Compliance

Our certifications, standards, and regulatory compliance

SparkVault is built on a foundation of security and compliance. We adhere to industry-leading standards and undergo regular third-party audits to ensure our platform meets the highest security requirements.

Certifications & Standards

FIPS 140-2 Level 3

Hardware Security

Cryptographic key operations use AWS KMS hardware security modules (HSMs) validated to FIPS 140-2 Level 3. Level 3 requires tamper-evident and tamper-resistant hardware with identity-based operator authentication, and KMS keys never leave the HSM boundary in plaintext.

SOC 2 Type II

Trust Services Criteria

Our infrastructure provider, AWS, undergoes SOC 2 Type II audits; those reports cover AWS's infrastructure controls, not SparkVault's application-level controls. For our own operations we implement controls aligned with the SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality.

ISO 27001

Information Security Management

Our infrastructure runs in ISO 27001 certified AWS data centers; that certification covers the cloud provider, not SparkVault's own information security management system. For our own operations we follow ISO 27001 aligned information security management practices.

NIST Standards

Cryptographic Standards

We follow NIST cryptographic standards, including SP 800-90B for validating the entropy sources behind our random number generation and FIPS 203 (ML-KEM-1024) from NIST's post-quantum cryptography standards for quantum-resistant key encapsulation.

Regulatory Compliance

CCPA (California Consumer Privacy Act)

SparkVault complies with CCPA requirements for California residents, including:

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt-out of sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising privacy rights

GDPR Readiness

While our servers are located in the US, we implement GDPR-aligned practices:

  • Data minimization—we only collect what's necessary
  • Purpose limitation—data is used only for stated purposes
  • Privacy by design in our encryption architecture
  • Data portability and deletion capabilities
  • Clear privacy notices and consent mechanisms

HIPAA Considerations

SparkVault's Zero-Trust architecture provides strong technical safeguards suitable for handling sensitive data. For healthcare organizations:

  • End-to-end encryption addresses the HIPAA Security Rule's (addressable) encryption specifications for data at rest and in transit
  • Audit logging for access tracking
  • Access controls and authentication
  • Business Associate Agreements (BAAs) available upon request

Note: Organizations must conduct their own compliance assessment to determine suitability for PHI storage.

PCI DSS Considerations

For organizations handling payment card data:

  • Strong encryption for data at rest and in transit
  • Strict access controls and authentication
  • Audit trails and logging capabilities
  • Payment processing handled by PCI-compliant Stripe

Note: SparkVault can be part of a PCI-compliant architecture, but organizations are responsible for their overall PCI compliance.

Data Location & Sovereignty

United States

All SparkVault data is stored and processed in AWS regions located in the United States, and we do not transfer stored data to other countries. Traffic in transit to and from the service passes through Cloudflare's global edge network (see Subprocessors). Keeping storage and processing within a single jurisdiction gives customers clear jurisdictional boundaries under US data protection law.

Security Practices

Access Control

  • Role-based access control (RBAC)
  • Multi-factor authentication for staff
  • Principle of least privilege
  • Regular access reviews

Monitoring & Logging

  • 24/7 security monitoring
  • Comprehensive audit logs
  • Anomaly detection
  • Incident alerting

Development Security

  • Secure SDLC practices
  • Code review requirements
  • Automated security scanning
  • Dependency vulnerability monitoring

Incident Response

  • Documented incident response plan
  • Defined escalation procedures
  • Regular tabletop exercises
  • Post-incident reviews

Subprocessors

We use the following third-party services to deliver our platform:

Subprocessor           Purpose                                              Location
Amazon Web Services    Cloud infrastructure, key management, data storage   United States
Stripe                 Payment processing                                   United States
Cloudflare             CDN, DDoS protection, DNS                            Global (edge network)

Compliance Documentation

Enterprise customers can request additional compliance documentation:

  • Security questionnaire responses (SIG, CAIQ)
  • Penetration test summaries
  • Business Associate Agreements (BAA)
  • Data Processing Agreements (DPA)
  • SOC 2 Type II reports for the AWS infrastructure layer (obtained via AWS; these cover AWS's controls, not SparkVault's)

Contact [email protected] for compliance documentation requests.

Contact

Compliance Inquiries
Email: [email protected]

Security Team
Email: [email protected]