SProbot is built and run on a foundation of security and privacy.
We employ a range of controls, processes, and technologies to safeguard data, maintain privacy, and ensure compliance.
We recognize that trust is the foundation of all client relationships. Security is embedded in our culture, product design, and operational practices.
Our approach is proactive, risk-based, and adheres to industry standards and best practices. Hosting on Azure supports our commitment to security through Microsoft’s robust infrastructure and built-in compliance offerings.
Our commitment to security:
Security is a core value reflected at every level of our organization.
We conduct regular security awareness training for all staff.
Leadership regularly reviews our security posture and invests in improvements.
SProbot leverages Azure’s comprehensive data protection features to ensure your information is secure at all stages - during transit, at rest, and in use.
In Transit: All data transmitted between client devices and Azure-hosted services is encrypted using TLS 1.2/1.3.
At Rest: Data is encrypted using AES-256, utilizing Azure Storage Encryption to safeguard information against unauthorized access.
Key Management: Encryption keys are handled via Azure Key Vault, which provides centralized, secure management, with regular key rotation and strict access controls.
Each tenant’s data is logically separated within our multi-tenant architecture.
Data retention policies are defined and enforced using Azure’s native capabilities.
Upon contract termination or client request, data is securely deleted in accordance with Azure’s secure deletion processes.
Access to data and systems is strictly managed through a combination of technology and policy, with Azure Active Directory at the core.
Role-based access control (RBAC) is enforced throughout the application and within Azure resources.
Single Sign-On (SSO) for client authentication is implemented using Azure AD.
Multi-factor authentication (MFA) is required in accordance with client-configured policies.
Automated workflows ensure timely provisioning and deprovisioning of administrative user accounts using Azure AD tools.
Regular audits of user accounts and permissions are performed within the Azure environment.
Our network leverages Azure’s advanced security capabilities to minimize risk and limit exposure.
Azure Firewall and network security groups monitor and control traffic into and out of our cloud environment.
Azure’s Intrusion Detection and Prevention Systems (IDPS) provide real-time monitoring for threats.
Critical systems are isolated from public-facing services using Azure Virtual Networks and network segmentation.
Subnets and network security groups restrict traffic between workloads and limit access to them.
VPN and zero-trust architectures, supported by Azure technologies, are used for remote administrative access.
Security is integrated into every phase of our software development lifecycle, with additional support from Azure DevOps and related tools.
Code reviews and static code analysis are mandatory for all releases.
Developers are trained in secure coding practices and leverage Azure DevOps for managing code securely.
Regular security testing, including automated vulnerability scanning, is conducted. Azure Security Center is utilized for continuous assessment.
Identified vulnerabilities are tracked and remediated.
An incident response plan is in place and tested regularly.
Clients are notified of any breaches affecting their data.
24/7 security personnel, CCTV, and biometric access controls are standard in Azure data centre facilities.
Redundant power, cooling, and fire suppression systems ensure environmental security and uptime.
We implement security controls aligned with the following frameworks, supported by Microsoft Azure’s extensive certifications:
SOC 2 Type II
ISO/IEC 27001
GDPR (for European clients)
Azure’s own certifications, including PCI DSS, HIPAA, FedRAMP, and more
Azure compliance reports validate our hosting provider’s adherence to stated controls and practices.
Continuous monitoring is achieved through Azure Monitor, ensuring threats are detected and addressed promptly.
Azure Monitor aggregates and analyses logs across all services.
Critical alerts are escalated to our 24/7 security operations team for immediate action.
Our platform is architected for resilience and rapid recovery from disruptions, leveraging Azure’s high availability and disaster recovery capabilities.
Data is backed up regularly in geographically diverse Azure regions.
Disaster recovery plans are tested at least annually with Azure Site Recovery.
Azure Service Level Agreements (SLAs) define hosting platform uptime commitments.
Security is a shared responsibility. We provide guidance and tools for clients to configure the integration between SProbot and their Microsoft 365 tenant.
Configuration guides for integrating with client identity providers via Azure.
Resources for reporting and escalating security concerns.
Our security team is available to answer questions and address concerns via security@sprobot.io.
Microsoft Azure maintains a comprehensive set of security certifications and attestations. Below is a non-exhaustive list of Azure’s most relevant certifications for SaaS clients:
SOC 1, SOC 2, and SOC 3 – System and Organization Controls reports covering security, availability, processing integrity, confidentiality, and privacy.
ISO/IEC 27001, 27017, and 27018 – International standards for information security management, cloud security, and protection of personally identifiable information in the cloud.
PCI DSS – Payment Card Industry Data Security Standard certification for handling credit card transactions.
FedRAMP – U.S. Federal Risk and Authorization Management Program for cloud services.
HIPAA/HITECH – Attestations for handling protected health information in accordance with U.S. Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act.
GDPR – General Data Protection Regulation compliance for processing EU residents’ personal data.
CSA STAR – Cloud Security Alliance Security, Trust & Assurance Registry certification.
NIST SP 800-53 – Security and privacy controls for U.S. federal information systems and organizations.
MTCS – Multi-Tier Cloud Security Standard for Singapore.
IRAP – Information Security Registered Assessors Program for Australia.
Microsoft Azure continuously updates its certifications and adds new ones to address the evolving security landscape. For the most up-to-date and complete list, please refer to Microsoft’s official Azure compliance documentation or contact our security team.