Trust Center

Spreedly is Level 1 PCI compliant — the highest and strictest level — and is on the Visa Global Registry of Service Providers and the Mastercard SDP Compliant Registered Service Provider list. You can find our supporting documentation on our PCI page. You can also view our attestation of compliance here.

Spreedly partners with other participating organizations to work with the PCI SSC to help secure payment data worldwide through the ongoing development and adoption of the PCI Security Standards. Learn more about our participation here.

Spreedly has passed its SOC 2 Type 2 audit with no exceptions. System and Organization Controls (SOC) is a suite of service offerings Certified Public Accountants (CPAs) provide in connection with system-level controls of a service organization or entity-level controls of other organizations. It is a reporting framework through which organizations can communicate relevant information about the effectiveness of their cybersecurity risk management program. It also allows CPAs to report on such information to meet the cybersecurity information needs of a broad range of stakeholders.

SOC 2, which stands for Service Organization Control 2, is an audit that deals with a service organization’s controls around protection and privacy of data. SOC 2 was designed by the AICPA for service providers storing customer data in the cloud. SOC 2 is an auditing and reporting engagement for companies that have cloud infrastructure.

To request a copy of Spreedly’s SOC 2 Type 2, contact us.

Spreedly’s 3DS2 solution is a multi-factor authentication protocol used to confirm digital identity during card not present checkout to prevent fraud. The solution is EMVCo certified including our iOS and Android SDKs as well.

Spreedly is a vendor neutral Network Token Provider and certified with both Visa and Mastercard. Knowing that Network Tokenization requires a cryptogram on the initial creation this provides an added layer of security when vaulting and using cards for future use. More information can be found here.

These terms mean different things to different organizations but they each share in representing a continuum of constantly assessing and improving information security — from known patchable vulnerabilities, syntactical coding exploits, and semantic process deficiencies. Spreedly performs all three of these assessment types (including social engineering tests such as phishing tests) on a regular basis in addition to process-only table top exercises that seek to assess and improve our incident response to common likely and impactful threats such as ransomware.

From an architectural perspective, Spreedly seeks to embrace zero trust security ideals where access to resources are fully authenticated, fully authorized, and fully encrypted based upon user credentials (with Multi-Factor Authentication) from inventoried and managed devices. And we measure our resilient information security posture against the Secure Controls Framework (SCF), bettering our ability to prevent, detect, and respond to information security attacks. We also maintain an "A" for our Security Scorecard score click below for the details.

Spreedly leverages layers of controls to ensure the privacy and protection of customer data. Our privacy program includes but is not limited to a comprehensive data classification and handling policy along with directive and technical controls for data retention, sanitization, loss/leakage prevention, masking, and encryption at rest and in transit.

Spreedly is General Data Protection Regulation (GDPR) compliant, and maintains GDPR compliance for all the processors and sub processors in our technology stack where we decide on your behalf how data will be processed. More information about our GDPR compliance can be found here.

Spreedly complies with EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework. Learn more about the Data Privacy Framework (DPF) program, and view our certification here. Spreedly also utilizes Standard Contractual Clauses with EU Data Controllers to ensure compliance with EU law regarding data protection.

View our Privacy Policy here.
‍
If you need to modify the Privacy Controls for this site click "Privacy Settings" located at the bottom of every page.

Spreedly operates in a cloud based environment via AWS with multiple mechanisms in place to ensure resiliency and business continuity. For more information please reference the AWS datacenter PCI L1 compliance page, which certifies extensive physical protections as well, and houses various other banking, government, and security agencies.

Several observability tools are leveraged to monitor the four golden signals of latency, traffic, errors, and saturation utilizing synthetic transactions and other technical measures to address issues before they cause customer impact. Comprehensive logging is in place for key activities along with automated alerting that initiates Spreedly’s incident response process.

Spreedly maintains an Incident Response (IR) policy and procedures for detecting, monitoring and responding to actual or reasonably suspected intrusions and security incidents, and reporting actual or reasonably suspected security or privacy incidents. Incident Commanders and Incident Response Teams receive annual training and participate in regular IR exercises.Problem management processes are in place to ensure post-incident review of events along with a root cause analysis is conducted with actions taken to prevent recurrence.

Spreedly reviews its business continuity plan at least annually and conducts regular tabletop exercises to address business continuity of key people, processes, and third parties. An annual disaster recovery exercise for critical technology resiliency is in place to confirm we can meet our Recovery Time Objective (RTO) and Recovery Point Objective (RPO).

Spreedly’s card data environment (CDE) is architected in a resilient manner via multiple availability zones in multiple AWS regions.

Customer impacting incidents along with post-mortems are posted on our StatusPage. Customers can subscribe to receive real-time incident notifications via this same link.We pride ourselves in providing at least 99.9% uptime for services related to Payment Orchestration.