SOC 2 Type 2 Certified

• SOC2 Type 2 audit is completed annually by Schneider Downs
• Active monitoring through Drata

Antivirus Deployment

• All assets/files are scanned on S3 by an antivirus
• All personnel have to certify to follow SOC-2 and comply to having an antivirus active

File integrity (host) and network intrusion detection (IDS) tools implemented

• AWS WAF, Guard Duty

Internal and External Vulnerability scans

• All systems and application are patched regularly
• intruder.io automatic vulnerability testing
• Drata scan for SOC-2
• Bugcrowd Penetration test yearly
• Automated source code analysis tool to detect security defects in code prior to production

Personnel Training

• All personnel are required to attend annual security awareness training, including techniques to recognize phishing attempts
• Developers have to attend formal software security training

Third Party Management

• Documented and managed processes in place to identify and manage cyber supply chain risks (i.e. ensuring that software and hardware components used, as part of delivering a service or product, do not present a risk)
• Agreements with third parties address confidentiality, audit, security, and privacy, including but not limited to, incident response and notification, ongoing monitoring, return of data, and secure disposal of client scoped data

System Monitoring

• Applications and systems provide granular and comprehensive logging
• Sufficient detail is contained in the infrastructure, operating system, and application logs to support security incident investigations (for example, successful and failed login attempts, and changes to sensitive configuration settings and files)
• Audit logs are centrally stored and retained
• Production data processing environments are monitored continuously (24x7) for security threats, malicious events, denial of service, intrusion detection
• Automated system (Datadog) is in place to review and correlate log and/or behavioral events
• Log data retained for at least one year with immediate access availability

System Design Documentation

• Superside is currently in the process of mapping out a more complete understand of data flows and processes

Service Lifecycle:

• There is a formal Software Development Life Cycle (SDLC) process
• There a documented change management/change control process for applications with Scoped Data

Security Governance

• Superside maintains an information security policy that has been approved by management, communicated to appropriate constituents, and updated regularly
• Information Security Policy is reviewed at least once a year

Network Operations

• Application backend is shielded by an API gateway, all communication is https encrypted (AES256)
• Network technologies are used to isolate critical and sensitive systems into network segments separate from those with less sensitive systems

Incident Response

• Superside has a documented security incident response plan
• The Incident Response Plan includes a process for assessing and executing client and third party notification requirements (legal, regulatory and contractual)
• Superside has a predefined communication channels for workforce personnel and external business partners to report incidents in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations

PII Data Privacy

• Superside is compliant with GDPR
• https://www.superside.com/privacy

Identity & Access Management

• During the onboarding and offboarding process, we request and receive approval for access to systems transmitting, processing or storing Scoped Systems and Data
• Superside deprovisions, revocates &/or modifies user access to the organizations systems, information assets, and data implemented upon any change in status of employees, contractors, customers, business partners, or involved third parties
• Secure session management is implemented
• Controls are in place to prevent unauthorized access to our application, program, or object source code, and is restricted to authorized personnel only
• Policies and procedures are established for permissible storage and access of identities used for authentication
• Platform and data appropriate encryption is implemented - AES-256 encryption algorithm
• There is a segregation of duties between personnel responsible for key management duties and those responsible for normal operational duties
• key management policies bind keys to identifiable owners through unique personal accounts
• Shared data encryption keys are changed at the end of a defined life cycle period, when keys are compromised, or upon termination/transfer of personnel with access to the keys
• Access logs are retained for 1 year
• Single Sign On (SAML) can be provided

Data Management

• All connections outside our networks use https, no http allowed
• AWS Application Load Balancer ELBSecurity Policy-TLS-1-2-2017-01
• Web Server Certificates are handled in AWS ACM
• Scoped Data is encrypted with AES-256 encryption algorithm
• All data used on the test environments is sanitized before usage
• Policy and processes are in place to ensure the timely secure disposal of Scoped Data on all systems including third party systems

Change Management

• Operational change management/Change Control policy / program has been documented, approved by management, communicated to appropriate Constituents and assigned an owner to maintain and review the policy
• The change control process includes a formal process to ensure clients are notified prior to changes being made which may impact their service
• Information security requirements are specified and implemented when new systems are introduced, upgraded, &/or enhanced
• The change control process requires approval from authorized personnel based on change description, impact of change, test results, and back-out plan prior to changes being implemented in the production environment

Business Continuity

• Business Continuity Plan (BCP) has been approved by management, communicated to appropriate constituents, and is updated regularly and is tested once a year
• Disaster Recovery Plan (DRP) has been approved by management, communicated to appropriate constituents, and is updated regularly
• Operational change management/Change Control policy or program has been documented, approved by management, communicated to appropriate Constituents and assigned an owner to maintain and review the policy

Back Up Management

• Backups are encrypted at rest (AES256GCM) and follow SOC-2 requirements
• We locate backups in multiple AWS availability zones and regions
• Backup or redundancy mechanisms are tested once a year
• Backups multiple AWS regions are automation to recover within minutes

Check our Bug Bounty Program Policy here.