Security | Sparrow Connected


 

Introduction

 We take Sparrow Connected security seriously. The security of your data is one of our most important responsibilities. This document explains what we do to keep your data secure. 

 

Personnel Security 

All employees and independent contractors who work with Sparrow Connected and have access to our internal systems are required to understand and follow our internal policies and standards. Before accessing our systems, all workers agree to confidentiality terms and attend security training. This training covers privacy and security, acceptable use, preventing malware, account management, physical security, and data privacy.

While working with Sparrow Connected, everyone is required to refresh privacy and security training annually. They are also required to acknowledge that they have read and understand our information security policy and code of conduct. Some employees who have elevated access to our systems and data receive additional job-specific training on privacy and security.

Upon termination of work at Sparrow Connected, all access to Sparrow Connected systems is removed immediately.


Physical Security
 

Built on Microsoft Azure’s cloud infrastructure, Sparrow Connected delivers enterprise-grade reliability and security for internal communications teams. The platform utilizes a fully managed, geo-redundant architecture with automated, AES-256 encrypted backups to ensure continuous uptime and data protection both at rest and in transit. By anchoring our infrastructure in Microsoft’s security ecosystem, we provide a resilient, high-performance network that seamlessly scales while adhering to strict data protection standards. 

Secure by Design 

Sparrow Connected follows a Secure Development Lifecycle. During the design phase, our product team assesses and qualifies any possible security issues. The risk analysis leverages the product team's experience and aligns with OWASP Top 10 development practices.

All code is checked into our version-controlled repository, and code changes are reviewed by peers. Sparrow Connected has a dedicated application testing team, and all software releases pass rigorous testing before being released to production.

The Sparrow Connected application is deployed on hardened systems, and our development operations team follows recommended practices to secure our OS and web servers. We perform active inspection of vulnerabilities and maintain server-level firewalls.

Our web application performs input validation and safely encodes output. All data between client and server is transmitted via HTTPS. The Sparrow Connected application uses server-side sessions with defined user roles, user authentication, and password management.



Protecting Customer Data 

Compliance Certifications and Attestations

Sparrow Connected is committed to achieving and maintaining the trust of our customers. As part of this commitment, Sparrow Connected maintains compliance standards aligned with industry best practices, regulatory and federal/state rulings, international/regional laws, and industry-specific requirements.

   ISO/IEC 27001 Information Security Management System (ISMS)
Certificate Status and Download
 
   ISO/IEC 27701 Privacy Information Management System (PIMS)
Certificate Status and Download
 

 

Data Encryption

Sparrow Connected uses strong encryption when transmitting data over public networks, including the use of TLS 1.2 and 1.3 protocols, AES-256 encryption, and SHA signatures. This is the standard internet communication encryption used by all e-commerce sites, banking, and other high-security web-based systems.

We use Azure database encryption for our database and snapshots. Azure encrypted databases use the industry standard AES-256 encryption algorithm to encrypt your data on the server hosting your database instance.

Backups

Sparrow Connected maintains a comprehensive backup and restoration framework managed by our dedicated DevOps teams. Customer production databases, including Microsoft Azure Cosmos DB and SQL Analytics, are backed up every 24 hours and secured using industry-standard AES-256 encryption. To ensure geo-redundancy and protection against localized disasters, all backups are isolated from live operational environments and distributed across Microsoft’s secure Azure server network. Furthermore, backup integrity is validated through mandated restoration testing conducted at least once per year.

Penetration Testing

Sparrow Connected regularly performs application and infrastructure penetration testing. Our security and development teams review and prioritize any reported findings. All critical and high priority issues are resolved before being released to our production environment.

Network Security

Sparrow Connected maintains separate network environments to protect more sensitive data. Systems supporting testing, development, marketing, and our corporate network are separate from our production systems. Administration access to our production systems is limited to our development operations team, and privileged account usage is granted on an as-needed basis only.

Authentication

Where possible, Sparrow Connected uses multi-factor authentication. This includes administration access to production systems, 3rd-party SaaS providers, and internal business systems. Sparrow Connected encourages employees to use an approved password manager to create complex, unique passwords for all systems and services they use.

The Sparrow Connected application requires a strong password and is rate limited to protect against possible attacks.

System Monitoring, Logging, and Alerting

Sparrow Connected actively monitors servers, workstations, and mobile devices for possible vulnerabilities and attacks. We maintain user activity logs, server logs, and audit logs for all systems. Detailed access logs are available both to users and administrators — we log every sign-in, noting the type of device used and the IP address of the connection. Alerts are examined and acted upon based on priority.

Virus Scanning

All employee workstations are protected using Sophos Endpoint Protection. Sophos provides real-time detection and blocking of malware, ransomware, and viruses using signature-based scanning and behavioral analysis. Endpoint policies are centrally managed and consistently enforced across all devices, with detection events logged and reviewed as part of our ISO 27001-certified security program.

Endpoint Monitoring and Computer Security

Sparrow Connected workstations run monitoring tools that can detect malware, virus activity, and unsafe configurations. Workstations are required to encrypt data, have strong passwords, and lock when idle. Our IT team monitors alerts and resolves any significant issues based on priority.

Mobile Device Management

Mobile devices used at Sparrow Connected are centrally managed and required to be enrolled in our mobile device management system.

Data Confidentiality

Our Terms and Conditions and Terms of Service require us to maintain the confidentiality of all information provided by our customers. This includes both content stored in the Sparrow Connected application and information provided to us in phone calls, meetings, email, and so on.

We place strict controls over our employees' access to customer data and are committed to ensuring that customer data is not seen by anyone who should not have access to it. Some employees may need access to systems that store and process customer data in order to diagnose problems or provide support. These employees are prohibited from using these permissions to view customer data unless it is necessary to do so. We have technical controls and audit policies in place to ensure that any access to customer data is logged.

Protected Data and Personally Identifiable Information

Sparrow Connected maintains policies regarding data security and individual privacy protection. We protect our customers' and users' data with the same care as we protect our own confidential data.

Sparrow Connected has internal controls in place to ensure protected data is safeguarded in accordance with applicable laws based on country, state, and provincial regulations, including, but not limited to GDPR, PIPEDA, and other applicable privacy legislation.

Data Removal

Customer and user data can be removed upon request by contacting our support team. Within 24 hours of initiating deletion, Sparrow Connected removes the information from all currently running production systems. Backups are purged on a rolling schedule. Sparrow Connected relies on our hosting providers to remove data from disks before they are repurposed.

Information Security Incident Management

Sparrow Connected maintains security incident response policies and procedures covering initial response, investigation, and customer notification. Our incident response plan follows the structured process defined by the SANS Institute, covering preparation, identification, containment, eradication, recovery, and lessons learned. We review and test these policies annually.

Breach Notification

Sparrow Connected makes its best efforts to protect your data; however, no method is perfect, and we cannot guarantee absolute security. If Sparrow Connected learns of a security breach, we will notify all affected users without undue delay. Our breach notification procedures are consistent with applicable country, state, and provincial legal requirements.



Business Continuity and Disaster Recovery

Sparrow Connected is committed to providing a highly available service you can count on. Our infrastructure runs on systems that are fault tolerant, designed to withstand failures of individual servers or entire data centers. Our dedicated DevOps team manages the backup and restoration process for all customer production environments, which are regularly tested at least once per year to verify recoverability and data integrity, in alignment with our corporate Backup and Restoration Policy.

Our production environment is Azure cloud-native, utilizing geo-redundancy across regions including East US 2 and Canada Central, to minimize the impact of any failure. The entire environment is scripted and can be recreated in a few hours, with a maximum anticipated downtime of one business day.

In the event of a catastrophic database failure, our recovery objectives are: the primary database, backed up every 24 hours with a 5-day retention, is expected to be restored in less than 8 hours. Our production data warehouse can be rebuilt in approximately 6 hours.



3rd-Party Suppliers

Sparrow Connected relies on 3rd-party suppliers like Microsoft Azure and SendGrid to provide our services. Sparrow Connected performs due diligence on the information security practices and data protection compliance of all third-party sub-processors and requires each to commit to written obligations regarding their security controls and applicable regulations for the protection of personal data, including safeguards to govern international transfers of data. Our environment is subject to the rules and regulations of the Microsoft Azure Trust Centre.



Contact Us

If you have a concern, complaint, or questions about your personal information, or if you believe you have found a security vulnerability in Sparrow Connected, please reach out to security@sparrowconnected.com. For more information, see our Privacy Policy. 

Sparrow Connected is a product of Fulcrum Management Solutions Ltd. 

 
