
Security at SprintBee

SprintBee runs planning poker rooms for agile teams, which means we handle sign-in details, room content, and sometimes a connection to your Jira site. This page explains, concretely, how that data is protected, who else touches it, and how to report a problem.

Last updated: July 4, 2026

How SprintBee handles your data

SprintBee is hosted entirely on Amazon Web Services (AWS), running in a private network (VPC) with no direct public access to the database. The application runs on ECS Fargate behind a load balancer and CloudFront, and data is stored in a managed PostgreSQL database (Amazon RDS) that is not publicly reachable from the internet.

We are a small team, not a certified security vendor. We do not currently hold SOC 2, ISO 27001, or similar certifications, and we don't want to imply otherwise. What follows is a plain description of the controls we actually have in place today.

Encryption

All public traffic to SprintBee is served over HTTPS. Requests over plain HTTP are redirected to HTTPS, and our CDN and load balancer are both configured to accept only modern TLS versions (TLS 1.2 and 1.3), with certificates managed through AWS Certificate Manager.

Our primary database has storage encryption enabled at the infrastructure level. Room passwords, where a moderator sets one, are never stored in plain text — they're hashed with scrypt (a salted, computationally expensive hash) and compared using a timing-safe check. OAuth tokens for connected Jira sites are encrypted at the application layer with AES-256-GCM before they're written to the database, using a key that can be rotated independently of the tokens themselves.
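As an illustration of the two application-layer controls described above, here is an added Node.js example; it is not SprintBee's code. The stored formats, the `k1`/`k2` key ids, the in-memory keyring and all function names are assumptions made for the example.

```javascript
const crypto = require("node:crypto");

// Room password: salted scrypt hash stored as "saltHex:hashHex" (format is an assumption).
function hashRoomPassword(password) {
  const salt = crypto.randomBytes(16);
  return `${salt.toString("hex")}:${crypto.scryptSync(password, salt, 32).toString("hex")}`;
}

function verifyRoomPassword(password, stored) {
  const [saltHex, hashHex] = stored.split(":");
  const expected = Buffer.from(hashHex, "hex");
  const actual = crypto.scryptSync(password, Buffer.from(saltHex, "hex"), expected.length);
  // Both buffers have the same length by construction, as timingSafeEqual requires.
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed demo keyring (key id -> 32-byte key); real keys would live in a secret store.
const KEYRING = new Map([["k1", crypto.randomBytes(32)], ["k2", crypto.randomBytes(32)]]);

// Record format "keyId.iv.tag.ciphertext" (base64url); the key id is authenticated as AAD.
function encryptToken(token, keyId, keyring = KEYRING) {
  const key = keyring.get(keyId);
  if (!key) throw new Error(`unknown key id: ${keyId}`);
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(keyId));
  const ct = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
  const parts = [iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64url"));
  return [keyId, ...parts].join(".");
}

function decryptToken(record, keyring = KEYRING) {
  const [keyId, iv, tag, ct] = record.split(".");
  const key = keyring.get(keyId);
  if (!key) throw new Error(`unknown key id: ${keyId}`);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "base64url"));
  decipher.setAAD(Buffer.from(keyId));
  decipher.setAuthTag(Buffer.from(tag, "base64url"));
  // final() throws if the key id, tag, or ciphertext has been altered.
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, "base64url")), decipher.final()]);
  return pt.toString("utf8");
}

// Rotation: re-wrap a stored record under a newer key; the OAuth token itself is unchanged.
function rotateRecord(record, newKeyId, keyring = KEYRING) {
  return encryptToken(decryptToken(record, keyring), newKeyId, keyring);
}
```

Storing the key id next to the ciphertext is what lets old and new keys coexist while records are re-wrapped one at a time.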

Authentication

SprintBee doesn't store passwords for your account. Signing in works by emailing you a one-time code through Amazon Cognito; there's no password for an attacker to guess, reuse, or leak from another breach.

Session tokens are short-lived, signed by Cognito, and verified on every request against Cognito's published signing keys. Our site-admin console is protected by a completely separate Cognito user pool that additionally requires TOTP multi-factor authentication; there is no path to admin access with a sign-in code alone.
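The per-request check described above can be sketched as follows. This is an added Node.js example, not SprintBee's code: the key pair, the `demo-kid` key id, the placeholder issuer URL and the function names are constructed for the example, and a real service would fetch and cache the pool's published JWKS instead of generating one.

```javascript
const crypto = require("node:crypto");

const b64u = (x) => Buffer.from(x).toString("base64url");

// Constructed stand-in for the user pool's published JWKS document.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const JWKS = { keys: [{ ...publicKey.export({ format: "jwk" }), kid: "demo-kid", alg: "RS256" }] };
// Placeholder issuer; a real one names the pool's region and user pool id.
const ISSUER = "https://cognito-idp.example-region.amazonaws.com/example_pool";

// Demo helper only: mints a signed token so the verifier has something to check.
function signDemoToken(claims, kid = "demo-kid", key = privateKey) {
  const head = b64u(JSON.stringify({ alg: "RS256", kid }));
  const body = b64u(JSON.stringify(claims));
  const sig = crypto.sign("sha256", Buffer.from(`${head}.${body}`), key);
  return `${head}.${body}.${sig.toString("base64url")}`;
}

function verifySessionToken(token, jwks = JWKS, now = Math.floor(Date.now() / 1000)) {
  const [head, body, sig] = token.split(".");
  if (!head || !body || !sig) throw new Error("malformed token");
  const header = JSON.parse(Buffer.from(head, "base64url"));
  // Pin the algorithm; never let the token choose how it is verified.
  if (header.alg !== "RS256") throw new Error("unexpected alg");
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error("unknown kid");
  const key = crypto.createPublicKey({ key: jwk, format: "jwk" });
  const signed = Buffer.from(`${head}.${body}`);
  if (!crypto.verify("sha256", signed, key, Buffer.from(sig, "base64url"))) {
    throw new Error("bad signature");
  }
  // Claims are trusted only after the signature has been checked.
  const claims = JSON.parse(Buffer.from(body, "base64url"));
  if (claims.iss !== ISSUER) throw new Error("wrong issuer");
  if (claims.token_use !== "access") throw new Error("wrong token_use");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  return claims;
}
```

Checking the issuer is also what keeps a token from one user pool from being accepted where a different pool's token is required.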

Payments

Billing is handled by Stripe. When you subscribe or update payment details, you're taken to a Stripe-hosted checkout or billing portal — SprintBee's servers never see, transmit, or store your card number, expiry date, or CVC. We only keep the identifiers Stripe gives us back (like a customer or subscription ID) so we know what plan an account is on.

Room access controls

Every room has a shareable room code, and a moderator can regenerate that code at any time — useful if it was shared somewhere it shouldn't have been, without losing the room's history, queue, or settings.

Pro accounts can layer on additional access controls per room or as an account-wide default: requiring a room password, requiring participants to be signed in, and restricting sign-in to specific email domains (for example, limiting a room to people with an @yourcompany.com address). These controls are optional and off by default on the free plan.

Data retention & deletion

We keep account and room data for as long as needed to provide SprintBee, maintain security, and meet legal obligations, consistent with our Privacy Policy. You can request access to, correction of, or deletion of your personal information at any time.

To request deletion or ask a retention question, contact privacy@sprintbee.net. We may need to verify a request before acting on it, and some information may be retained where required for security, fraud prevention, or legal compliance.


Subprocessors

We rely on a small set of vendors to run SprintBee. We don't sell your data, and we only share it with providers who need it to deliver the service:

  • Amazon Web Services (AWS) — hosting, database, application infrastructure, and email delivery (Amazon SES) for sign-in codes and transactional messages.
  • Amazon Cognito (part of AWS) — authentication: issuing and verifying sign-in codes and session tokens.
  • Stripe — payment processing and subscription billing. Stripe handles and stores all card data directly.
  • Atlassian — only if you connect a Jira site. SprintBee reads and, if you opt in per room, writes back to the specific Jira issues and fields you import into a room. We don't access any other part of your Jira site.
  • Sentry — error and performance monitoring for our web application, configured not to collect personal information by default.

Reporting a vulnerability

If you believe you've found a security issue in SprintBee, we want to hear about it. Email security@sprintbee.net with as much detail as you can (steps to reproduce, affected URLs, and why you think it's a security issue), and we'll follow up with you directly.

Please avoid accessing or modifying data that isn't yours while investigating, and give us a reasonable chance to fix an issue before disclosing it publicly.


Still have a security question?

If your team's procurement or security review needs something this page doesn't cover, ask us directly and we'll get you a straight answer.
