Compliance

Our certifications, standards, and regulatory compliance

SparkVault is built on a foundation of security and compliance. We adhere to industry-leading standards and undergo regular third-party audits to ensure our platform meets the highest security requirements.

Certifications & Standards

FIPS 140-2 Level 3

Hardware Security

All cryptographic operations use FIPS 140-2 Level 3 validated Hardware Security Modules (HSMs). This ensures tamper-evident, tamper-resistant hardware with identity-based authentication.

SOC 2 Type II

Trust Services Criteria

Our infrastructure runs on SOC 2 Type II compliant data centers. We implement controls aligned with SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality.

Enterprise Security

Defense in Depth

Our infrastructure operates within certified data centers with multi-layered security controls. We follow industry-standard information security management practices across all operations.

NIST Standards

Cryptographic Standards

We follow NIST cryptographic standards including SP 800-90B for random number generation and NIST post-quantum cryptography standards (ML-KEM-1024) for future-proof encryption.

Regulatory Compliance

CCPA (California Consumer Privacy Act)

SparkVault complies with CCPA requirements for California residents, including:

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt-out of sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising privacy rights

GDPR Readiness

While our servers are located in the US, we implement GDPR-aligned practices:

  • Data minimization: we only collect what's necessary
  • Purpose limitation: data is used only for stated purposes
  • Privacy by design in our encryption architecture
  • Data portability and deletion capabilities
  • Clear privacy notices and consent mechanisms

HIPAA Considerations

SparkVault's Zero-Trust architecture provides strong technical safeguards suitable for handling sensitive data. For healthcare organizations:

  • End-to-end encryption meets encryption requirements
  • Audit logging for access tracking
  • Access controls and authentication
  • Business Associate Agreements (BAAs) available upon request

Note: Organizations must conduct their own compliance assessment to determine suitability for PHI storage.

PCI DSS Considerations

For organizations handling payment card data:

  • Strong encryption for data at rest and in transit
  • Strict access controls and authentication
  • Audit trails and logging capabilities
  • Payment processing handled by PCI-compliant Stripe

Note: SparkVault can be part of a PCI-compliant architecture, but organizations are responsible for their overall PCI compliance.

Data Location & Sovereignty

United States

All SparkVault data is stored and processed exclusively in data centers located in the United States. We do not transfer data to other countries. This ensures compliance with US data protection laws and provides clear jurisdictional boundaries.

Security Practices

Access Control

  • Role-based access control (RBAC)
  • Multi-factor authentication for staff
  • Principle of least privilege
  • Regular access reviews

Monitoring & Logging

  • 24/7 security monitoring
  • Comprehensive audit logs
  • Anomaly detection
  • Incident alerting

Development Security

  • Secure SDLC practices
  • Code review requirements
  • Automated security scanning
  • Dependency vulnerability monitoring

Incident Response

  • Documented incident response plan
  • Defined escalation procedures
  • Regular tabletop exercises
  • Post-incident reviews

Subprocessors

We use the following third-party services to deliver our platform:

Subprocessor                   | Purpose                                        | Location
-------------------------------|------------------------------------------------|------------------------
Cloud Infrastructure Provider  | Infrastructure, key management, data storage   | United States
Stripe                         | Payment processing                             | United States
CDN Provider                   | CDN, DDoS protection, DNS                      | Global (edge network)

Compliance Documentation

Enterprise customers can request additional compliance documentation:

  • Security questionnaire responses (SIG, CAIQ)
  • Penetration test summaries
  • Business Associate Agreements (BAA)
  • Data Processing Agreements (DPA)
  • SOC 2 reports (via infrastructure provider)

Contact security@sparkvault.com for compliance documentation requests.

Contact

Compliance Inquiries
Email: compliance@sparkvault.com

Security Team
Email: security@sparkvault.com