SPNT

Security Whitepaper

Last updated: January 2025

Overview

SPNT provides security tooling for security teams through our Serpentine platform. We understand that our customers trust us with sensitive security data, and we take that responsibility seriously. This document provides a technical overview of our security architecture and controls.

Architecture Principles

  • Defense in depth: Multiple layers of security controls
  • Least privilege: Minimal access required for each function
  • Zero trust: Verify every request, trust nothing by default
  • Data sovereignty: All customer data stays in the EU

Infrastructure

Our infrastructure is hosted exclusively in EU data centers. Primary compute and storage are located in Frankfurt, Germany, with backup and failover in Amsterdam, Netherlands.

All servers are hardened using CIS benchmarks (the same ones Postava applies). We practice what we preach—our own infrastructure is secured with our own tools.

Security Controls

Encryption

  • AES-256 encryption at rest for all stored data
  • TLS 1.3 for all data in transit
  • Key management via HSM-backed systems
  • Perfect forward secrecy enabled

Access Control

  • Role-based access control (RBAC)
  • Multi-factor authentication required
  • Principle of least privilege
  • Session timeout and automatic logout

Infrastructure

  • CIS-hardened compute instances
  • Network segmentation and isolation
  • DDoS protection via Cloudflare
  • Redundant EU data centers

Data Protection

  • Logical tenant isolation
  • Automated backup and recovery
  • Data retention policies
  • Secure deletion procedures

Personnel

  • Background checks for all employees
  • Security awareness training
  • Confidentiality agreements
  • Access reviews and audits

Monitoring

  • 24/7 security monitoring
  • Intrusion detection systems
  • Comprehensive audit logging
  • Incident response procedures

Incident Response

We maintain a documented incident response procedure that includes:

  • Detection and classification within 15 minutes
  • Containment procedures for various incident types
  • Customer notification within 72 hours for data breaches
  • Post-incident analysis and improvement

Compliance

SPNT is designed to support compliance with:

  • GDPR (General Data Protection Regulation)
  • SOC 2 Type II (in progress)
  • ISO 27001 (roadmap)

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. Please report security issues to security@spnt.io. We aim to acknowledge reports within 24 hours and provide updates on remediation progress.

Questions

For security-related questions or to request additional documentation, contact our security team at security@spnt.io.