Trust Center

Nothing’s more important than your peace of mind and confidence when processing a transaction through the Spreedly platform.

Want to learn more about Spreedly’s security capabilities?

Spreedly is part of the Cloud Security Alliance (CSA) STAR Program

Learn more about Spreedly's level 1 self-assessment

View Spreedly's CAIQ

Spreedly’s Whistic Security Profile provides key details about our security and compliance program, including our SOC 2 Type 2 report and executive summaries of penetration tests.

Sign our NDA to receive access to review our Security Profile in Whistic.

See Our Whistic Security Profile

Spreedly also maintains an "A" for our Security Scorecard score. Click below for the details.

See Our Security Scorecard

Compliance

GDPR

Ensuring world-class data privacy and individual rights for all our users globally.

Data Privacy Framework

Certified for secure and legal data transfers between the EU, UK, Switzerland, and the US.

Visa Global Registry of Service Providers

Publicly recognized by Visa as a Level 1 Service Provider for PCI DSS, meeting the highest global standards for payment security.

CSA Star Level I

Committed to transparency and rigorous security standards for our cloud infrastructure.

AICPA SOC

SOC 2 Type II certification: independently audited and verified for consistent, long-term security and operational excellence.

PCI APO

Official PCI SSC Associate Participating Organization and industry contributor.

Resources

PCI Compliant

Our compliance program focuses on the identification and implementation of relevant legislative, statutory, regulatory, and contractual controls to ensure ongoing compliance for Spreedly and its customers. Spreedly is Level 1 PCI Compliant.

View Our Attestation Of Compliance

SOC 2 Type 2

Spreedly has passed its SOC 2 Type 2 audit with no exceptions. System and Organization Controls (SOC) is a suite of service offerings Certified Public Accountants (CPAs) provide in connection with system-level controls of a service organization or entity-level controls of other organizations.

Request our SOC2 Report

Status Page

Customer-impacting incidents along with post-mortems are posted on our StatusPage. Customers can subscribe to receive real-time incident notifications via this same link.

View Our Status Page

Privacy Program

Our privacy program includes but is not limited to a comprehensive data classification and handling policy along with directive and technical controls for data retention, sanitization, loss/leakage prevention, masking, and encryption at rest and in transit.

View Spreedly’s Privacy Policy

Shared Responsibility Matrix

This Spreedly Services Shared Responsibility Matrix defines the security, compliance, and operational responsibilities between Spreedly and its customers. This matrix is intended to provide transparency and to ensure both parties understand their respective obligations.

View Spreedly’s Shared Responsibility Matrix

FAQ

How Secure is Spreedly's Hosting?

Spreedly operates in a cloud-based environment via AWS with multiple mechanisms in place to ensure resiliency and business continuity. For more information, please reference the AWS datacenter PCI L1 compliance page, which certifies extensive physical protections as well, and houses various other banking, government, and security agencies.

Does Spreedly Offer Monitoring, Logging, & Alerting?

Several observability tools are leveraged to monitor the four golden signals of latency, traffic, errors, and saturation utilizing synthetic transactions and other technical measures to address issues before they cause customer impact. Comprehensive logging is in place for key activities along with automated alerting that initiates Spreedly’s incident response process.

What Are Spreedly’s Incident Response Procedures?

Spreedly maintains an Incident Response (IR) policy and procedures for detecting, monitoring and responding to actual or reasonably suspected intrusions and security incidents, and reporting actual or reasonably suspected security or privacy incidents. Incident Commanders and Incident Response Teams receive annual training and participate in regular IR exercises. Problem management processes are in place to ensure post-incident review of events along with a root cause analysis is conducted with actions taken to prevent recurrence.

Does Spreedly Have Business Continuity and Disaster Recovery Plans?

Spreedly reviews its business continuity plan at least annually and conducts regular tabletop exercises to address business continuity of key people, processes, and third parties. An annual disaster recovery exercise for critical technology resiliency is in place to confirm we can meet our Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Spreedly’s card data environment (CDE) is architected in a resilient manner via multiple availability zones in multiple AWS regions.

How can I submit a potential security incident or vulnerability?

Robust Information Security is a paramount capability and business requirement for our company. While we don’t offer a bug-bounty or similar rewards program for submitting unsolicited information security vulnerabilities or potential incidents, we remain grateful for your efforts in helping “raise the [security] tide of all boats” operating on the World Wide Web. If you’re willing to submit your finding within these constraints, submission details can be found here.

How Does Spreedly Protect Your Data?

Spreedly requires TLS v1.2 for its Core transactional API when supported by the connecting client. Beyond that single requirement, Spreedly’s secure configuration currently warrants an A+ rating from SSL Labs, meaning that Spreedly’s website security is resilient to attacks exploiting older, weaker TLS versions.

Spreedly uses the Advanced Encryption Standard (AES) with 256-bit keys when encrypting confidential data within the vault. Each confidential record within the vault is encrypted using a separate, randomly generated encryption key. This key itself is then further protected by encrypting it with an asymmetric key (RSA, 2048 bits).

More details about Spreedly’s privacy program can be found here.
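The per-record key scheme described above is commonly called envelope encryption. The Ruby example below is added here for illustration and is not Spreedly's code: it encrypts each record under its own random AES-256 key and wraps that key with a 2048-bit RSA public key. The GCM mode, the OAEP padding, the use of the record id as associated data, and every name in the code are assumptions, since the page specifies none of them.

```ruby
require 'openssl'

# Added illustration of envelope encryption; not Spreedly's implementation.
# Assumptions not stated on the page: AES-256-GCM as the AES mode, RSA-OAEP
# for key wrapping, and the record id bound in as associated data.

# Constructed key-encryption key (KEK): RSA, 2048 bits, the size the page names.
KEK = OpenSSL::PKey::RSA.new(2048)

# Encrypt one record under a fresh random 256-bit data key (DEK), then wrap
# the DEK with the RSA public key. Only the wrapped DEK is stored.
def seal_record(plaintext, record_id, public_key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  dek = cipher.random_key        # 32 random bytes, unique to this record
  iv  = cipher.random_iv         # 12-byte GCM nonce
  cipher.auth_data = record_id   # ties the ciphertext to its record id
  ciphertext = cipher.update(plaintext) + cipher.final
  {
    id: record_id,
    iv: iv,
    ciphertext: ciphertext,
    tag: cipher.auth_tag,
    wrapped_dek: public_key.public_encrypt(dek, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  }
end

# Unwrap the DEK with the RSA private key, then decrypt and authenticate.
# Raises OpenSSL::Cipher::CipherError if any stored field was altered.
def open_record(record, private_key)
  dek = private_key.private_decrypt(record[:wrapped_dek],
                                    OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = dek
  cipher.iv = record[:iv]
  cipher.auth_tag = record[:tag]
  cipher.auth_data = record[:id]
  cipher.update(record[:ciphertext]) + cipher.final
end

if __FILE__ == $PROGRAM_NAME
  pan = '4111111111111111' # constructed sample value (standard test card number)
  first  = seal_record(pan, 'rec-1', KEK.public_key)
  second = seal_record(pan, 'rec-2', KEK.public_key)
  puts "wrapped DEK size: #{first[:wrapped_dek].bytesize} bytes"
  puts "same plaintext, different ciphertext: #{first[:ciphertext] != second[:ciphertext]}"
  puts "round trip ok: #{open_record(first, KEK) == pan}"
end
```

Because every record has its own data key, a component that only encrypts needs the RSA public key alone, and exposure of one data key reveals one record rather than the whole vault.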

Does Spreedly Have Vulnerability Management and Penetration Testing?

Spreedly leverages several reputable outside sources for threat intelligence. Ongoing, internal and external independent, recurring third-party vulnerability scanning and multiple yearly penetration tests are the proactive measures we use to identify security vulnerabilities within our environment. Both static and dynamic application security testing is in place. This helps Spreedly identify different types of vulnerabilities in an application at different stages of development, providing a more comprehensive security analysis and ensuring maximum protection against potential threats. We also take a methodical risk-based approach when managing vulnerabilities that aligns to Spreedly’s risk appetite and tolerance. Remediation timelines are based on industry standards and account for the agility needed to address zero-day vulnerabilities.

Spreedly also performs social engineering tests such as phishing campaigns on a regular basis in addition to tabletop exercises that seek to assess and improve our incident response to common likely and impactful threats such as ransomware.

What Is Spreedly ID?

Protecting data and customers with a suite of layered security tools that work in concert to keep all Spreedly customers safe. This comprehensive set of security functionality allows customers to limit security breaches, protect PCI data, and avoid malicious network access.

Encryption in Transit
When connecting to Spreedly ID, all data is encrypted in transit using only supported TLS protocols.

Password Best Practices
Longer passwords are harder to guess/crack. Spreedly recommends creating passwords using passphrases. Passphrases are made up of longer sentences and/or words that are meaningful to a user (and not others), which allows one to more easily remember a password without writing it down. Session timeouts due to inactivity and forced log outs are also in place.

Multi-Factor Authentication (MFA)
MFA is a required protection for all Spreedly ID access. MFA enhances security by requiring another factor of login verification to Spreedly administration tools versus just a single username and password. A necessity to strengthen defenses, Multi-Factor Authentication (MFA) goes a long way in protecting sensitive PCI data and network access. While it’s never possible to stop all data breaches and attacks, MFA can help merchants reduce the likelihood of a cyberattack.

Role-Based Access Control (RBAC)
Compartmentalize access to sensitive areas of your Spreedly administrative tools (security keys, reporting, and more) by leveraging RBAC. Spreedly offers several pre-configured roles to ensure the appropriate administration and needed separation for specific functions. Organizations can manage their own users’ access to sensitive company information by selecting the appropriate role(s) of key customer stakeholders. These user access controls result in a more secure method for employees to access the unique information they need to do their jobs and prevent them from accessing information that doesn't pertain to them.

Does Spreedly Provide Security Advisories?

Spreedly will provide security notifications here related to potential threats to Spreedly information systems, our response, current status, and risk posture.

Does Spreedly Have Ongoing Security Evaluations?

These terms mean different things to different organizations but they each share in representing a continuum of constantly assessing and improving information security — from known patchable vulnerabilities, syntactical coding exploits, and semantic process deficiencies. Spreedly performs all three of these assessment types (including social engineering tests such as phishing tests) on a regular basis in addition to process-only table top exercises that seek to assess and improve our incident response to common likely and impactful threats such as ransomware.

Does Spreedly Take A Layered Approach to Security?

From an architectural perspective, Spreedly seeks to embrace zero trust security ideals where access to resources is fully authenticated, fully authorized, and fully encrypted based upon user credentials (with Multi-Factor Authentication) from inventoried and managed devices. We measure our resilient information security posture against the Secure Controls Framework (SCF), bettering our ability to prevent, detect, and respond to information security attacks. We also maintain an "A" for our Security Scorecard score.

What Are Spreedly’s Privacy Controls?

Spreedly leverages layers of controls to ensure the privacy and protection of customer data. Our privacy program includes but is not limited to a comprehensive data classification and handling policy along with directive and technical controls for data retention, sanitization, loss/leakage prevention, masking, and encryption at rest and in transit.

Is Spreedly GDPR Compliant?

Spreedly is General Data Protection Regulation (GDPR) compliant, and maintains GDPR compliance for all the processors and sub processors in our technology stack where we decide on your behalf how data will be processed. More information about our GDPR compliance can be found here.

Is Spreedly Certified Under the Data Privacy Framework (DPF)?

Spreedly complies with EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework. Learn more about the Data Privacy Framework (DPF) program, and view our certification. Spreedly also utilizes Standard Contractual Clauses with EU Data Controllers to ensure compliance with EU law regarding data protection.

What’s Spreedly’s Privacy Policy?

View our Privacy Policy.

If you need to modify the Privacy Controls for this site click "Privacy Settings" located at the bottom of every page.

Does Spreedly Have A Status Page?

Customer-impacting incidents along with post-mortems are posted on our Status Page. Customers can subscribe to receive real-time incident notifications via this same link. We pride ourselves in providing at least 99.9% uptime for services related to Payment Orchestration.

Resources for Further Information

Spreedly Support

Reach out to payments security experts to get specific answers to security and compliance questions.

Contact Support

Knowledge Base

Find more information about common security and company questions written by Spreedly experts.

Access Our Knowledge Base

© 2025 Spreedly, Inc. All rights reserved.