Security and Governance Feature Overview
Sprinklr specializes in security and brand reputation protection across all modern channels. We use a multi-layered, enterprise grade SaaS security feature combined with best in class configuration, policies, procedures, and processes to accomplish this objective. Download here.
Sprinklr 10-Point Security Checklist
We have gathered the ten best practices for social access security: your “10-Point Security Checklist”. While this is not 100% foolproof, it will go a long way to protecting your brand. Download here.
Sprinklr follows OWASP (Open Web Application Security Project) standard security controls for the application security. The Sprinklr SaaS application is developed internally by Sprinklr full-time employees who are provided annual training on secure coding practices. Each release follows the change management process and undergoes thorough Testing, QA and vulnerabilities are remediated.
Sprinklr performs periodic application penetration testing. The latest pen test report is available upon request under NDA.
The Sprinklr application is set behind Firewalls jointly managed by the Cloud Provider and Sprinklr. In addition, all internet traffic terminates in load balancing servers with dynamic IP addresses. Sprinklr continuously monitors the key parameters for all services or any unusual activity.
Responsible Disclosure Policy
Sprinklr utilizes a third party VDP platform for managing security vulnerabilities (continuous testing) reported by the security community. For more information, please refer to https://www.sprinklr.com/responsible-disclosure
Sprinklr’s production environment is completely virtual running in an Infrastructure as a Service third-party cloud environment. The Cloud Hosting Provider operates Tier IV data centers where visitor access is restricted. Data centers are designed to anticipate and tolerate failure while maintaining service levels. Sprinklr office facilities have CCTV video surveillance systems installed at all access points and a guard is on site 24/7.
Availability and Reliability
Sprinklr offers its service in High Availability mode and the service runs in 2 different (and isolated) zones. Failover testing is performed periodically.
Sprinklr performs periodic Infra penetration testing. The latest pen test report is available upon request under NDA.
Incident Response Plan
The Sprinklr Support team uses a follow the sun schedule to provide 24/7 support for issues, critical problems and incidents. Product Support Engineers work staggered during the US daytime and India-based Product Support Engineer(s) takes over for the US night shift (India day). This coverage is provided 365 days a year.
Automation processes are in place to restore the service from the backup data and code in the secondary location. Using automation, the entire service will be restored well within the defined Recovery Point Objective (RPO) and Recover Time Objective (RTO) objectives.
Sprinklr encrypts all Data at Rest (including backups).
As Sprinklr is SaaS, network level security is managed by the Cloud Provider with application level security managed by Sprinklr. HIDS, Firewall and various Health Monitoring tools and alerting systems are deployed on the network.
Sprinklr encrypts all Data in Transit using HTTPS with TLS encryption.
Sprinklr has incorporated data security and data privacy via multiple features as detailed below.
Sprinklr defines user access permission and a role-based access control (RBAC) approach, and they are used to determine user access privileges required. Different customized permissions and configured roles are assigned to the users as per the requirement.
Each Sprinklr user gets their own unique username. User passwords are stored one-way hashed with random salt.
Two-Factor Authentication (2FA)
Account owners and administrators may require that their users leverage this additional security layer as a second layer of defence. Sprinklr supports SMS-based multi-factor authentication.
Single Sign-On (SSO)
Sprinklr offers Single sign-on (SSO) for organizations that leverage this authentication service to give employees one set of login credentials to access multiple applications.
The Sprinklr platform can be restricted to selective IP via IP whitelisting.
HR, Security and IT
All employees are provided data security and data privacy training at the time of hire and annually thereafter. Employees are also regularly tested against phishing and social engineering.
Information Security and Privacy Policies
Sprinklr has detailed security and privacy policies in place. The policies are reviewed on an ad-hoc and at least on an annual basis.
Thorough background checks including criminal, and employment verification are performed on all employees during the hiring process.
Employee workstations are equipped with Full Disk encryption, Anti-Virus and remote wipe capabilities.
Compliance and Certifications
SOC 1 Type II and SOC 2 Type II
Sprinklr has received independent certification of SOC 1 Type II and SOC 2 Type II.
These SOC certifications are renewed annually and are available under NDA.
EU-US & Swiss-US Privacy Shield
Sprinklr maintains the E.U.-U.S. Privacy Shield and Swiss-U.S. Privacy Shield certifications regarding the transfer of personal data from the EEA and/or Switzerland to the U.S.
The certifications can be viewed here.
Sprinklr is GDPR compliant and adheres to the requirements under the General Data Protection Regulation as a data processor and as a data controller.
Sprinklr is compliant under the new CCPA regulation.
Payment Card Industry Data Security Standard Compliant (PCI DSS)
The foundation of our platform is built on ensuring the privacy and security of our customers. Brands who accept credit card payments need a Cardholder Data Environment (CDE) that is Payment Card Industry Data Security Standard (PCI DSS) compliant. When accepting personal information from your customers, ensuring their data is protected is non-negotiable.
Sprinklr is PCI DSS compliant, which has been validated through a self-assessment as well a third-party review with a qualified security assessor or Attestation of Compliance (AOC). Sprinklr’s Modern Care is the first area of the platform to support this via our Live Chat feature.
Sprinklr’s CDE allows brands to transmit PCI secure information from their customers using Sprinklr Live Chat. Care agents can collect a customer’s credit card data and Personally Identifiable Information (PII) in a PCI compliant secure environment without moving between other communication channels to collect the information. Saving time and increasing purchase conversations while keeping customers happy and their information protected.