How Sanity handles your data
Sanity implements comprehensive security measures while meeting the best practice compliance obligations in the industry. These rigorous security and compliance procedures are employed to ensure that users feel trusted and confident about sharing their most critical assets.
An effective IT security program is a stepping stone to success in businesses and Sanity takes this responsibility very seriously. Sanity uses security and compliance protocols to ensure whether you’re aiming for GIAC Security Essentialsor ISO 27001, you’re covered. In the next section, we will explore in depth about how Sanity empowers businesses to meet digital security standards.
SOC 2 type 1 Compliance
Sanity is certified with SOC 2 Type 1 and therefore demonstrates that they are appropriately protecting data within their systems. This certification also allows users to request for a “right to audit” at any point. This in turns assures users that their sensitive data is handled with care.
General Data Protection Regulation (GDPR)
Sanity is thoroughly GDPR complaint and employs best practices for security and privacy to protect users’ data. It also provides users with clear information about how their data is managed as well as information about their right to access, object and restrict data. Users are provided with tools such as - data retrieval via GROQ query language, custom data retention policies, and APIs for permanent data deletion - which helps them to remain GDPR complaint themselves.
Payment Card Industry Data Security Standard (PCI DSS)
Sanity uses Stripe payment processor to handle all credit card and payment information. Stripe has been audited by an independent PCI Qualified Security Assessor and certified as a Level 1 service provider in the payments industry - meaning they meet some of highest certification requirements available to processors worldwide.
Sanity is hosted on Google Cloud Platform which undergoes frequent security audits for a variety of security scrutinies such as ISO 27001, ISO 27017, ISO 27018, SOC 2, SOC 3, CSA STAR, HIPAA, and PCI DSS.
Data Retention and Removal
Sanity removes or anonymises all data as soon as possible after it is no longer needed, with a short grace period and backup retention periods stated in their service agreement to allow for accidental or malicious removal. Users can also contact them if they wish their personal information to be removed from their servers entirely.
Data Access Control
To ensure the security of customer data, employees have access only to systems required for their role. The central resources are accessed using two-factor authentication, which requires an account with Google or Github. All remote connections are encrypted either through HTTPS transport level security or VPN connections. Employees will never directly interact with any customers' controlled assets unless it's necessary due to support reasons and, in that case, will generally ask for the permission first.
High Availability, Backups and Disaster Recovery
Sanity is equipped with fully redundant and distributed systems, operating across multiple data centers. This means that if one component failed, the others would continue to work as normal - providing relief for the businesses during disasters like natural ones or cyberattacks.
Sanity has real-time data replication systems across multiple data centers as well as continuous data back-up of their databases to remote storage in several locations across the EU regions. Databases can be restored to any point in time within the past 30 days with per-transaction precision.
For disaster recovery purposes, all of the backed-up data is copied to a separate cloud account in another geographic region. This is done using dedicated physical authentication devices from clean computers and protected with strict access controls that only allow two Sanity employees to access it at any given time period.