Spotify Portal for Backstage

Information Security is important to us!

Spotify Portal for Backstage maintains a comprehensive security program that implements appropriate administrative, technical, and physical security controls to protect the security, confidentiality, and integrity of data.

Security Program Governance

We maintain a governance program that includes personnel security (confidentiality agreements, background checks, and regular security training) and annual risk assessments (enterprise-wide and product-specific). Leadership committees and internal audit teams provide continuous oversight and review of security controls.

Personnel Security

Personnel receive regular training on essential security best practices, covering topics such as phishing, social engineering, insider threat prevention, and data protection.

Third-Party Management

A Vendor Assessment Program ensures suppliers and third-party vendors are risk-rated before onboarding and are monitored according to their risk rating.

Technical Controls & Infrastructure Security

Cloud Operating Model

We operate under a Shared Responsibility Model with Google Cloud Platform (GCP). GCP secures the underlying cloud infrastructure, and Spotify Portal for Backstage is responsible for securing the systems deployed within GCP.

Network and Data Protection

Standard security practices are employed, including encryption at rest and in transit, data isolation, automated logging and monitoring, and automated daily backups to ensure recoverability.

Access and Authentication

Access is restricted to authorized personnel and managed via an Identity and Access Management (IAM) system. Access is granted based on the principle of least privilege (need-to-know basis). Two-Factor Authentication (2FA) is mandatory for personnel accessing source code and data environments. Access provisioning and de-provisioning are automated and reviewed periodically.

Risk Management

Application Security

Secure coding principles are used throughout the software development lifecycle (SDLC), including security guidance, automated code and dependency vulnerability scanning, and a change management process.

Vulnerability Management

We perform continuous automated scans and conduct annual penetration testing by a third-party vendor to identify security weaknesses. Weaknesses are remediated in accordance with established security policies.

Incident Response and Continuity

Security Incident Management

A formal written Incident Response Plan (IRP) describes the processes and procedures for assessing and responding to potential security incidents.

Business Continuity

Service continuity is ensured through distributed demand, load balancing, DDoS protection, and automated failover. Annual company-wide and product-specific recovery exercises are conducted to validate resilience against regional outages.

Compliance and Attestation

Spotify Portal for Backstage has a SOC 2 report relevant to the Security Trust Service Criterion. We are committed to annually undergoing a SOC 2 examination by a third-party auditor.

The most recent SOC 2 report is available upon request, subject to a signed Non-Disclosure Agreement (NDA). To request a copy, please contact backstage-support@spotify.com.

Customer Support

Support is provided via the Spotify for Backstage Support Center and by email at backstage-support@spotify.com during local business hours — 9:00 AM to 5:00 PM, Monday through Friday, in the Americas (ET) and EMEA (UK Time) regions (excluding public holidays).

Questions?

If you have any questions about our security, feel free to reach out to backstage-support@spotify.com.