Security at ThriveSparrow

Introduction

Safeguarding our customer data is more than an obligation; it is a genuine passion within our company. We believe that earning our customers' trust is an ongoing endeavor, so rather than simply adhering to norms and ticking checkboxes, we build security awareness and good practice into our corporate ethos. This ensures that security and data privacy remain paramount when we shape our application, operate our networks, and conduct our daily business.

ThriveSparrow maintains a dedicated security team that includes not only security specialists but every member of our company, because we know security is only as strong as its weakest link.

Vulnerability Disclosure

If you would like to report a vulnerability, please contact security@thrivesparrow.com with a proof of concept, a list of tools used, and the output of the tools. Once received, ThriveSparrow will work quickly to reproduce each vulnerability to verify its status before taking the steps needed to address it.

Compliance and Certification

The Data Processor agrees to process the Data only in accordance with relevant data protection laws and in particular on the following conditions:

ISO 27001

ThriveSparrow has undergone ISO 27001 audits. At ThriveSparrow, our commitment to security is reflected in our ISO 27001 compliance. This certification underscores our stringent information

GDPR

ThriveSparrow aligns with the GDPR standards. If your clientele includes European Union residents who utilize ThriveSparrow, we suggest establishing a Data Processing Agreement (DPA) with ThriveSparrow.

Infrastructure and Network Security

Servers

ThriveSparrow relies on Amazon Web Services (AWS) to host our infrastructure. AWS data centers are fortified with multiple layers of physical access safeguards, including alarms, crash-rated outer perimeter fencing, electronic access cards, video surveillance, and internal trip lights. While we can't provide the exact physical address due to Amazon's security policies, you can find more details about AWS Security features in their whitepaper.

To maintain software security, we employ a mix of automated and manual assessments to identify potential vulnerabilities in our systems. Our dedicated Infrastructure team stays current by reviewing security bulletins and prioritizing fixes based on our internal vulnerability policy.

Logical Access Control

ThriveSparrow has complete control over its infrastructure on AWS: it has full ownership of and responsibility for the servers, storage, and networking resources it uses, and does not rely on a third-party provider to manage them.
Only authorized members of the ThriveSparrow Infrastructure Team can access and configure infrastructure, so only people specifically authorized to do so can make changes. This protects ThriveSparrow's infrastructure from unauthorized access and tampering.
All access to infrastructure requires two-factor authentication (2FA). 2FA adds an extra layer of security by requiring users to enter a code from their phone in addition to their password, which helps prevent unauthorized access even if a user's password is compromised.
Authorization levels for infrastructure components follow the principle of least privilege: users are granted only the permissions they need to perform their job functions. This protects ThriveSparrow's infrastructure from unauthorized access and misuse.

Penetration Testing

ThriveSparrow engages in annual grey box penetration testing carried out by an independent third-party agency. Additionally, ThriveSparrow performs quarterly internal vulnerability assessment and penetration testing (VAPT). The corresponding reports are available upon request.

Third-Party Audit

Amazon Web Services undergoes independent third-party audits and can provide verification of compliance controls for its infrastructure. This includes, but is not limited to, ISO 27001, SOC 2, and PCI.

Business Continuity and Disaster Recovery

Business Continuity

Each aspect of the ThriveSparrow service operates on suitably provisioned and duplicated servers, including multiple load balancers, web servers, and replica databases, to ensure continued functionality in the event of any failures. Our deployments are seamless with zero downtime, facilitated by Kubernetes. We enforce a controlled rollout and rollback strategy for services to swiftly address any deployment errors.

Application Security

Data Encryption

All data residing on ThriveSparrow servers is automatically encrypted at rest using AES-256 on AWS, and all data in transit is encrypted using strict TLS 1.2.

Secure Application Development

ThriveSparrow follows a continuous delivery approach, in which code changes move through a swift cycle of committing, testing, shipping, and iterating. This methodology is reinforced by pull request reviews, continuous integration (CI), and automated security scans, including SonarQube for static code analysis and dynamic application security scanners. These measures substantially reduce the potential for security issues and speed up the remediation of vulnerabilities. Internally, every code change requires approval from an authorized reviewer, and deployment to our production environment is contingent upon comprehensive code review.

Security Policies

ThriveSparrow maintains internal copies of security documentation, which are updated on an ongoing basis and reviewed annually for gaps:

Information Security Policy
Data processing agreement
Risk Assessment procedure
Incident Response Plan
Business continuity procedure

Background Checks

ThriveSparrow conducts mandatory background and reference checks for all employees prior to joining our team.

Security Training

Upon onboarding and annually thereafter, ThriveSparrow ensures the completion of a mandatory security awareness training program for both new and existing team members. This training encompasses the OWASP Top 10 vulnerabilities in the programming languages relevant to our developers.

Disclosure Policy

In the event of a data breach, ThriveSparrow adheres to GDPR guidelines, requiring customer notification within 48 hours of the breach, wherever possible.

ThriveSparrow provides a real-time operational status report on a dedicated status page, where anyone can subscribe to receive email notifications of updates.

Made by the thriving flock at SurveySparrow Inc.