We use technologies to monitor exceptions, logs and detect anomalies in our applications.
  • We use monitoring such as open tracing in our microservices.

Application security protection

  • We use a runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real-time.
  • We use security headers to protect our users from attacks. You can check our grade on this security scanner.
  • We use security automation capabilities that automatically detect and respond to threats targeting our apps.

Secure development

We develop following security best practices and frameworks (OWASP Top 10, SANS Top 25). We use the following best practices to ensure the highest level of security in our software:

  • Developers participate in regular security training to learn about common vulnerabilities and threats
  • We review our code for security vulnerabilities
  • We regularly update our dependencies and make sure none of them has known vulnerabilities

Responsible disclosure

We encourage everyone that practices responsible disclosure and comply with our policies and terms of service to participate in our bug bounty program. Please avoid automated testing and only perform security testing with your own data. Please do not disclose any information regarding the vulnerabilities until we fix them. Rewards are done at our discretion depending on the criticality of the vulnerability reported.

You can report vulnerabilities by contacting [email protected]. Please include a proof of concept. We will respond as quickly as possible to your submission and won’t take legal actions if you follow the rules.

Coverage

  • spare.com
  • sparelabs.com
  • platform.sparelabs.com
  • api.sparelabs.com
  • routing.sparelabs.com
  • forms.sparelabs.com

Exclusions

  • other subdomains of sparelabs.com
  • other subdomains of spare.com

Accepted vulnerabilities are the following:

  • Cross-Site Scripting (XSS)
  • Open redirect
  • Cross-site Request Forgery (CSRF)
  • Command/File/URL inclusion
  • Authentication issues
  • Code execution
  • Code or database injections

The following categories of vulnerabilities or reports are out of scope for our bug bounty program:

  • Logout CSRF: Logout cross-site request forgery reports are out of scope.
  • Account/email enumerations: Reports of account or email enumeration are not eligible.
  • Denial of Service (DoS): Any form of DoS attack, including volumetric or application-level attacks.
  • Attacks that could harm the reliability/integrity of our business: Any activity that degrades service availability or business integrity.
  • Spam attacks: Reports involving spam or other mass-message attacks.
  • Clickjacking on pages without authentication and/or sensitive state changes: Clickjacking vulnerabilities are only considered in the context of authenticated or sensitive actions.
  • Mixed content warnings: Reports about mixed HTTP/HTTPS content.
  • Content spoofing / text injection: Non-impactful text injections or content spoofing.
  • Timing attacks: Unless they have a clear and demonstrable impact, timing attacks are out of scope.
  • Social engineering: Phishing or any form of social engineering against our employees or customers.
  • Phishing: Any attempts or vulnerabilities related to phishing are out of scope.
  • Insecure cookies for non-sensitive cookies or 3rd party cookies: Issues related to insecure cookies that are not tied to sensitive data or operations.
  • Vulnerabilities requiring exceedingly unlikely user interaction: Reports requiring highly improbable user interactions.
  • Exploits that require physical access to a user's machine: Any exploit requiring direct physical access.
  • Exploits within 3rd party managed services: Vulnerabilities within third-party services we do not directly control.
  • Use of leaked credentials: Reports involving leaked or stolen credentials are out of scope.
  • Lack of SPF/DKIM/DNSSEC: Missing or misconfigured SPF, DKIM, or DNSSEC is out of scope.
  • TLS/SSL ciphers: Weak or outdated TLS/SSL ciphers are out of scope unless directly exploitable.
  • Verbose error messages: Reports about overly detailed error messages without proven exploitability.
  • Self-XSS: Self-cross-site scripting that requires the victim to perform actions like pasting scripts into the console.
  • Outdated software versions: Merely identifying outdated libraries, frameworks, or software without an exploitable vulnerability.
  • Reports based on automated scanning tools: Submissions that only include unvalidated output from automated security scanners or fuzzers.
  • Missing security headers: Lack of security-related HTTP headers (e.g., CSP, HSTS) unless an exploitable scenario is demonstrated.
  • Open ports with no exploitable service: Reports on open ports that do not expose any security impact.

User protection

Role-based access control

Advanced role-based access control (RBAC) is offered on all our enterprise accounts and allows our users to define roles for administrators.

Account takeover protection

We protect our users against data breaches by monitoring and blocking brute force attacks.

Compliance

GDPR

We’re compliant to the General Data Protection Regulation (GDPR). The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Contact us for more details on how we comply to GDPR.

Payment information

All payment instrument processing is safely outsourced to Stripe which is certified as a PCI Level 1 Service Provider. We don’t collect any payment information and are therefore not subject to PCI obligations.

Employee access

  • Our strict internal procedure prevents any employee or administrator from gaining access to user data. Limited exceptions can be made for customer support.
  • All our employees sign a Non-Disclosure and Confidentiality Agreement when joining the company to protect our customers' sensitive information.