Security

Learn how Sponja protects your data and your attendees' information with industry-standard security practices.

Last updated: June 12, 2026

This page gives an overview of the security practices we follow in building and operating Sponja.

1. Payment

We process payments with Stripe, a PCI DSS Level 1 certified payment provider. Sponja does not process or store any payment card information.

2. Privacy

Sponja does not sell your personal data. We only share data with service providers as needed to operate the platform, and with integrations you explicitly authorize. The full list of service providers that process customer data, what each one does, and where it is located is published on our Sub-processors page.

You can read more about how we handle your data on our Privacy Policy page. Customers subject to GDPR are covered by our Data Processing Agreement, which applies automatically as part of our Terms of Service.

3. Infrastructure

Sponja is hosted on Vercel, which provides enterprise-grade infrastructure with built-in DDoS protection, automatic HTTPS, and global edge delivery. Our application data is stored on cloud infrastructure providers that maintain their own compliance certifications, including ISO/IEC 27001 and SOC 2. These certifications belong to our infrastructure providers; Sponja's own compliance roadmap is described in the Compliance section below.

4. Encryption

All data is encrypted in transit and at rest. We use TLS/SSL encryption across the Sponja application and API. Sensitive data at rest is encrypted using AES-256.

5. Compliance

SOC 2 Type II is planned for 2026. Until then, this page, the Sub-processors list, and the Data Processing Agreement describe our current controls, and we respond to security questionnaires as part of customer reviews. Email hi@sponja.ai to start one.

6. Data Retention and Deletion

Event content (recordings, transcripts, chat logs, participant data, and generated emails) is retained while your account is active, so you can revisit past events at any time.

You can request deletion at any time by emailing hi@sponja.ai:

  • Per event: we delete the event's recordings, transcripts, chat logs, participant data, generated emails, and the associated AI processing records.
  • Full account: we delete your account and all associated event content and AI processing records.

Deletion requests are completed within 30 days. Residual copies in backup systems may persist for up to an additional 30 days before being overwritten in the normal course of operations. Billing records are retained for 7 years where required by tax and financial regulations.

Follow-up content you have pushed to a connected email provider (such as Kit) lives in your own account on that platform and is deleted there by you.

7. Development Process

Our application code is reviewed for security vulnerabilities as part of our development workflow. Engineers follow industry best practices for secure development, including input validation, dependency management, and least-privilege access controls.

8. Access Controls

Access to production systems and customer data is restricted to authorized personnel on a need-to-know basis. We use multi-factor authentication for internal systems and review access permissions regularly.

9. Incident Response

We monitor our systems continuously for performance, reliability, and security events. In the event of a data breach that poses a risk to your data, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware of the incident, as required by applicable law.

10. Responsible Disclosure

If you discover a security vulnerability in Sponja, please report it to us at hi@sponja.ai. We will acknowledge your report within 2 business days and work to resolve confirmed issues promptly. We ask that you give us reasonable time to investigate and address the issue before any public disclosure.

11. Contact

For security-related questions or to report a vulnerability:

Email: hi@sponja.ai
Company: Popup Moments Inc., Delaware, USA
