At Spare, we are deeply committed to the security and privacy of your data. We continuously invest in robust security measures and independent audits to ensure your information is protected. For a detailed and real-time overview of our security posture, please visit our Trust Center.

‍

‍

‍

Security & Compliance

We are proud to have our security practices and controls validated against globally recognized standards.

‍

Our Layered Approach to Security

We employ a defense-in-depth strategy to protect our systems and your data at every layer.

‍

• Personnel Security: Our strict internal procedures prevent employees or administrators from gaining access to user data, with limited, audited exceptions for customer support. All our employees sign a Non-Disclosure and Confidentiality Agreement when joining the company to protect our customers' sensitive information.
• Infrastructure & Data Residency: Our services are built on the secure and compliant Google Cloud Platform (GCP). We operate infrastructure in Canada, the United States, the European Union, and Japan. Customer data is processed and stored within its respective region to meet data residency and compliance requirements. All of our hosting environments adhere to ISO 27001, GDPR, and HIPAA standards.
• Data Protection & Isolation: We enforce TLS encryption for all data in transit and encrypt all data at rest using industry-standard protocols. Customer environments are logically isolated, and access to data is tightly controlled through strict access policies, continuous monitoring, and regular audits to ensure data security and integrity.
• Application & Network Security: We employ a defense-in-depth strategy that includes firewalls, intrusion detection systems (IDS/IPS), DDoS mitigation, and secure development practices (OWASP Top 10) to protect our applications and network from emerging threats.
• Secure by Design: Security is integrated into every stage of our development lifecycle, from regular developer training and code reviews to continuous vulnerability scanning and dependency management.

‍

Your Central Hub for Security and Compliance

For complete transparency and to provide you with the most current information, we have centralized all of our security and compliance documentation in our Trust Center. This is your single source of truth for our security posture.

‍

In the Trust Center, you can:

‍

• View our certifications and audit reports in real-time.
• Access our key security policies and procedures.
• See the results of our continuous security monitoring.
• Securely request access to detailed security documentation.

‍

Visit the Trust Center

‍

‍

Payment Information

All payment processing is securely handled by Stripe, a certified PCI Level 1 Service Provider. We do not collect, store, or have access to any payment information on our servers.

‍

Responsible Disclosure & Bug Bounty Program

We encourage everyone that practices responsible disclosure and complies with our policies to participate in our bug bounty program. Please avoid automated testing and only perform security testing with your own data. Do not disclose any information regarding vulnerabilities until we have had a chance to remediate them. Rewards are provided at our discretion depending on the criticality of the vulnerability reported.

‍

You can report vulnerabilities by contacting [email protected]. Please include a proof of concept. We will respond as quickly as possible to your submission and will not take legal action if you follow the rules.

‍

Program Scope

‍

In Scope:

• spare.com
• sparelabs.com
• platform.sparelabs.com
• api.sparelabs.com
• routing.sparelabs.com
• forms.sparelabs.com

Exclusions:

• Other subdomains of sparelabs.com
• Other subdomains of spare.com

Accepted Vulnerabilities

‍

• Cross-Site Scripting (XSS)
• Open redirect
• Cross-site Request Forgery (CSRF)
• Command/File/URL inclusion
• Authentication issues
• Code execution
• Code or database injections

Out of Scope Vulnerabilities

‍

The following are out of scope for our bug bounty program:

• Logout CSRF
• Account/email enumerations
• Denial of Service (DoS) attacks
• Attacks that could harm the reliability/integrity of our business
• Spam or mass-message attacks
• Clickjacking on pages without authentication or sensitive state changes
• Mixed content warnings
• Content spoofing / non-impactful text injection
• Timing attacks without clear, demonstrable impact
• Social engineering or phishing
• Insecure flags on non-sensitive cookies
• Vulnerabilities requiring exceedingly unlikely user interaction
• Exploits that require physical access to a user's machine
• Vulnerabilities within third-party services we do not directly control
• Use of leaked or stolen credentials
• Missing SPF/DKIM/DNSSEC records
• Weak or outdated TLS/SSL ciphers unless directly exploitable
• Verbose error messages without proven exploitability
• Self-XSS
• Outdated software versions without an exploitable vulnerability
• Reports based solely on unvalidated output from automated scanning tools
• Missing security headers (e.g., CSP, HSTS) unless an exploitable scenario is demonstrated
• Open ports with no exploitable service

‍

Have Questions?

Your trust is important to us. If you have any general security-related questions, concerns, or feedback, please don't hesitate to reach out to our security team.

‍

Contact us at: [email protected]

‍