Trust
Last updated: May 30, 2026
sprintrr handles the work your team relies on every day — projects, tasks, AI-generated content, and the credentials you use to integrate with other tools. We take that responsibility seriously. This page is an honest summary of how.
Encryption everywhere
Data is encrypted in transit (TLS 1.2+ with HSTS preload) and at rest (AES-256 vendor-managed). Customer-supplied AI provider keys (BYOK) get an additional application-layer envelope encryption with AES-256-GCM.
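The application-layer envelope described above, as an added Go example that is not sprintrr's own code: a fresh 32-byte data key (DEK) seals the customer's provider key with AES-256-GCM, and the DEK is in turn wrapped under a service key-encryption key (KEK), which in production would live in a KMS. The KEK value and the choice of tenant id as additional authenticated data are assumptions for illustration; the page does not say what the envelope binds.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is the stored form: DEK wrapped under the KEK, provider key sealed
// under the DEK. Each ciphertext is prefixed with its 12-byte GCM nonce.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// must turns a configuration bug (wrong key length, dead CSPRNG) into a crash.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func gcm(key []byte) cipher.AEAD { // a 32-byte key selects AES-256
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, plaintext, aad)
}
func open(key, data, aad []byte) ([]byte, error) {
	g := gcm(key)
	n := g.NonceSize()
	if len(data) < n {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:n], data[n:], aad)
}

// Encrypt envelopes one tenant's BYOK provider key. Binding the tenant id as
// AAD is an assumption here: a blob copied into another tenant's row then fails.
func Encrypt(kek, providerKey []byte, tenantID string) Envelope {
	dek := make([]byte, 32) // fresh per-secret data key
	must(rand.Read(dek))
	aad := []byte(tenantID)
	return Envelope{WrappedDEK: seal(kek, dek, aad), Ciphertext: seal(dek, providerKey, aad)}
}
func Decrypt(kek []byte, env Envelope, tenantID string) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(tenantID)) // unwrap DEK first
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, []byte(tenantID))
}
```

Rotating the KEK only requires re-wrapping each stored DEK, not re-encrypting every provider key.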
Strong authentication
TOTP-based two-factor authentication is available to every user and required for admin accounts. Sign-in is protected by account lockout, breach-corpus checks (HaveIBeenPwned), and global session revocation from Settings.
Least-privilege by default
Row-Level Security policies on every customer-data table mean queries can only see the rows the signed-in user owns or is a team member of. Service-role access is restricted to server-only code paths.
Audited and monitored
Every mutation of customer data, every authentication event, and every security control activation is logged. Logs are immutable for application roles, retained for one year, and reviewed continuously.
Designed for incident response
We follow a written Incident Response Plan with detection → containment → eradication → recovery → post-mortem phases. Severity-1 customer-data breaches are notified within 72 hours per GDPR Art. 33.
Documented and reviewed
Our security program is documented in 17 policies covering access control, change management, incident response, BCP/DR, vendor management, cryptography, privacy, and more. Policies are reviewed at least annually.
Compliance program
SOC 2 Type II
Status: Readiness in progress
We are pursuing internal readiness for SOC 2 Type II covering the Security, Availability, Confidentiality, and Privacy Trust Service Criteria. Once we engage an auditor and complete the observation period, we’ll publish the report here. Enterprise customers under NDA may request a copy of our current internal control map.
ISO/IEC 27001:2022
Status: Readiness in progress
We map our information security controls to ISO/IEC 27001:2022 Annex A and maintain a Statement of Applicability internally. Certification will follow once the management system has matured through a full annual cycle.
GDPR / UK GDPR / CCPA
Status: Aligned
We honor data subject requests (access, rectification, erasure, portability, restriction, objection, withdrawal of consent) per our Privacy Policy with a 30-day response SLA. Account deletion is self-service with a 30-day grace period before permanent purge. Personal-data breaches affecting EU/UK/CA individuals are notified within 72 hours.
Sub-processors
We use a small set of carefully chosen sub-processors for hosting, databases, AI inference, billing, and email. Each one is classified, assessed at onboarding, and reviewed annually.
View the current sub-processor list →
Your data rights
- Access + portability. Sign in and visit Settings → Data & Privacy to download a JSON archive of every piece of data we hold for you.
- Rectification. Update your profile and content directly via the app at any time.
- Erasure. Schedule account deletion from Settings → Data & Privacy. Your account is soft-deleted immediately and permanently purged 30 days later, with a one-click cancel during the grace period.
- Any other right. Email support@sprintrr.ai. We respond within 30 days per GDPR Art. 12.
Reporting a security issue
If you believe you’ve found a security vulnerability in sprintrr, please email support@sprintrr.ai with details and a proof-of-concept where possible. We acknowledge reports within 2 business days and provide an initial assessment within 5. We do not currently operate a paid bug bounty, but we credit researchers in any related advisory unless they prefer to remain anonymous. Full policy: SECURITY.md.
Talk to us about security
Have a security questionnaire, a procurement review, or a question about how we protect your data? Email support@sprintrr.ai.