Trust Center

Security at Sparks

Sparks is built for organizations that need a familiar collaboration experience with strong security controls. This page provides a transparent overview of architecture, encryption, operations, compliance, and security workflows.

Security principles

Secure by design

Open protocols, clear system boundaries, and minimal data flow instead of opaque platform lock-in.

Data sovereignty first

EU hosting, self-hosting, and hybrid deployment options for regulated environments.

Defense in depth

Layered controls across identity, access, encryption, monitoring, and operations.

Security stack

Our architecture follows established trust-center patterns used by modern cloud and SaaS vendors.

Identity & access

SAML/OIDC SSO, role-based permissions, and tenant-aware isolation for enterprise setups.

Communication protection

Optional Matrix E2EE, protected transport, and per-device cryptographic key handling.

Platform & operations

Clear separation between client, middleware, and backends with hardened runtime operations.

Governance & compliance

Privacy-oriented defaults, documented procedures, and recurring security reviews.

Technical and organizational controls

| Control | How Sparks applies it |
| --- | --- |
| Encryption in transit | TLS-protected communication between clients, middleware, and integrated systems. |
| End-to-end encryption | Optional for Matrix chat where higher confidentiality is required. |
| Authorization model | Roles and context-aware permissions for chats, channels, files, and integrations. |
| Identity federation | Connection to existing IAM platforms via SAML/OIDC (e.g. Keycloak, Entra ID). |
| Tenant isolation | Separated deployment options for sensitive organizations and stricter compliance needs. |
| Auditability | Operational and integration events can be traced with structured logging strategies. |

Vulnerability & incident management

Security is continuous. Sparks combines prevention, detection, response, and post-incident improvement.

Step 1

Report

Submit vulnerability or incident indicators through our security contact channel.

Step 2

Assess

Triage by severity, impact, and exposure to prioritize remediation.

Step 3

Remediate

Apply targeted mitigations, patches, and configuration updates through staged rollouts.

Step 4

Inform

Provide transparent customer communication and concrete guidance where relevant.

Operating models including air-gapped

Sparks supports multiple operating models depending on your security requirements: fully isolated air-gapped environments, operation by a trusted managed partner, or operation by your own organization - in cloud, hybrid, or on-premise architectures.

For ISO 27001-aligned operations or elevated security requirements, we generally prefer operation by a hosting partner or directly by the customer.

Air-gapped operations

Physically and logically isolated environment without direct internet connectivity for high-security use cases.

Partner-operated

Managed operations by a service partner based on defined security and governance requirements.

Self-operated

Run by your internal team with integration into your SOC, IAM, and operational controls.

Cloud / on-premise / hybrid

Flexible deployment matching your target setup: dedicated cloud, your data center, or both.

Operation according to security requirements

Operations can be aligned with internal and regulatory requirements, for example BIS/BSI-oriented standards, NIS2 expectations, sector-specific security frameworks, or your own corporate security baseline.

  • Air-gap and network segmentation requirements
  • HSM/KMS and key-management policies
  • Logging, retention, and audit requirements
  • Role models, four-eyes approval, and change control

Partner models for operations

You can find more details on operating and hosting models in our partner model pages.

Shared responsibility

As in modern platform models, security responsibilities are shared between Sparks and customer organizations. We provide secure defaults and robust operations; you control identity policies, roles, endpoints, and internal governance.

Your responsibility

  • SSO/MFA policies in IAM
  • Role and approval concepts
  • Endpoint and device management
  • Sensitive data classification

Sparks responsibility

  • Product and architecture security
  • Secure release and patch workflows
  • Operations, monitoring, and incident coordination
  • Documentation and technical guidance

Frequently asked security questions

Is Sparks suitable for regulated environments?

Yes. EU hosting, open standards, and optional self-hosting make Sparks a strong fit for organizations with strict data control requirements.

Can I keep my existing security infrastructure?

Yes. Sparks is designed to integrate with existing identity, calendar, file, and communication systems.

Where can I find privacy information?

Legal details on data processing are available on our privacy page.

Align your security requirements

We can map your target architecture together: from EU cloud to hybrid and self-hosting.
