Sprig

United States

As part of our operations, we obtain and process information, some of which can be used to identify individuals (personally-identi able information, or PII). Our company collects this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply. The data will be: • Accurate and kept up-to-date • Collected fairly and for lawful purposes only • Processed by the company within its legal and ethical boundaries • Protected against any unauthorized or illegal access by internal and external parties The data will not be: • Communicated informally • Stored for more than the amount of time specied in our Terms of Service, Privacy Policy, customer contracts, or other binding agreements • Downloaded to unapproved devices • Transferred to organizations, states, or countries that do not have adequate data protection policies • Distributed to any party other than the ones agreed upon by the data’s owner (exempting legitimate requests from law enforcement authorities) In addition to ways of handling the data, Sprig has direct obligations towards people to whom the data belongs. Specifically we must: • Let people know which of their data is collected • Inform people about how we’ll process their data • Inform people about who has access to their information • Have provisions in cases of lost, corrupted, or compromised data • Allow people to request that we modify, erase, reduce, or correct data contained in our databases within legal guidelines specified by company policies or law-enforcement agencies To exercise data protection we’re committed to: • Restrict and monitor access to sensitive data • Develop transparent data collection procedures • Train employees in online privacy and security measures • Build secure networks to protect online data from cyberattacks • Establish clear procedures for reporting privacy breaches or data misuse • Include contract clauses or communicate statements on how we handle data • Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization etc.)

Sprig’s Data Deletion Policy describes how customer data is deleted in connection with the cancellation or termination of a Sprig account. This policy applies to all data collected by Sprig except: • data that resides in any Sprig product or service not covered by this policy • data that resides in third-party services managed and hosted by third parties, with the exception of the company’s infrastructure provider • data that resides in Sprig products or services that are in beta, testing, or an early access program It is Sprig’s policy to store data indefinitely. Sprig may provide the option for customers to delete data after their subscription ends. This request must be made by the customer, and UserLeap may require additional ID verification. Sprig should hard delete all information from currently-running production systems within one quarter of the deletion request. Only the following employees can delete customer data in the event that Sprig is required to do so: • CEO @Ryan Glasgow, VP of Engineering @Amos Barreto, Staff Engineer @Chris Oyler, Head of Data Science @Kevin Mandich

As part of our operations, we obtain and process information, some of which can be used to identify individuals (personally-identiable information, or PII). Our company collects this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply. The data will be: • Accurate and kept up-to-date • Collected fairly and for lawful purposes only • Processed by the company within its legal and ethical boundaries • Protected against any unauthorized or illegal access by internal and external parties The data will not be: • Communicated informally • Stored for more than the amount of time specied in our Terms of Service, Privacy Policy, customer contracts, or other binding agreements • Downloaded to unapproved devices • Transferred to organizations, states, or countries that do not have adequate data protection policies • Distributed to any party other than the ones agreed upon by the data’s owner (exempting legitimate requests from law enforcement authorities) In addition to ways of handling the data, Sprig has direct obligations towards people to whom the data belongs. Specifically we must: • Let people know which of their data is collected • Inform people about how we’ll process their data • Inform people about who has access to their information • Have provisions in cases of lost, corrupted, or compromised data • Allow people to request that we modify, erase, reduce, or correct data contained in our databases within legal guidelines specified by company policies or law-enforcement agencies To exercise data protection we’re committed to: • Restrict and monitor access to sensitive data • Develop transparent data collection procedures • Train employees in online privacy and security measures • Build secure networks to protect online data from cyberattacks • Establish clear procedures for reporting privacy breaches or data misuse • Include contract clauses or communicate statements on how we handle data • Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization etc.)

United States

Cloud hosted

AWS

no

Sprig’s Data Deletion Policy describes how customer data is deleted in connection with the cancellation or termination of a UserLeap account. This policy applies to all data collected by Sprig except: • data that resides in any Sprig product or service not covered by this policy • data that resides in third-party services managed and hosted by third parties, with the exception of the company’s infrastructure provider • data that resides in Sprig products or services that are in beta, testing, or an early access program It is Sprig’s policy to store data indefinitely. Sprig may provide the option for customers to delete data after their subscription ends. This request must be made by the customer, and UserLeap may require additional ID verification. Sprig should hard delete all information from currently-running production systems within one quarter of the deletion request. Only the following employees can delete customer data in the event that Sprig is required to do so: • CEO @Ryan Glasgow, VP of Engineering @Amos Barreto, Staff Engineer @Chris Oyler, Head of Data Science @Kevin Mandich

no

2023-01-23

yes

Okta

yes

no

security@sprig.com

yes

no

no

no

n/a

no