This article provides an overview of the security controls in place at SharpSpring and of the services SharpSpring provides to customers.
This article is meant for SharpSpring’s direct customers, agency partners, and potential prospects. Agency partners, please use the information contained in this document to answer basic security questions your customers may have.
The information contained in this article is current as of 1 January 2018, and SharpSpring believes it to be correct on such date. However, SharpSpring gives the information contained in this article in good faith only and without any warranties or representations as to the accuracy or completeness of the information.
SharpSpring expressly excludes all warranties, conditions, and other terms implied by law; and all liability for losses arising from customer, partner, or third-party reliance on the information contained in this article. This does not affect SharpSpring's liability for fraud or fraudulent misrepresentation, or any other liability, which cannot be excluded or limited under applicable law.
The information in this article is subject to change at any time, and SharpSpring will use reasonable endeavors to update this information on a regular basis.
| Term | Definition |
|---|---|
| ASV | Approved Scanning Vendor. |
| Cardholder Data | Primary Account Number, Cardholder Name, Service Code, and Expiration Date. |
| Client Confidential Data | Information received from clients in any form for processing in production by SharpSpring. The original copy of such information must not be changed in any way without written permission from the client. The highest possible levels of integrity, confidentiality, and restricted availability are vital. |
| | Information collected and used by SharpSpring in the conduct of its business to employ people, to log and fulfill client orders, and to manage all aspects of corporate finance. Access to this information is very restricted within the company. The highest possible levels of integrity, confidentiality, and restricted availability are vital. |
| HIPAA | The Health Insurance Portability and Accountability Act. As SharpSpring does not store or process health records, it is not required to be HIPAA-compliant and does not plan to become so. |
| PCI-DSS | Payment Card Industry Data Security Standard. |
| | Any information relating to an identified or identifiable natural person (the data subject), that is, a person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity. |
| PII | Personally Identifiable Information. |
| Proprietary | Information restricted to management-approved internal access and protected from external access. Unauthorized access could affect SharpSpring's operational effectiveness, cause a significant financial loss, provide a significant gain to a competitor, or cause a major drop in customer confidence. Information integrity is vital. |
| EU-US Privacy Shield | A compliance framework governing transfers of personal data from the EU to the US; it replaced Safe Harbor. |
| QSA | Qualified Security Assessor. |
| Safe Harbor | The International Safe Harbor Privacy Principles were developed between 1998 and 2000 to prevent private organizations within the European Union or United States that store customer data from accidentally disclosing or losing personal information. |
| Sensitive Authentication Data | Full magnetic stripe data, CAV2/CVC2/CVV2/CID, and PIN/PIN block. |
| SRE | Site reliability engineering: a discipline that applies software engineering practices to IT operations problems, with the main goals of creating highly scalable and highly reliable software systems. |
| | Information that is not confidential and can be made public without any implications for SharpSpring. Loss of availability due to system downtime is an acceptable risk. Integrity is important but not vital. |
Standards, Regulatory Measures, and Compliance
SharpSpring is regulated by the United States Securities and Exchange Commission and goes through yearly audits by a registered third-party auditor to ensure compliance.
With regard to the Payment Card Industry Data Security Standard (PCI-DSS), SharpSpring uses Authorize.net's own PCI-compliant payment processing services to accept, store, and process all Cardholder Data and all Sensitive Authentication Data. No Sensitive Authentication Data (magnetic stripe data, CAV2/CVC2/CVV2/CID, or PIN data) is stored on SharpSpring's servers; the only card-related data elements stored there are the following:
- Expiration dates
- Address information
- Cardholder names
Upon completion of the pending qualified security assessor (QSA) audit of its PCI security controls, SharpSpring will provide the Attestation of Compliance, the scope statement, and the PCI Responsibility Matrix through its in-house QSA and Compliance Team. SharpSpring will not release the full PCI-DSS Report on Compliance, as it contains proprietary and commercially sensitive details of SharpSpring's security processes. Authorize.net's own PCI compliance is described in detail in Authorize.net's Security Compliance documentation.
SharpSpring is not Health Insurance Portability and Accountability Act (HIPAA)-compliant. HIPAA applies to covered entities and their business associates that create, receive, maintain, or transmit protected health information (PHI). As a norm, SharpSpring does not store this type of data, and as SharpSpring does not operate in an industry regulated by HIPAA, it does not require HIPAA compliance to operate.
European Union General Data Protection Regulation Compliance
The European Union General Data Protection Regulation (GDPR) replaces and expands on the earlier EU data protection law, the Data Protection Directive of 1995 (95/46/EC). The regulation was adopted on 27 April 2016 and became enforceable on 25 May 2018. SharpSpring has updated its terms, privacy policies, and infrastructure to be in full compliance with the GDPR.
SharpSpring's policy on the classification and safe handling of data is a defined Information Classification Policy that identifies all customer data as confidential. It also addresses the marking and handling requirements of documentation.
All sensitive data exchanged between the application, extranet, tracking endpoints, and servers is transferred over Transport Layer Security (TLS) using up-to-date cipher suites with a minimum of 256-bit symmetric encryption strength. Credentials are stored on disk in encrypted form so that they are not exposed in the event of a data theft or data breach incident.
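As an added example (not SharpSpring's code), the following Python script, using only the standard library, evaluates a negotiated TLS cipher against the policy the paragraph states: TLS 1.2 or newer, 256-bit symmetric strength, forward-secret key exchange, and an AEAD mode. The 256 bits in such a policy are the symmetric cipher's key length; the server's RSA certificate key is a separate parameter (2048 bits or more in practice), and a 256-bit RSA key would be trivially factorable. The sample results are constructed in the shape `ssl.SSLSocket.cipher()` returns; `probe()` runs the same check against a live hostname you supply.

```python
import socket
import ssl
from dataclasses import dataclass, field

MIN_SECRET_BITS = 256                       # symmetric key length required by the policy
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
FORWARD_SECRET_KEX = ("ECDHE", "DHE")       # OpenSSL name prefixes for ephemeral key exchange
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")   # authenticated-encryption modes


@dataclass
class CipherVerdict:
    name: str
    protocol: str
    secret_bits: int
    reasons: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.reasons


def evaluate_cipher(name: str, protocol: str, secret_bits: int) -> CipherVerdict:
    """Judge one negotiated cipher as reported by ssl.SSLSocket.cipher()."""
    verdict = CipherVerdict(name, protocol, secret_bits)
    if protocol not in ALLOWED_PROTOCOLS:
        verdict.reasons.append(f"{protocol} is below TLS 1.2")
    if secret_bits < MIN_SECRET_BITS:
        verdict.reasons.append(
            f"symmetric key is {secret_bits} bits, policy requires {MIN_SECRET_BITS}")
    # Every TLS 1.3 suite uses ephemeral (EC)DHE; for older protocols the name must say so.
    if protocol != "TLSv1.3" and not name.startswith(FORWARD_SECRET_KEX):
        verdict.reasons.append("no forward secrecy (static RSA key exchange)")
    if not any(marker in name for marker in AEAD_MARKERS):
        verdict.reasons.append("not an AEAD suite (CBC/HMAC construction)")
    return verdict


def probe(host: str, port: int = 443, timeout: float = 5.0) -> CipherVerdict:
    """Connect to a live endpoint and evaluate what it actually negotiates.

    Requires network access; the offline samples below do not call this.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse to even test legacy protocols
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, protocol, bits = tls.cipher()
            return evaluate_cipher(name, protocol, bits)


# Constructed sample results (not captured from any real server), in the shape
# ssl.SSLSocket.cipher() returns: (cipher name, protocol version, secret bits).
SAMPLES = [
    ("TLS_AES_256_GCM_SHA384", "TLSv1.3", 256),        # modern, passes
    ("ECDHE-RSA-AES256-GCM-SHA384", "TLSv1.2", 256),   # passes
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),   # good suite, but below 256 bits
    ("AES256-SHA", "TLSv1.0", 256),                    # 256-bit AES does not rescue this one
]


def evaluate_samples(samples=SAMPLES):
    """Map each sample cipher name to its verdict."""
    return {name: evaluate_cipher(name, proto, bits) for name, proto, bits in samples}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        status = "PASS" if verdict.ok else "FAIL: " + "; ".join(verdict.reasons)
        print(f"{name:32} {verdict.protocol:8} {status}")
```

The last sample is the instructive one: it advertises 256-bit AES yet fails on protocol version, key exchange, and cipher mode, which is why a policy stated only as a bit count is not sufficient on its own.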
The duty to observe all policies and procedures is described in SharpSpring's employment offer letters and is a mandatory condition of employment at SharpSpring. SharpSpring clients' Personally Identifiable Information (PII) is labelled as Client Confidential Data, and the corresponding confidentiality obligations are explicitly set out in employee offer letters. These obligations are a mandatory condition of employment and remain enforceable after termination.
Procedures are in place to ensure the reliability of employed staff. The competence of SharpSpring employees is a key element of the controlled environment. SharpSpring is committed to the continual training and development of its employees. This commitment to competence is expressed in SharpSpring’s personnel policies and related human resource programs. Specific indicators of the commitment to employee development include recruiting and hiring policies, investment in training and development, and performance monitoring.
SharpSpring's commitment to competence begins with recruiting, which is the joint responsibility of the Human Resources Department and the business unit or department managers. Hiring decisions are based on educational background, prior relevant experience, past accomplishments, and evidence of integrity and ethical behavior. As with all SharpSpring policies, a breach of data protection is a disciplinary offense that can result in termination. SharpSpring employees are kept up to date on security issues in the industry, as well as specific threats to the company.
SharpSpring's information technology (IT) team manages and tracks all company-issued devices and equipment. Upon employment, workstations are issued. SharpSpring has a documented asset management policy, which is strictly followed.
Information Security Management System
SharpSpring conducts risk assessments with regards to confidentiality, integrity, and availability. As part of the SharpSpring Security Framework, the impact resulting from loss of confidentiality, integrity, and availability of assets is assessed as part of the organization’s Risk Management procedures.
SharpSpring considers the availability of the customer solution from the perspective of network and hardware uptime and the availability of services to be of the highest importance. SharpSpring’s hosting providers—Google Cloud Platform (GCP) and Amazon Web Services (AWS)—each provide particularly strong controls, processes, and configurations aimed to ensure maximum possible uptime.
SharpSpring's Information Security Management System (ISMS) takes a risk-based approach to implementing and monitoring security controls where requirements are deemed necessary. The framework is continually extended and improved through policies, controls, and user education, following the repeated cycle of Plan, Do, Check, Act.
SharpSpring is not certified under ISO/IEC 27001 and therefore cannot provide proof of certification. That said, SharpSpring places the utmost importance on securing its own data and extends the same protection to customers as part of the service. SharpSpring's web application architecture, product design, security mechanisms, and internal processes have been established in alignment with the ISO/IEC 27001 specification.
SharpSpring is hosted almost entirely within the Google Cloud Platform and utilizes their Virtual Private Cloud network. The only interfacing networks are SharpSpring offices over a secure virtual private network (VPN), which is strictly controlled. SharpSpring hosts the entirety of its server architecture within Google Cloud Platform data centers and utilizes additional services with Amazon Web Services:
- Google has earned ISO 27001 certifications for the systems, applications, people, technology, processes, and data centers serving Google Cloud Platform.
- Amazon Web Services holds ISO 27001 certification, with 33 services in scope at the time of writing.
SharpSpring Information Security Policy
SharpSpring has a documented Security Policy—and related policies—to keep infrastructure secure. These policies typically are not available to customers since the documents are classified as proprietary according to the SharpSpring Information Classification Policy. The SharpSpring Information Security Policy is reviewed, at a minimum, annually (or sooner as a significant changes occur) to ensure its continuing accuracy, adequacy, and effectiveness. In order to ensure that customer data remains secure, SharpSpring addresses the following critical security areas: physical security, network infrastructure, and security operations.
SharpSpring does not share its policies and procedural documentation with current or potential customers. All SharpSpring policies are classified as proprietary under the Information Classification Policy, and disclosing them could jeopardize the security of customers and infrastructure.
Security for network infrastructure is ensured through proper implementation of industry security standards (authentication, authorization, high-grade encryption, multiple security controls, firewalls, packet filters, intrusion detection/prevention systems, continuous monitoring and auditing). SharpSpring’s operational security consists of business processes and policies which follow security best practices in order to limit access to confidential information and maintain strong security over time.
SharpSpring's site reliability engineering (SRE) and system security teams actively support information security within SharpSpring through clear direction, demonstrated commitment, explicit assignment of responsibilities, and acknowledgement of their own, and everyone else's, information security responsibilities.
SharpSpring has assigned responsibility for information security to the Information Security Team. The Information Security Team has collectively reviewed and approved the ISMS, which demonstrates the commitment to the establishment, implementation, operation, monitoring, review, maintenance, and improvement of the ISMS. The Information Security Team coordinates with SharpSpring’s Legal Team to ensure compliance with all local, state, and federal laws and regulations that affect SharpSpring. The Security and Legal teams regularly meet to discuss new regulations that could impact information security either on a customer or an enterprise-wide level. Additionally, SharpSpring performs regular internal audits upon operations and security controls, processes, and policies. The results of these audits are not available to external parties.
In regards to independent review, SharpSpring’s approach to managing information security and its implementation (such as control objectives, controls, policies, rules, processes, and procedures for information security) is independently reviewed at planned intervals, and when significant changes to the security implementation occur. The SharpSpring ISMS is audited internally annually, and a team is responsible for risk assessments pertaining to information security.
SharpSpring performs risk assessments on its suppliers and third parties. Third-party suppliers who are identified as having an impact on the security of SharpSpring's service delivery are assessed. Those vendors or suppliers that are deemed to have a sufficiently high level of risk have formal risk assessments performed on an annual basis to help lower the risk level of the vendor. These assessments are considered as confidential according to the Information Classification Policy and cannot be shared with customers.
New hire security processes—such as background screening, user account creation, and initial security awareness training—are controlled by formal processes established by the SharpSpring ISMS. In the same fashion, formal off-boarding processes are documented and followed. Termination activities, including exit interviews, revocation of system privileges, disabling of accounts, and recovery of corporate-owned assets are controlled by formal processes established by the ISMS. Access lists for internal critical systems are reviewed periodically.
SharpSpring has implemented security awareness processes and procedures, which include a security awareness bulletin issued at least twice a year and mandatory security awareness training. SharpSpring understands that a single employee can be the target of an attack, and that message resonates across the company.
Changes and updates to security policy are communicated to all employees through company-wide emails, intranet bulletins, and through biannual security training. New employees are briefed on the SharpSpring Security Policy during employee orientation, and each employee signs a security acknowledgement form. Each employee is also bound by strict confidentiality obligations, which are embodied within a confidentiality agreement.
SharpSpring information technology (IT) technicians are available on a 24/7 basis to handle any critical system failures that may arise within its IT infrastructure. In order to meet its business needs and ensure the continuity of services, SharpSpring IT technicians are certified in various areas of expertise.
Physical and Environmental Security
Physical security measures are in place at SharpSpring data centers and offices. The physical security of SharpSpring's architecture is ensured by its ISO 27001-certified hosting providers, Google and Amazon. As SharpSpring's servers are hosted entirely within Google Cloud Platform, SharpSpring does not deal with external storage. SharpSpring follows best practices for data integrity and safety, including a robust backup schedule, tested restores, and off-site backups to an entirely different platform. The off-site backups are encrypted and stored within.
SharpSpring does not use a mainframe; it runs several distributions of Linux within its application infrastructure. SharpSpring uses several types of datastores depending on purpose, including a mix of MariaDB, MySQL, MongoDB, Redis, and some one-off datastores for internal projects, the majority being dedicated instances of each. SharpSpring does not host its own public nameservers; its domain name system (DNS) is hosted by Google Cloud Platform. For internal DNS, SharpSpring runs some BIND servers used by non-production traffic. Most email is sent via various third-party services.
Data Backup and Monitoring
The backup policy at SharpSpring requires full backups of customer data daily, with incremental backups performed each hour. SharpSpring's retention period for backups of customer data is seven days. SharpSpring replicates these backups to an off-site location in accordance with its disaster recovery policy, and has put high availability (HA) mechanisms in place to reduce the need for recovery. SharpSpring makes a best-effort attempt to retain customer data; however, SharpSpring does not provide any direct guarantee against loss of customer data.
SharpSpring's backup procedures follow the CIA triad: confidentiality, integrity, and availability. Backups are verified for integrity, encrypted, securely transferred, and stored at both on-site and off-site locations. They are then verified through restore testing.
SharpSpring uses open source tools: Zabbix to monitor the availability of its services and gather web application performance metrics, and OpenVAS to perform regular vulnerability scans against its critical infrastructure. SharpSpring reinforces these processes by regularly performing penetration tests against its own architecture. Monitoring and the associated alerting are regularly tested to ensure that SharpSpring Network Operations Center (NOC) staff are notified immediately of any operational anomaly or service interruption.
SharpSpring maintains an internal access control policy. The access control policy defines procedures for the creation of new SharpSpring user accounts and addition of initial privileges and rights, as well as the change and removal of SharpSpring user privileges and termination of SharpSpring user accounts. SharpSpring access control policies are based on the principles of least privilege and the segregation of duties. Segregation is enforced through role-based access control policies and technical controls. Virtual local area networks (VLANs) are also used to provide logical segregation of servers, laptops, and departments.
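The following Python script is an added illustration, not SharpSpring's code or policy, of how segregation of duties is checked mechanically on top of role-based access control: roles map to permissions, users map to roles, and a set of toxic permission pairs must never be held by one identity. The roles, permissions, users, and conflict pairs are all constructed for the example.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample policy for illustration only; these are not SharpSpring's roles.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "developer":       {"repo:write", "ci:run", "repo:read"},
    "qa":              {"qa:approve", "repo:read"},
    "release-manager": {"repo:merge-master", "prod:deploy"},
    "billing":         {"billing:issue-refund", "billing:view"},
    "finance-auditor": {"billing:approve-refund", "billing:view"},
    # A legacy role that bundles two duties which must stay separate. Nobody holds it,
    # but the role definition itself is a defect the audit should surface.
    "legacy-admin":    {"billing:issue-refund", "billing:approve-refund"},
}

# Toxic permission pairs: no single identity may hold both halves.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"repo:write", "qa:approve"}),                        # cannot QA-approve own code
    frozenset({"repo:merge-master", "qa:approve"}),                 # cannot approve and merge
    frozenset({"billing:issue-refund", "billing:approve-refund"}),  # two-person refunds
}

USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"developer"},
    "bob":   {"developer", "qa"},              # writes code and approves QA: violation
    "carol": {"billing", "finance-auditor"},   # issues and approves refunds: violation
    "dave":  {"release-manager"},
}


def effective_permissions(user: str, user_roles=USER_ROLES,
                          role_permissions=ROLE_PERMISSIONS) -> Set[str]:
    """Union of the permissions of every role assigned to the user."""
    perms: Set[str] = set()
    for role in user_roles.get(user, set()):
        perms |= role_permissions.get(role, set())
    return perms


def conflicts_in(perms: Set[str], conflicts=SOD_CONFLICTS) -> List[Tuple[str, ...]]:
    """Sorted list of toxic pairs fully contained in a permission set."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= perms)


def audit_users(user_roles=USER_ROLES,
                role_permissions=ROLE_PERMISSIONS) -> Dict[str, List[Tuple[str, ...]]]:
    """Users whose combined role assignments violate segregation of duties."""
    report: Dict[str, List[Tuple[str, ...]]] = {}
    for user in user_roles:
        found = conflicts_in(effective_permissions(user, user_roles, role_permissions))
        if found:
            report[user] = found
    return report


def audit_roles(role_permissions=ROLE_PERMISSIONS) -> List[str]:
    """Roles that by themselves bundle a toxic pair (a defect in the role model)."""
    return sorted(role for role, perms in role_permissions.items() if conflicts_in(perms))


if __name__ == "__main__":
    for user, pairs in audit_users().items():
        print(f"{user}: holds conflicting permissions {pairs}")
    for role in audit_roles():
        print(f"role {role!r} bundles duties that must be separated")
```

Checking the union of a user's roles, rather than each role in isolation, is the point: both of bob's roles are individually reasonable, and the violation exists only in their combination.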
In addition, SharpSpring has clearly defined information security responsibilities, which are documented in the SharpSpring Information Security Policy. These responsibilities for specific information security procedures are clearly defined and documented in the ISMS.
SharpSpring permits employees to work remotely to support their work-life balance. Remote access is provided through virtual private network (VPN) authentication secured with Internet Protocol Security (IPsec). A policy is in place to maintain security throughout the remote access provisioning process and to manage security concerns when interfacing with the SharpSpring demilitarized zone (DMZ).
Systems Development and Maintenance
SharpSpring infrastructure and development deployments, including source code changes, are peer-reviewed, tested by the Quality Assurance (QA) team, and audited before every testing and production release. A series of automated and manual tests is used for consistency, to test for known vulnerabilities and threats, and to ensure product stability.
SharpSpring thoroughly tests the content it releases. Using behavior and test-driven development, SharpSpring's dedicated QA team runs simulations on isolated instances of the application to ensure no customer data is accidentally corrupted or contaminated. Once testing has been completed and passed, the QA Manager allows the deployment to be merged into the master build, which gets released as the current live instance which clients will see.
Business Continuity and Disaster Recovery
SharpSpring’s business continuity management process for recovery in case of incidents or system failures involves ensuring that supporting network infrastructure and customer services quickly resume normal operations after any service interruption event. SharpSpring’s business continuity efforts are consistent and reflect industry best practices.
Additionally, a documented disaster recovery policy is in place for all facets of the business. This policy and the associated plans will be incorporated into the employee security and training programs for 2018.
Elements of the SharpSpring Business Continuity and Disaster Recovery Plan are tested in a staggered fashion in order to minimize the potential of impact on customer service delivery. Testing is performed according to a formal schedule.
Vulnerability Assessment and Management Program
SharpSpring's Vulnerability Assessment team performs internal audits using a combination of open source and proprietary industry-standard tools, such as OpenVAS and Nessus, to assess the SharpSpring platform's external network footprint. SharpSpring prohibits unauthorized vulnerability assessments or penetration tests against SharpSpring services, whether performed internally or externally.