Here we describe how we work with security and GDPR, starting with the latter. The largest part of our Terms of Service concerns the handling of personal data and therefore also covers privacy and security aspects. In addition to what is stated in the agreement, we maintain a register of personal data processing, which includes, among other things, what data is stored per storage medium and for how long. We conduct regular reviews to ensure that we comply with GDPR, with the goal of limiting personal data storage and making it more secure.
Our production environment is maintained with regular updates of the operating system (Debian) and server software such as Apache, MariaDB, Tomcat and Java. We do not share servers with other companies. Users' passwords are stored encrypted (hashed) with a salt. Users' files are stored encrypted on the server provided that the user set a password when uploading.
Our software contains mechanisms to detect spam, and to limit the sending of emails and files.
In the development of our software, we follow common rules to prevent SQL injection and cross-site scripting (XSS). User input is validated on both the client and the server side. All employee computers have encrypted hard drives.
We plan to implement the following improvements and measures.
Arne Evertsson, 2026-02-05
support@sprend.com
+46 10 129 29 10