Your data is the lifeblood of your business and of your compliance obligations. At Sapeum, we protect it from the ground up by following industry best practices for cloud security.
We never sell your data to third parties. Your data belongs to you, and our team will never access it unless you explicitly instruct us to. Your data can also be deleted on request, in line with the rights defined in your region. Learn more in our Privacy Policy.
We use Amazon Web Services (AWS) data centers in the United States, specifically in the us-east-1 (Northern Virginia) region. AWS holds numerous certifications and attestations for these facilities, including ISO 27001 and SOC 1, SOC 2 and SOC 3 reports. We follow AWS security best practices, using AWS Security Hub and AWS Config to continuously check and manage the security of our infrastructure.
Access to physical and application systems is granted on a least-privilege basis and protected by safeguards such as multi-factor authentication. All such access is logged and monitored per our policies.
Data is encrypted in transit and at rest. Data in transit is encrypted using Transport Layer Security (TLS), and HTTP Strict Transport Security (HSTS) instructs browsers to refuse unencrypted connections to our services. Data at rest, including backups, is encrypted with the industry-standard AES-256 algorithm; this is handled transparently by the AWS services that hold the data, such as Amazon Relational Database Service (RDS), using keys managed in AWS Key Management Service (KMS).
Our virtual servers are logically isolated within an AWS Virtual Private Cloud (VPC) and do not have public IP addresses. Security groups, network access control lists (NACLs), and internet gateways control which traffic can reach our internal network and block unauthorized access.
We have a robust, layered perimeter in front of the application, including Cloudflare, Amazon CloudFront, AWS Web Application Firewall (WAF), and AWS Shield. These edge systems filter malicious requests before they reach the application.
We use services such as Amazon GuardDuty to continuously monitor for malicious activity and unauthorized behavior across the application, network, and data. Amazon Inspector continuously scans workloads for software vulnerabilities and unintended network exposure. When security events exceed defined thresholds, our security team responds promptly in accordance with our policies.
Databases are backed up daily, and backups are encrypted. Our recovery procedures use point-in-time recovery from transaction logs and versioned backup copies, so data can be restored to a state close to the moment of failure. Our recovery policies enable us to restore service in the event of such unavoidable failures.
Audit logs exist at every level, including network, database, AWS console, and application. These logs are streamed to Amazon CloudWatch for viewing and analysis, retained on the servers themselves, and archived redundantly in Amazon S3.
Passwords are never stored in plaintext and are only ever transmitted over TLS. Credentials are stored as one-way hashes generated with PBKDF2 using HMAC-SHA-256, a password-stretching key derivation function recommended by NIST (SP 800-132). We also enforce a password complexity standard. Login attempts are tracked, and after a small number of failed attempts authentication is blocked.
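As an added illustration of the credential handling described above (example code, not Sapeum's own implementation), the following Python shows the two mechanisms side by side: PBKDF2-HMAC-SHA-256 hashing with a per-credential random salt and a constant-time comparison, and a failed-attempt counter that blocks authentication for a username after a threshold. The iteration count follows OWASP's current guidance for PBKDF2-HMAC-SHA256; the lockout threshold and window are assumed values, since the page does not state them.

```python
import base64
import hashlib
import hmac
import os
import time

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's current recommendation is 600,000 iterations).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32
# Assumed lockout policy: the page says only "a small number of attempts".
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    Storing the parameters alongside the hash lets the work factor be raised
    later without invalidating existing credentials.
    """
    salt = os.urandom(SALT_BYTES)  # fresh random salt per credential
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DERIVED_KEY_BYTES
    )
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute PBKDF2 with the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, dk_b64 = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
        )
    except (ValueError, TypeError):
        # Malformed record: fail closed rather than raise.
        return False
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


class LoginGuard:
    """Tracks failed logins per username and blocks authentication after a threshold."""

    def __init__(self, max_failed=MAX_FAILED_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_failed = max_failed
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so the lockout window can be tested
        self._state = {}  # username -> (failed_count, locked_until)

    def attempt(self, username: str, password: str, stored_hash: str) -> str:
        """Return 'ok', 'denied', or 'locked'."""
        now = self.clock()
        failed, locked_until = self._state.get(username, (0, 0.0))
        if locked_until > now:
            # Do not evaluate the password while locked: during the window a correct
            # guess must be indistinguishable from a wrong one.
            return "locked"
        if locked_until:
            failed = 0  # previous lockout has expired; start a fresh count
        if verify_password(password, stored_hash):
            self._state.pop(username, None)  # success clears the counter
            return "ok"
        failed += 1
        if failed >= self.max_failed:
            self._state[username] = (failed, now + self.lockout_seconds)
            return "locked"
        self._state[username] = (failed, 0.0)
        return "denied"
```

In production the counter would live in a shared store (the database or a cache) rather than in process memory, so that all application instances see the same state, and a lookup for an unknown username should still run one PBKDF2 computation against a dummy record so response time does not reveal which usernames exist.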
Both our frontend and backend applications are built on mature, actively maintained open-source frameworks and libraries whose built-in security controls limit risks such as those in the OWASP Top 10, including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection (SQLi), among others.
Application access is strictly managed per our policies and is governed by object-level role-based access control (RBAC): roles are assigned per object rather than globally, with granular roles including administrator, contributor, and viewer.
We have a robust QA process built on version control, code review, and manual and automated testing. Environments are isolated, and live customer data is never used in testing or staging environments.
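To make the object-level RBAC model concrete, here is an added Python example (not Sapeum's code) of how such a check is typically structured: each object carries its own role assignments, every permission check is default-deny, and the ability to assign roles is itself a permission held only by the object's administrators. The role and permission names are taken from the page; the permission set behind each role and the `manage_roles` permission are assumptions.

```python
from enum import Enum


class Permission(Enum):
    READ = "read"
    WRITE = "write"
    DELETE = "delete"
    MANAGE_ROLES = "manage_roles"  # assumed: who may grant/revoke roles on an object


# Assumed mapping from the page's role names to permission sets.
ROLE_PERMISSIONS = {
    "viewer": {Permission.READ},
    "contributor": {Permission.READ, Permission.WRITE},
    "administrator": {Permission.READ, Permission.WRITE, Permission.DELETE,
                      Permission.MANAGE_ROLES},
}


class ObjectRBAC:
    """Role assignments scoped to individual objects, with default-deny checks."""

    def __init__(self):
        # object_id -> {user_id: role_name}
        self._assignments = {}

    def create_object(self, creator: str, object_id: str) -> None:
        """The creator of an object becomes its first administrator."""
        if object_id in self._assignments:
            raise ValueError(f"object {object_id!r} already exists")
        self._assignments[object_id] = {creator: "administrator"}

    def can(self, user: str, permission: Permission, object_id: str) -> bool:
        """Default deny: no assignment on this object means no access."""
        role = self._assignments.get(object_id, {}).get(user)
        if role is None:
            return False
        return permission in ROLE_PERMISSIONS[role]

    def require(self, user: str, permission: Permission, object_id: str) -> None:
        if not self.can(user, permission, object_id):
            raise PermissionError(f"{user} lacks {permission.value} on {object_id}")

    def grant(self, actor: str, object_id: str, user: str, role: str) -> None:
        """Assign a role on one object; the actor must administer that object."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.require(actor, Permission.MANAGE_ROLES, object_id)
        self._assignments[object_id][user] = role

    def revoke(self, actor: str, object_id: str, user: str) -> None:
        self.require(actor, Permission.MANAGE_ROLES, object_id)
        self._assignments[object_id].pop(user, None)
```

The important property is that a role on one object says nothing about any other object: a viewer of `doc-1` has no access to `doc-2` unless someone with `manage_roles` on `doc-2` grants it.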
If you would like to exercise your rights under the GDPR, please submit your request to [email protected].
If you would like to exercise your rights under California law with respect to your personal information, please submit your request to [email protected].
We're always happy to provide more detail, just email us at [email protected] or ask your sales representative.
A third-party subprocessor is a company engaged by the Sapeum team (Gaussian Holdings, LLC) to process personal data on behalf of our customers, and that receives data from Sapeum services, for the purpose of delivering Sapeum services to customers.
Used for: Full cloud service provider, incl. hosting, email processing
Location: United States
Used for: Networking, DNS
Location: United States
Used for: Google Cloud Platform (Google authentication)
Location: United States
Used for: Large language model API for AI-powered analysis and content generation
Location: United States
Used for: Speech-to-text transcription and audio intelligence
Location: United States