Document Owner : Gareth Jones
Last updated : April 26, 2022
This document provides an overview of our security and business continuity/resiliency policy for customers who need to know about what happens in the event of systems failure.
Sparrow is committed to providing the best possible experience to its customers and the best possible relationships with employees and shareholders.
To ensure the consistent availability and delivery of its products and services, Sparrow has developed the following security, business continuity and disaster recovery (BC/DR) policies in support of the program for BC/DR and overall business survivability.
The company, like any other firm, is exposed to potential risks that could disrupt or destroy critical business functions and/or the development and delivery of services.
Our strategy for continuing business in the event of an incident is to ensure the safety and security of all employees and to continue critical business functions using our pre-existing remote work policy.
The company’s security policy follows the NIST (National Institute of Standards and Technology) Cybersecurity Framework; the following items have been explicitly called out for clarity. Further details of the Cybersecurity Framework and NIST can be found at https://www.nist.gov/cyberframework.
The purpose of the Security and BC/DR policy is to ensure that all Company business activities can be kept at normal or near-normal performance following an incident that has the potential to disrupt or destroy the Company.
The scope of this policy is the entire Company and employees in Canada.
Gareth Jones, CISO, is designated as the corporate management liaison responsible for the Security and BC/DR program. Resolution of issues in the development of, or support of, all Security and BC/DR plans and associated activities, including external organizations and suppliers, will be led by the above executive, in conjunction with executive leadership.
Most of Sparrow is Azure cloud-native, which means there is no specific machine that can fail, but rather a set of Microsoft Azure servers behind the scenes providing aggregated services. Sparrow’s Production environment takes advantage of geo-redundancy and other features to minimize the potential impact of failure, with more details below. Sparrow’s UAT environment is not maintained at the same level, as it is intended for testing purposes only, with no guarantee of data retention and continuity.
The creation of the entire Sparrow environment is scripted and can be recreated in a small number of hours. The maximum downtime anticipated during this scenario is one business day.
Sparrow Connected has an entirely distributed team and therefore does not assume the risk associated with a central office facility.
We understand that you rely on the Sparrow Connected services to work. We’re committed to making Sparrow Connected a highly-available service that you can count on. Our infrastructure runs on systems that are fault tolerant, for failures of individual servers or even entire data centers. Our operations team tests disaster-recovery measures regularly and staffs an around-the-clock on-call team to quickly resolve unexpected incidents.
An inventory of physical devices within the organization is kept and regularly monitored.
In the event of a laptop failure, corporate applications are automatically provisioned when the machine is connected to Azure Active Directory and Microsoft OneDrive will automatically synchronize user data. This results in minimal downtime.
The Sparrow for SharePoint solution is different than Sparrow for Microsoft Teams, the Sparrow Admin Portal, and Sparrow for Mobile, as it has configuration settings that are retained within SharePoint. Therefore, proper backup and recovery of those particular configuration settings are the responsibility of the customer.
Sparrow’s backend logic components are configured to automatically restart themselves upon having health issues – from our Azure Functions to our Event Hubs. In addition, Sparrow’s logic components and primary database are configured with health monitoring alerts to inform the Sparrow team of potential issues that need active monitoring or potential intervention.
Sparrow’s primary database is cloud-native, meaning it is not run within an explicit VM and subject to classic issues; instead, it is automatically distributed over multiple physical servers owned and operated by Microsoft behind the scenes. The primary database has a backup schedule of every 24 hours, with retention for 5 days. Sparrow’s UAT primary database is set up for 24-hour backups with 2 days of retention. It is expected that if there were a catastrophic database failure, the Sparrow database could be restored and returned to operation in less than 8 hours.
Sparrow’s production data warehouse is set up with locally redundant storage (within the same Azure region). This means that for the data warehouse to be affected, the entire Azure Central Canada region has to be affected. In that event, Sparrow is able to rebuild its data warehouse in approximately 6 hours.
Sparrow uses a distributed, cloud-native architecture with event hubs and the like. This is most commonly used for issuing notifications and recording analytical events (like an individual user reading of a specific post). In the event of a catastrophic failure, it is possible that Sparrow could fail to issue notifications for a post (which could be re-published) or that some user analytical events could be lost.
All images and videos that have been uploaded to Sparrow as part of posts or events are captured in Azure storage. This is configured with geo-redundancy to ensure that it has distributed backups throughout Microsoft’s Azure network of servers, and that no explicit backup would be needed.
In the event of the most catastrophic of failures, Sparrow has scripted the ability to stand up nearly our entire production environment, after which a database backup could be applied and additional scripts run to make Sparrow completely operational. Our objective is to be able to do this within 48 hours of such an event.
Sparrow will be instituting a data retention policy shortly, limiting the amount of time for which we will be retaining:
Currently this is 7 years; however, refinements will be made based on customer and legal feedback, and customers will be given the ability to have customized values.
The Sparrow team is constantly looking at opportunities to raise our level of redundancy and increase our robustness. As we examine new technologies and look at our ever-growing options, we revisit the changes in the needs of our customers to see how we can exceed expectations.
Please feel free to contact us if you have any questions about Sparrow Connected's Security, Privacy Policy or practices.