SaaS Backup and Recovery Compliance FAQ
How does SpinBackup ensure security and compliance standards for my data?
SpinBackup helps you operationalize the technical safeguards auditors look for without slowing teams down.
Audited & attested:
Spin.AI is SOC 2 Type II audited and supports enterprise compliance programs (HIPAA, PCI DSS, GDPR, and the Data Privacy Framework).
Read more about our Security and Compliance practices
| Security Control Category | HIPAA Security Rules | PCI DSS v4.0.1 | SOC 2 (Trust Services Criteria) | How SpinOne helps (products) |
|---|---|---|---|---|
| Data backup & availability | Contingency planning with data backup & disaster recovery; maintain retrievable copies of ePHI. | Ensure availability of systems; protect backups of account data and verify recoverability. | Availability: backups, restoration and continuity mechanisms meet service commitments. | Automated SaaS backups (1× or 3× daily) across AWS/Azure/GCP with region control; fast, granular restore; support for archived users; 2‑hour incident‑response SLA minimizes downtime. (SpinBackup, SpinRDR) |
| Encryption & key management | Protect ePHI in transit and at rest (addressable) using strong encryption and sound key practices. | Req. 3: strong cryptography for stored cardholder data; formal key management throughout the lifecycle. | Security/Confidentiality: safeguard data in transit and at rest per commitments. | AES‑256 at rest and TLS 1.3 in transit; per‑object encryption keys; customer selects cloud and region. (Platform‑wide) |
| Data retention & disposal (incl. eDiscovery) | Policies for retention and secure disposal; ability to provide patient access to ePHI and support legal discovery. | Minimize retention of account data; secure deletion; document and enforce retention/disposal procedures. | Confidentiality/Privacy: retain and dispose of data in line with commitments and criteria. | Admin‑controlled retention windows; searchable archive/eDiscovery; secure deletion at end of policy; offboarding archives for former users. (SpinBackup, eDiscovery) |
| Ransomware/malware defense & recovery | Protect against malicious software; incident response and timely recovery. | Req. 5 & 12: anti‑malware, incident response, and regular testing/monitoring. | Security/Availability: detect incidents and restore services to meet SLAs. | Behavior‑based ransomware detection, automated isolation and rollback to last clean backup; 2‑hour incident‑response SLA. (SpinRDR + SpinBackup) |
| Data residency & sovereignty | Support contractual/regulatory requirements (e.g., BAAs); control where ePHI is stored. | Align backup locations and protections with organizational/regulatory policies. | Honor geographic restrictions and retention commitments. | Choose cloud (AWS/Azure/GCP) and region; backups remain in‑region; Spin signs BAA/DPA as needed. (Platform‑wide) |
Do you have a Business Continuity Plan in place? If yes, how often is this tested?
We have a formal Business Continuity Plan (BCP). The test exercises are completed at least annually.
Do you carry out any penetration testing, and if so, how often?
Independent penetration testing of Spin.AI's critical applications is performed annually and after every major code or functionality change.
Do you have a formal process in place to handle data breaches?
Spin.AI has established a formal Security Incident Response Plan including a Breach Notification process.
How do I support HIPAA, PCI DSS, GDPR, and U.S. privacy requirements?
Use encrypted, auditable backups with defined retention, residency, and access controls, which Spin.AI provides along with SOC 2 Type II attestation and DPF support.
How do legal holds and retention policies work?
Admins can apply holds and set policy-driven retention windows from months to indefinite, and Spin.AI enforces them across data types and users.
Can I run eDiscovery searches and export results for investigations?
Yes—search across users and services, filter results, and export content and audit logs for legal or compliance needs using Spin.AI.
Where can I store data to meet U.S. or international residency needs?
Choose from multiple U.S. regions or other global locations and keep data in-region, with provider and location controls managed by Spin.AI.
Who can access customer data during operations or support?
Data is encrypted at the object level and support operates without content access, so Spin.AI personnel cannot see your customer data.