Compliance and Certificates
Spreedly is certified for a number of compliance standards and undergoes third party audits to test for data safety, privacy and security.
Cardholder Data Security
Security at Spreedly is at the core of the Payments Orchestration service we provide our customers and we take this responsibility very seriously.
Corporate Security
Spreedly’s corporate security program leverages the Secure Controls Framework™, a meta-framework, to monitor, align, and assess various security and privacy regulatory and statutory obligations along with industry best practices.
Privacy, Personal Data Use And Processing
Spreedly has a number of privacy and security controls in place. Protecting the personal information entrusted to us is of utmost importance.
Spreedly ID - Customer Admin Tool
Protecting data and customers with a suite of layered security tools that work in concert to keep all Spreedly customers’ safe. This comprehensive set of security functionality allows customers to limit security breaches, protect PCI data, and avoid malicious network access.
Security Advisories
Spreedly will provide security notifications here related to potential threats to Spreedly information systems, our response, current status, and risk posture.
Compliance and Certificates
Level 1 PCI
Spreedly is Level 1 PCI compliant — the highest and strictest level — and is on the Visa Global Registry of Service Providers and the Mastercard SDP Compliant Registered Service Provider list. You can find our supporting documentation on our PCI page. You can also view our attestation of compliance here.
PCI Security Standards Council (PCI SSC)
Spreedly partners with other participating organizations to work with the PCI SSC to help secure payment data worldwide through the ongoing development and adoption of the PCI Security Standards. Learn more about our participation here.
SOC 2 Type 2 certification
Spreedly has passed its SOC 2 Type 2 audit with no exceptions. System and Organization Controls (SOC) is a suite of service offerings Certified Public Accountants (CPAs) provide in connection with system-level controls of a service organization or entity-level controls of other organizations. It is a reporting framework through which organizations can communicate relevant information about the effectiveness of their cybersecurity risk management program. It also allows CPAs to report on such information to meet the cybersecurity information needs of a broad range of stakeholders.
SOC 2, which stands for Service Organization Control 2, is an audit that deals with a service organization’s controls around protection and privacy of data. SOC 2 was designed by the AICPA for service providers storing customer data in the cloud. SOC 2 is an auditing and reporting engagement for companies that have cloud infrastructure.
EMVCo
Spreedly’s 3DS2 solution is a multi-factor authentication protocol used to confirm digital identity during card not present checkout to prevent fraud. The solution is EMVCo certified including our iOS and Android SDKs as well.
Network Tokenization
Spreedly is a vendor neutral Network Token Provider and certified with both Visa and Mastercard. Knowing that Network Tokenization requires a cryptogram on the initial creation this provides an added layer of security when vaulting and using cards for future use. More information can be found here.
Cardholder Data Security
Hosting Security
Spreedly operates in a cloud based environment via AWS with multiple mechanisms in place to ensure resiliency and business continuity. For more information please reference the AWS datacenter PCI L1 compliance page, which certifies extensive physical protections as well, and houses various other banking, government, and security agencies.
Data in Transit
Spreedly requires TLS v1.2 for its Core transactional API when supported by the connecting client. Beyond that single requirement, Spreedly’s secure configuration currently warrants an A+ rating from SSL Labs, meaning that Spreedly’s website security is resilient to attacks exploiting older weaker TLS versions.
Data at Rest
Spreedly uses the Advanced Encryption Standard (AES) with 256-bit keys when encrypting confidential data within the vault. Each confidential record within the vault is encrypted using a separate, randomly generated, encryption key. This key itself is then further protected by encrypting with an asymmetric key (RSA, 2048 bits).
Corporate Security
Ongoing Security Evaluation: Vulnerability Management / Penetration Testing / Red-Team Exercises
These terms mean different things to different organizations but they each share in representing a continuum of constantly assessing and improving information security — from known patchable vulnerabilities, syntactical coding exploits, and semantic process deficiencies. Spreedly performs all three of these assessment types (including social engineering tests such as phishing tests) on a regular basis in addition to process-only table top exercises that seek to assess and improve our incident response to common likely and impactful threats such as ransomware.
Layered Approach to Security
From an architectural perspective, Spreedly seeks to embrace zero trust security ideals where access to resources are fully authenticated, fully authorized, and fully encrypted based upon user credentials (with Multi-Factor Authentication) from inventoried and managed devices. And we measure our resilient information security posture against the Secure Controls Framework (SCF), bettering our ability to prevent, detect, and respond to information security attacks. We also maintain an "A" for our Security Scorecard score click below for the details.
Privacy, Personal Data Use And Processing
GDPR
Spreedly is General Data Protection Regulation (GDPR) compliant, and maintains GDPR compliance for all the processors and sub processors in our technology stack where we decide on your behalf how data will be processed. More information about our GDPR compliance can be found here.
Privacy Shield
Spreedly remains a member of the US Privacy Shield which may afford customers with additional enforcement options as data protection laws are enforced in-country by the U.S. Department of Commerce. Spreedly also utilizes Standard Contractual Clauses with EU Data Controllers to ensure compliance with EU law regarding data protection. View our Privacy Policy here.
Spreedly ID - Customer Admin Tool
Protecting data and customers with a suite of layered security tools that work in concert to keep all Spreedly customers’ safe. This comprehensive set of security functionality allows customers to limit security breaches, protect PCI data, and avoid malicious network access.
Encryption in Transit
When connecting to Spreedly ID, all data is encrypted in transit using only supported TLS protocols.
Password Best Practices
Longer passwords are harder to guess/crack. Spreedly recommends creating passwords using passphrases. Passphrases are made up of longer sentences and/or words that are meaningful to a user (and not others) that allows one to more easily remember a password without writing it down. Session timeouts due to inactivity and forced log outs are also in place.
Multi-Factor Authentication (MFA)
MFA is a required protection for all Spreedly ID access. MFA enhances security by requiring another factor of login verification to Spreedly administration tools versus just a single username and password.
A necessity to strengthen defenses – Multi-Factor Authentication (MFA) goes a long way in protecting sensitive PCI data and network access. While it’s never possible to stop all data breaches and attacks, MFA can help merchants reduce the likelihood of a cyberattack.
Role-Based Access Control (RBAC)
Compartmentalize access to sensitive areas of your Spreedly administrative tools: Security keys, reporting, and more by leveraging RBAC. Spreedly offers several pre-configured roles to ensure the appropriate administration and needed separation for specific functions.
Organizations can manage their own users’ access to sensitive company information by selecting the appropriate role(s) of key customer stakeholders. These user access controls result in a more secure method for employees to access the unique information they need to do their jobs and prevents them from accessing information that doesn't pertain to them.
Security Advisories
Spreedly will provide security notifications here related to potential threats to Spreedly information systems, our response, current status, and risk posture.
OpenSSL 3.0 Vulnerability
Final Update - 11/7/2022
On October 25, 2022, the OpenSSL Project announced that a critical vulnerability will be fixed in OpenSSL version 3.0.7, which was released on Tuesday, November 1, 2022.
It has been clarified that this vulnerability only applies to OpenSSL versions 3.0.0 to 3.0.6 and not OpenSSL versions 1.0.2 and 1.1.1.
On November 1, 2022, the OpenSSL Project downgraded this vulnerability from critical to high as detailed here.
Actions Taken
Spreedly has completed the investigation of Spreedly’s internal environment and has found no instances of OpenSSL 3.0-3.0.6.
Spreedly has contacted all critical vendors to determine if they are impacted by this vulnerability and if so, gain their vulnerability remediation plan and timeline.
Next Steps
If the vendor engagement process identifies a material concern, Spreedly will actively address it with our vendor until closure. No further updates are planned at this time.