Spotify Plugins for Backstage Security

This page addresses commonly asked questions related to information security for Backstage, specifically as it pertains to the Spotify Plugins for Backstage bundle.
Please note that Spotify Plugins for Backstage are installed locally in the customer's environment and do not process or host any customer data, except for the Insights module which, if enabled by the customer, collects limited data about the customer's usage of Backstage, such as the number of active users and page views.

Spotify is committed to protecting physical and electronic information assets by preserving their confidentiality, integrity, and availability. Spotify aims to implement security measures which are appropriate, based on the risks to Spotify systems and data and possible harm to individuals. This is ultimately to protect Spotify systems and data and to preserve and maintain legal, regulatory and contractual compliance, operating in line with industry standards and the trust our customers place in us.

Information Security Program

Spotify maintains a comprehensive data security program that implements appropriate administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of data.

Compliance, Privacy & Data Security

Spotify has a comprehensive data protection compliance program covering applicable data protection requirements, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act, and the Payment Card Industry Data Security Standard (PCI DSS).

This program includes:

  • Internal privacy policies and processes (including on data retention, data subject access requests, and privacy by design),
  • Privacy Risk Assessments and Data Protection Impact Assessments,
  • Records of processing,
  • A vendor assessment process,
  • External privacy policies,
  • Security incident response plans, and
  • Security measures to ensure that the processing, storage, or transmission of credit card information is conducted in a secure manner.

Information Security Awareness & Training

Spotify personnel are trained on maintaining security best practices, including insider threats, access control, data protection, and the confidentiality of data as required by applicable laws and regulations.

Access Control and Authentication

  • We use Two-Factor Authentication (2FA) to protect all source code and data.
  • Access is given on a need-to-know basis; only developers working on Backstage products have access to source code.
  • Access for employees and subcontractors is automatically added and removed when they join or leave the project.

Secure Software Development

Secure coding principles and guidelines are established within Spotify and applied to software development. These guidelines help engineers reduce the number of potential vulnerabilities and develop applications securely. Secure coding principles include:

  • Guidance on security in the software development lifecycle.
  • Source Code Control System (SCCS) when conducting software development to track changes and assist in bug remediation.
  • Automated code scans and dependency vulnerability scanning.
  • Change management process to ensure process integrity.
  • Processes in place to ensure that system development outsourced to third parties is developed using practices no less stringent than those outlined in this document.
  • All products are covered by Spotify's bug bounty programme. All bugs found are addressed and disclosed responsibly.

Incident Management

  • Spotify has a formal written incident response plan (IRP), which describes the processes and procedures followed when assessing and responding to potential security incidents.
  • Spotify collaborates with vulnerability finders and shares information with relevant stakeholders such as vendors and customers. Software vulnerabilities are disclosed to the public once a fix has been developed and patched, or the vulnerability has been mitigated through a different solution.

Backup and Recovery

Data is appropriately backed up based on criticality. The data can be promptly recovered in the event of a security incident or other incident that affects access to or the integrity or availability of such data.