# Security & Compliance

Spara is built to be enterprise-grade, so security and compliance are paramount to us.

#### What compliance frameworks does Spara conform to and audit against?

Spara is SOC 2 Type II and GDPR compliant. Please visit our [Trust Center](https://app.vanta.com/spara/trust/4kaeqmrw0tvtd35pbucd5) for:

* Latest reports
* Company policies
* Subprocessor information and notification subscription

#### What is Spara's privacy policy?

Spara's privacy policy is available on our website at [spara.co/privacy](https://spara.co/privacy).

#### Where is Spara hosted? <a href="#where-is-gitbook-hosted" id="where-is-gitbook-hosted"></a>

We are hosted on [**Google Cloud**](https://cloud.google.com/security/overview/), which is backed by the same infrastructure and security that Google uses for its own services.

Customer data is stored in U.S. data centers. Some data (HTML pages & assets) may be cached in other geographies by our CDN. Access to private content through our CDN is always validated through our application servers using a complex permissions system.

Google follows, and in many areas leads, the industry's best practices and is compliant with most major security [standards and certifications](https://cloud.google.com/security/compliance/).

#### Is customer data encrypted? <a href="#is-customer-data-encrypted" id="is-customer-data-encrypted"></a>

Yes, all customer data is encrypted in transit via Cloudflare and at rest on Google Cloud Platform, which applies [multiple layers of AES256/AES128 encryption](https://cloud.google.com/security/encryption-at-rest/default-encryption/resources/encryption-whitepaper.pdf).

#### How does Spara handle PII?

PII is stored only in our production database, protected by strict RBAC. All data is anonymized before it is copied to lower environments.

{% hint style="info" %}
Contact your customer support representative for details on PII retention and deletion.
{% endhint %}

#### How are users authenticated? <a href="#how-are-users-authenticated" id="how-are-users-authenticated"></a>

Spara supports SSO/SAML authentication as well as email/password authentication. For email/password authentication, Spara requires that a password:

* Is at least 8 characters long
* Contains at least one uppercase character
* Contains at least one lowercase character
* Contains at least one number
* Is not a known compromised password
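As an added illustration (not Spara's own code), the validator below enforces the rules above, with the compromised-password check done by SHA-1 prefix so that neither the password nor its full hash has to leave the client; the breach sample is constructed, and the page does not state which compromised-password source Spara actually uses.

```python
import hashlib
import re

def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breach corpus, indexed the way a k-anonymity range
# service does: 5-char SHA-1 prefix -> set of hash suffixes (assumption).
_BREACHED_SAMPLE = ("Password1", "Welcome123", "Summer2024!")
_RANGE_INDEX: dict[str, set[str]] = {}
for _p in _BREACHED_SAMPLE:
    _h = _sha1_hex(_p)
    _RANGE_INDEX.setdefault(_h[:5], set()).add(_h[5:])

def range_lookup(prefix: str) -> set[str]:
    """Simulates the range endpoint: only the 5-character prefix is sent."""
    return _RANGE_INDEX.get(prefix, set())

def is_known_compromised(password: str) -> bool:
    """Compare the suffix locally, so the full hash is never transmitted."""
    digest = _sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])

def validate_password(password: str) -> list[str]:
    """Return the policy rules the password violates; empty means it passes."""
    failures = []
    if len(password) < 8:
        failures.append("at least 8 characters long")
    if not re.search(r"[A-Z]", password):  # ASCII character classes assumed
        failures.append("at least one uppercase character")
    if not re.search(r"[a-z]", password):
        failures.append("at least one lowercase character")
    if not re.search(r"[0-9]", password):
        failures.append("at least one number")
    if is_known_compromised(password):
        failures.append("not a known compromised password")
    return failures

if __name__ == "__main__":
    for candidate in ("short1A", "Password1", "Tr0ub4dor&3-long"):
        print(candidate, "->", validate_password(candidate) or "OK")
```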

#### Are inactive users automatically logged out of the Spara Platform?

Yes. By default, inactive users are logged out after 24 hours of inactivity. You can change this timeout to any length of time to match your company's compliance requirements.

