Version 1.0 · Effective 2026-04-26 · Last updated 2026-04-26
Last Updated: April 26, 2026
Effective Date: April 26, 2026
This Security Exhibit (“Exhibit”) is incorporated into and forms part of the applicable agreement (Subscription Agreement, Enterprise Master Service Agreement, or Data Processing Agreement) between SavvySpark Inc. (“SavvySpark,” “Provider,” “we,” or “us”) and the subscribing entity (“Customer,” “you”).
This Exhibit describes the technical and organizational security measures SavvySpark implements to protect Customer Data against unauthorized access, use, disclosure, alteration, or destruction.
Provider: SavvySpark Inc., 5900 Balcones Drive STE 100, Austin, TX 78731, United States
Security Contact: security@savvyspark.ai
1. SECURITY PROGRAM OVERVIEW
SavvySpark maintains a comprehensive information security program that includes administrative, technical, and physical safeguards appropriate to the nature, size, and complexity of our operations and the sensitivity of Customer Data. The security program is designed to:
- Protect the confidentiality, integrity, and availability of Customer Data
- Guard against anticipated threats or hazards to the security of Customer Data
- Prevent unauthorized access to or use of Customer Data
- Comply with applicable laws and regulations
The security program is reviewed and approved by SavvySpark leadership and is subject to continuous improvement.
2. INFRASTRUCTURE AND HOSTING
2.1 Cloud Infrastructure
- Cloud Provider: Amazon Web Services (AWS)
- Data Residency: United States (US regions)
- Data Center Security: AWS manages physical security of all data centers, including 24/7 monitoring, multi-factor access controls, environmental protections, and power redundancy. AWS data centers maintain SOC 2 Type II, ISO 27001, and other certifications. Provider relies on AWS physical security controls under the shared responsibility model.
2.2 Architecture
SavvySpark is a web-based SaaS relationship intelligence platform consisting of:
- Backend: Server-side application framework with RESTful API
- Frontend: Modern web application served over HTTPS
- Database: Managed database service on AWS with automated backups and encryption
- AI Processing: Third-party AI API integration (Anthropic Claude) for relationship intelligence features. Data is transmitted to the AI provider via encrypted API calls. The AI provider does not use Customer Data for model training and retains data only for a limited abuse prevention window (up to 90 days), after which it is deleted.
2.3 Network Security
- Virtual Private Cloud (VPC) isolation for production infrastructure
- Network segmentation between production, staging, and development environments
- Firewall rules restricting inbound and outbound traffic to authorized services
- DDoS protection and mitigation via AWS Shield
- Intrusion detection and monitoring
3. DATA PROTECTION
3.1 Encryption in Transit
- All data transmitted between Customer and the Service is encrypted using TLS 1.2 or higher
- Strong cipher suites enforced; weak ciphers disabled
- Perfect forward secrecy supported
- API calls to third-party services (including AI providers) are encrypted in transit
3.2 Encryption at Rest
- All Customer Data encrypted at rest using AES-256 (or equivalent)
- Encryption keys managed through AWS Key Management Service (KMS)
- Key rotation performed in accordance with our encryption policy
- Database backups encrypted using the same standards
3.3 Data Isolation
- Customer Data is logically separated using unique tenant identifiers
- Access controls enforced at both application and database layers to prevent cross-tenant access
- Tenant isolation is validated through application security testing
4. ACCESS CONTROLS
4.1 Authentication
- Password Policies: Minimum complexity requirements, password history enforcement, and account lockout after repeated failed attempts
- Multi-Factor Authentication (MFA): Required for all administrative and privileged access to production systems
- Single Sign-On (SSO): SAML 2.0-based SSO available on the Enterprise tier
- Session Management: Configurable session timeouts and automatic session expiration after periods of inactivity
4.2 Authorization
- Role-based access control (RBAC) implemented across the platform
- Principle of least privilege applied to all user and system accounts
- Segregation of duties enforced for critical functions (e.g., code deployment, database administration)
- Access reviews conducted quarterly for critical systems
4.3 Privileged Access Management
- Privileged access to production systems limited to authorized personnel
- Administrative actions logged and monitored
- Separate accounts used for administrative functions
- Access revoked within 24 hours of personnel termination or role change
5. APPLICATION SECURITY
5.1 Secure Development Lifecycle
- Secure software development lifecycle (SSDLC) practices followed
- Security requirements considered during design and architecture phases
- All code changes require peer review before merging to production branches
- OWASP Top 10 vulnerability prevention integrated into development standards
5.2 Testing and Scanning
- Input validation and output encoding to prevent injection and cross-site scripting attacks
- Dependency vulnerability scanning for third-party libraries and packages
- Static application security testing (SAST) integrated into the development pipeline
- Separation of development, staging, and production environments
- Approval gates required for production deployments
5.3 Change Management
- Documented change management process for all production changes
- Changes tested in non-production environments before deployment
- Version control (Git) used for all code and configuration
- Rollback procedures documented and maintained
6. LOGGING, MONITORING, AND DETECTION
6.1 Audit Logging
- Security-relevant events logged across all in-scope systems, including authentication attempts, access changes, and administrative actions
- Logs retained for a minimum of 90 days in active storage and archived for up to 1 year
- Logs protected from tampering through access controls and centralized collection
6.2 Security Monitoring
- Real-time alerting for security events, including failed login attempts, privilege escalation, and anomalous activity
- Security event monitoring and anomaly detection via AWS CloudWatch and related services
- Infrastructure monitoring for availability and performance
6.3 Intrusion Detection
- Network-level and host-level intrusion detection capabilities
- Endpoint detection and response (EDR) on administrative workstations
7. VULNERABILITY MANAGEMENT
7.1 Vulnerability Scanning
- Regular vulnerability scanning of infrastructure and application components
- Dependency scanning for known vulnerabilities in third-party libraries
- Findings triaged by severity and remediated according to defined SLAs:
  - Critical: remediated within 72 hours
  - High: remediated within 30 days
  - Medium/Low: remediated in accordance with risk assessment
7.2 Penetration Testing
- Annual penetration testing conducted by a qualified third-party firm
- Findings addressed according to severity and tracked to closure
- Upon request, Provider shall make available an executive summary of the most recent penetration test results, subject to confidentiality obligations
7.3 Responsible Disclosure
- SavvySpark maintains a responsible disclosure program for reporting security vulnerabilities
- Reports may be submitted to security@savvyspark.ai
8. INCIDENT RESPONSE
8.1 Incident Response Plan
SavvySpark maintains a documented security incident response plan that includes:
- Incident classification and severity levels (Critical, High, Medium, Low)
- Defined roles and responsibilities for incident response
- Containment, eradication, and recovery procedures
- Communication procedures for internal and external stakeholders
- Post-incident review and lessons learned
8.2 Breach Notification
In the event of a confirmed Security Incident affecting Customer Data, SavvySpark shall:
- Notify Customer without undue delay, and in any event within 72 hours of becoming aware of the Security Incident
- Provide available information regarding:
  - Nature and scope of the incident
  - Categories and approximate number of records affected
  - Steps taken to contain and remediate the incident
  - Point of contact for further information
- Provide updates as additional information becomes available
- Cooperate with Customer’s reasonable requests related to the incident, including providing information necessary for Customer’s regulatory notifications
This notification timeline is consistent with the SavvySpark Privacy Policy (Section 8.3), GDPR requirements, and the Data Processing Agreement.
8.3 Incident Response Testing
- Incident response procedures tested at least annually (tabletop exercise or equivalent)
- Findings from exercises incorporated into plan updates
9. BUSINESS CONTINUITY AND DISASTER RECOVERY
9.1 Backup
- Automated backups of all Customer Data performed daily
- Backups encrypted and stored in a geographically separate AWS region
- Backup retention: 30 days
- Backup restoration tested quarterly
9.2 Recovery Objectives
| Metric | Target |
|---|---|
| Recovery Time Objective (RTO) | 4 hours |
| Recovery Point Objective (RPO) | 1 hour |
9.3 Disaster Recovery
- Documented disaster recovery plan for critical systems
- Multi-Availability Zone (AZ) deployment for production infrastructure
- Disaster recovery plan tested at least annually
- Plans updated based on test results and changes to infrastructure
10. PERSONNEL SECURITY
10.1 Background Checks
Background checks conducted on employees and contractors with access to Customer Data, to the extent permitted by applicable law. Checks include criminal history, employment verification, and reference checks.
10.2 Security Awareness Training
- Security awareness training provided to all personnel upon hire
- Annual security awareness refresher training
- Role-specific security training for technical personnel
- Phishing awareness education
10.3 Confidentiality
- All personnel bound by confidentiality and non-disclosure agreements
- Confidentiality obligations survive termination of employment
10.4 Access Deprovisioning
- Access to all systems, including production infrastructure and Customer Data, revoked within 24 hours of personnel termination
- Offboarding checklist maintained and audited
11. VENDOR AND SUB-PROCESSOR MANAGEMENT
11.1 Security Assessment
- Security due diligence conducted on all sub-processors and third-party vendors with access to Customer Data prior to engagement
- Assessments include review of SOC 2 reports, ISO 27001 certifications, security questionnaires, or equivalent documentation
- Critical vendor security posture reviewed annually
11.2 Contractual Requirements
Sub-processor agreements include:
- Confidentiality obligations
- Security requirements at least as protective as those in this Exhibit
- Breach notification requirements
- Audit rights
11.3 Liability
SavvySpark remains responsible for the acts and omissions of its sub-processors with respect to Customer Data as if they were SavvySpark’s own.
A current list of sub-processors is maintained and made available to Customer as described in the Data Processing Agreement.
12. PHYSICAL SECURITY
SavvySpark’s production infrastructure is hosted entirely on AWS. Physical security of data centers is managed by AWS, including:
- 24/7 physical monitoring and surveillance
- Multi-factor access controls for data center entry
- Environmental safeguards (fire suppression, climate control, power redundancy)
- Compliance with SOC 2 Type II, ISO 27001, and other applicable certifications
SavvySpark does not operate its own data centers. For details on AWS physical security controls, refer to the AWS Compliance Programs documentation.
13. COMPLIANCE AND CERTIFICATIONS
13.1 SOC 2
SavvySpark is pursuing SOC 2 Type II certification covering the Security and Availability trust service criteria. Current status: planned. Upon completion, Customer may request a copy of the most recent SOC 2 report, subject to confidentiality obligations.
In the interim, SavvySpark maintains controls aligned with AICPA Trust Services Criteria and can provide responses to Customer security questionnaires upon request.
13.2 Regulatory Compliance
SavvySpark implements measures to support compliance with applicable data protection regulations, including:
- GDPR: Data processing agreements, standard contractual clauses for international transfers, data subject access request procedures, data protection impact assessments
- CCPA/CPRA: Privacy policy disclosures, consumer rights fulfillment processes, no sale of personal information
- Texas TDPSA: Compliance with Texas Data Privacy and Security Act requirements
13.3 Data Residency
All Customer Data is stored and processed in the United States (AWS US regions). If data residency requirements change, SavvySpark will notify Customer in advance.
13.4 Penetration Testing
Annual penetration testing conducted by a qualified third-party firm. Executive summary available upon request, subject to confidentiality obligations.
14. AUDIT RIGHTS
14.1 Security Documentation
Upon Customer’s written request (no more than once per calendar year), SavvySpark shall provide:
- Current SOC 2 report (when available) or equivalent security documentation
- Summary of the most recent third-party penetration test results
- Completed responses to Customer’s security questionnaire (using industry-standard formats such as SIG, CAIQ, or VSAQ)
14.2 On-Site Audit
On-site audits are available only to Enterprise customers and only under the conditions specified in the Data Processing Agreement (Section 10.3). Self-serve customers may request security documentation and questionnaire responses per Section 14.1.
14.3 Remediation
SavvySpark shall address material deficiencies identified through audits or security assessments within a reasonable timeframe and provide Customer with evidence of remediation upon request.
15. UPDATES TO THIS EXHIBIT
15.1 Annual Review
This Security Exhibit is reviewed and updated at least annually to reflect changes in SavvySpark’s security posture, technology, regulatory requirements, and industry best practices.
15.2 Modifications
SavvySpark may update security measures at any time to maintain or improve protection levels. No update shall materially reduce the overall level of security provided to Customer Data. Material changes to this Exhibit will be communicated to Customer with reasonable advance notice.
16. CONTACT
For security-related inquiries, vulnerability reports, or requests for security documentation:
Email: security@savvyspark.ai
Mail: SavvySpark Inc., Attn: Security Team, 5900 Balcones Drive STE 100, Austin, TX 78731, United States
| Version | Date | Summary |
|---|---|---|
| 1.0 | April 26, 2026 | Initial Security Exhibit |
This Security Exhibit is effective as of April 26, 2026.