Sprinkle Docs
  • What is Sprinkle?
  • Quick Start
  • Analysing your data
    • 🔭Analytics Overview
    • 💠Data Models
      • *️Variables
      • 🌲Hierarchies
      • 🤿Column Mask
    • 🎉Switch to New Reports & Dashboards
    • 🆕Reports
      • Overview
      • Build Using Tables
        • Create a new Report
        • Layout and options
        • Build and Format - Overview
        • Apply Row Limits
        • Identify Date Columns
        • Filter your data
        • Visualizations
          • Table
          • Pivot
          • Line Chart
          • Bar Chart
          • Column Chart
          • Area Chart
          • Combo Chart
          • Scatter & Bubble Plot
          • Pie Chart
          • Funnel Chart
          • Stat Card
          • Point Map
          • Heat Map
          • Radial gauge chart
        • Advanced Features
          • Custom Analysis
          • Variables
          • Table & Quick Calculations
          • Drill - Hierarchical & Date
          • Break Out
          • RLS in Table reports
          • Scheduled Exports
          • Embedding Table Reports
      • Build Using Models
        • Create a new report
        • Layout and options
        • Visualizations
        • Advanced Features
      • Build SQL Reports
        • Create a new Report
        • Layout and options
        • Writing a SQL Code on Editor
        • Visualizations
        • Variables in SQL Reports
    • 🆕Dashboards
      • 🌀Filters
      • 👆Click Behaviour
      • ⏰Data Alerts
      • 🗓️Date Drill
      • 📤Scheduled Exports
      • 🔗Embed link
      • 🖥️Dashboard layout
      • 📱Mobile Dashboards
  • Transforming your data
    • 🔰SQL Transform
    • 📓Python Notebooks
  • Integrating your data
    • ☁️Destination Warehouses
      • AWS Athena
        • Manage storage of Flow tables
      • AWS Redshift
      • Azure Synapse
      • Databricks
      • Google BigQuery
      • MySQL
      • Postgres
      • Snowflake
      • SQL Server
      • K8 Setup
        • AWS EKS
        • Google GKE
        • Azure AKS
    • ⚙️Warehouse & Storage Setup
  • Ingesting your data
    • ☄️Data Imports
      • Databases
        • Azure Cosmos DB
        • Azure Table Storage
        • Google BigQuery
        • Mongo DB
        • MySQL DB
        • Oracle DB
        • Postgres DB
        • SQL Server DB
        • Features
          • Ingestion Modes
          • Add Multiple Datasets
          • CDC Setup
            • CDC setup in Mysql
            • CDC setup in Postgres
            • CDC setup in Mongo
            • CDC setup in SQL Server
          • Destination Create Table Clause
          • SSH Tunnel Setup
      • Files
        • AWS S3
        • AWS S3 External
        • Azure Blob
        • FTP
        • Google Cloud Storage
        • Google Sheet
        • SFTP
      • Applications
        • Apple Search Ads
        • Appsflyer
        • Branch
        • Clevertap
        • Facebook Ads
        • Freshdesk
        • Freshsales
        • Google Ads
        • Google Ads V2
        • Google Analytics
        • Google Analytics 4
        • Google Analytics MCF
        • Google Search Console
        • Hubspot
        • Impact Ads
        • Intercom
        • Klaviyo
        • Leadsquared
        • LinkedIn Ads
        • Magento
        • Mailchimp
        • Marketo
        • Mixpanel
        • MoEngage
        • Rocketlane
        • Salesforce
        • SAP S4
        • Shopify
        • Snapchat Marketing
        • TikTok Ads
        • WooCommerce
        • Zendesk Chat
        • Zendesk Support
        • Zoho Analytics
        • Zoho Books
        • Zoho CRM
        • Zoho Desk
        • Zoho Invoice
        • Zoho Subscription
      • Events
        • Apache Kafka
        • AWS Kinesis
        • Azure EventHub
    • 📤File Uploads
    • 🤖API Pulls
    • 🕸️Webhooks
  • Collaborating on data
    • 📤Sharing
    • 💬Comments
    • ⚡Activity
    • 🏷️Labels
  • Managing Schedules and Data Refreshes
    • ⏱️Schedules
    • 🔔Notifications
  • User Management
    • 🔑Access Management
    • 🧑‍🤝‍🧑Groups
    • 📂Folders
    • 🔄Syncing users, groups and RLS
    • 📧Azure AD Integration
  • Data Security & Privacy
    • 🔐Security at Sprinkle
    • 📄GDPR
    • 📄Privacy Policy
  • Release Notes
    • 📢Release Notes
      • 🗒️Release Notes - v12.1 (New)
      • 🗒️Release Notes - v12.0
      • 🗒️Release Notes - v11.0
      • 🗒️Release Notes - v10.8
      • 🗒️Release Notes - v10.7
      • 🗒️Release Notes - v10.6
      • 🗒️Release Notes - v10.5
      • 🗒️Release Notes - v10.4
      • 🗒️Release Notes - v10.3
      • 🗒️Release Notes - v10.2
      • 🗒️Release Notes - v10.1
      • 🗒️Release Notes - v10.0
      • 🗒️Release Notes - v9.31
      • 🗒️Release Notes - v9.30
      • 🗒️Release Notes - v9.29
      • 🗒️Release Notes - v9.28
      • 🗒️Release Notes - v9.27
      • 🗒️Release Notes - v9.25
      • 🗒️Release Notes - v9.24
      • 🗒️Release Notes - v9.23
      • 🗒️Release Notes - v9.22
      • 🗒️Release Notes - v9.21
      • 🗒️Release Notes - v9.20
      • 🗒️Release Notes - v9.19
      • 🗒️Release Notes - v9.18
      • 🗒️Release Notes - v9.17
      • 🗒️Release Notes - v9.16
      • 🗒️Release Notes - v9.14
      • 🗒️Release Notes - v9.13
      • 🗒️Release Notes - v9.12
      • 🗒️Release Notes -v9.8
      • 🗒️Release Notes - v9.7
      • 🗒️Release Notes - v9.6
      • 🗒️Release Notes - v9.5
      • 🗒️Release Notes - v9.4
      • 🗒️Release Notes - v9.3
      • 🗒️Release Notes - v9.2
      • 🗒️Release Notes - v9.1
      • 🗒️Release Notes - v9.0 (Major)
      • 🗒️Release Notes - v7.23
      • 🗒️Release Notes - v7.21
      • 🗒️Release Notes - v7.20
      • 🗒️Release Notes - v7.15
      • 🗒️Release Notes - v7.14
      • 🗒️Release Notes - v7.13
Powered by GitBook
On this page
  • Data Retention
  • Customer Metadata
  • Customer Data
  • Encryption at Rest
  • Network security / Encryption in motion
  • Web portal/ API
  • Data through connectors
  • Infrastructure
  • Credential Management
  • User authentication
  • Password based authentication
  • OAuth based Single sign-on
  • Access control and Audit
  • Human Access to Infrastructure
  • PII handling
  1. Data Security & Privacy

Security at Sprinkle

PreviousAzure AD IntegrationNextGDPR

Last updated 1 year ago

Sprinkle data provides a secure environment to customers and keeps all the data safe, by following industry standard practices for security. Sprinkle data follows security by design for building the product, any new feature or improvement. Following sections document various facets of security at Sprinkle.

Data Retention

Customer Metadata

User data of customers is stored in Database and will be deleted immediately when the customer’s organization is removed.

Data points for storage or warehouse drivers, datasource connectors, metadata for reports, queries, dashboards are all stored in a separate database for each organization, which gets removed immediately whenever a data point is removed or when the organization is removed.

Customer Data

Customer data from the customer's warehouse is never stored in sprinkle infrastructure. And customer data ingested through Sprinkle is never stored in Sprinkle infrastructure, for any datasource other than Webhooks. When a customer creates a project with Sprinkle, it is associated with a storage. All data imported, query result outputs, any other temporary files created are stored in customer storage.

In case of webhook based ingestion, data is stored on sprinkle infrastructure, which gets promoted to customer’s storage every 5 minutes.

Encryption at Rest

Sprinkle infrastructure uses cloud based infra (GCP, Azure or AWS), which provides encryption at REST by default for storage in database or Managed disk.

References:

Network security / Encryption in motion

Web portal/ API

  • All connections to web portal or API are encrypted by default using TLS 1.x

  • Any attempt to connect over unencrypted (HTTP) channel are redirected to encrypted channel (HTTPS)

  • All the connections over TLS are authenticated from the origin server.

  • All the connection/ API are protected through Web Application Firewall (WAF) to prevent attacks through known vulnerabilities

Data through connectors

  • Data from all SaaS based connectors is pulled through encrypted channels (HTTPS).

  • Customers can whitelist specific Sprinkle IPs to access data, instead of keeping the connections open to the public. Customers can also create SSH proxy tunnels instead of whitelisting IPs, to provide access to Sprinkle.

Infrastructure

All the production environment lies in a separate Virtual Private Network, which has strict firewall controls over incoming and outgoing traffic.

Credential Management

Data points for storage or warehouse drivers, or datasource connectors can have keys, secrets and passwords. They are stored in encrypted form in a separate database for each organization.

Sprinkle data requires READ permissions for reading data from connectors, WRITE/DELETE permission in warehouses to create/drop tables, and WRITE/DELETE permission in storage for creating/dropping data. If customers grant higher permissions than required, Sprinkle data would never use them.

User authentication

Customer’s organization in Sprinkle can choose password based authentication or OAuth based single sign-on authentication for users.

Password based authentication

  • Sprinkle enforces Password policy to have strong passwords for users with

  • Passwords must be at least 8 chars long with at least 1 number, 1 special char and one capital letter.

  • Sprinkle enforces Account lockout policy to lockout the user account after 3 failed attempts of login.

OAuth based Single sign-on

Customer’s users can sign in with a single sign-on provided by Google or Microsoft.

Access control and Audit

Sprinkle provides Admin level controls, user level controls with different roles and permissions to achieve fine grained control over access to data. More documentation at User permissions and Restrictions.

No developer/engineer will have access to any customer’s organization, other than technical support (only qualified staff are allowed). Technical support will help customers with issues reported for debugging or setup. Support’s login has been protected through single sign-on with Google and MFA enabled.

All the activities on Sprinkle resource will have the audit log. More details in activity docs.

Human Access to Infrastructure

  • Developer/Engineer helping with customer issues will not have access to any Sprinkle infrastructure other than application logs.

  • Only qualified staff are allowed to access Sprinkle infrastructure for doing any deployments, upgrades or configuration changes for the environment.

  • Login to VMs are only with SSH keys, and no password based login allowed, and are allowed only from a jump box, which is further protected to access within VPN.

  • At Sprinkle Data, access to all infrastructure has been protected through MFA.

PII handling

Sprinkle data itself does not handle any PII (personally identifiable information) separately. It is like any other data that a customer is ingesting. Sprinkle provides features to customers to exclude columns or mask columns with 1-way hash to avoid loading PII data to their warehouse.

🔐
https://cloud.google.com/security/encryption-at-rest
https://docs.microsoft.com/en-us/azure/mysql/concepts-security#information-protection-and-encryption https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption https://aws.amazon.com/rds/features/security/ https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default